8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3

Analysis

max time kernel
143s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2025, 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3.exe
Size

800KB
MD5

02c70d9d6696950c198db93b7f6a835e
SHA1

30231a467a49cc37768eea0f55f4bea1cbfb48e2
SHA256

8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
SHA512

431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
SSDEEP

12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3.exe

Executes dropped EXE 1 IoCs

pid	Process
2160	BootstrapperV2.12.exe

Unexpected DNS network traffic destination 23 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1
Destination IP	1.0.0.1

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
47	discord.com
49	discord.com
50	discord.com
51	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4472	ipconfig.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-940901362-3608833189-1915618603-1000\{4EA59D20-C866-43B0-B03A-75B6039781D8}	msedge.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2160	BootstrapperV2.12.exe
4716	msedge.exe
4716	msedge.exe
4500	msedge.exe
4500	msedge.exe
4048	identity_helper.exe
4048	identity_helper.exe
3940	msedge.exe
3940	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3508	WMIC.exe
Token: SeSecurityPrivilege	3508	WMIC.exe
Token: SeTakeOwnershipPrivilege	3508	WMIC.exe
Token: SeLoadDriverPrivilege	3508	WMIC.exe
Token: SeSystemProfilePrivilege	3508	WMIC.exe
Token: SeSystemtimePrivilege	3508	WMIC.exe
Token: SeProfSingleProcessPrivilege	3508	WMIC.exe
Token: SeIncBasePriorityPrivilege	3508	WMIC.exe
Token: SeCreatePagefilePrivilege	3508	WMIC.exe
Token: SeBackupPrivilege	3508	WMIC.exe
Token: SeRestorePrivilege	3508	WMIC.exe
Token: SeShutdownPrivilege	3508	WMIC.exe
Token: SeDebugPrivilege	3508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3508	WMIC.exe
Token: SeRemoteShutdownPrivilege	3508	WMIC.exe
Token: SeUndockPrivilege	3508	WMIC.exe
Token: SeManageVolumePrivilege	3508	WMIC.exe
Token: 33	3508	WMIC.exe
Token: 34	3508	WMIC.exe
Token: 35	3508	WMIC.exe
Token: 36	3508	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3508	WMIC.exe
Token: SeSecurityPrivilege	3508	WMIC.exe
Token: SeTakeOwnershipPrivilege	3508	WMIC.exe
Token: SeLoadDriverPrivilege	3508	WMIC.exe
Token: SeSystemProfilePrivilege	3508	WMIC.exe
Token: SeSystemtimePrivilege	3508	WMIC.exe
Token: SeProfSingleProcessPrivilege	3508	WMIC.exe
Token: SeIncBasePriorityPrivilege	3508	WMIC.exe
Token: SeCreatePagefilePrivilege	3508	WMIC.exe
Token: SeBackupPrivilege	3508	WMIC.exe
Token: SeRestorePrivilege	3508	WMIC.exe
Token: SeShutdownPrivilege	3508	WMIC.exe
Token: SeDebugPrivilege	3508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3508	WMIC.exe
Token: SeRemoteShutdownPrivilege	3508	WMIC.exe
Token: SeUndockPrivilege	3508	WMIC.exe
Token: SeManageVolumePrivilege	3508	WMIC.exe
Token: 33	3508	WMIC.exe
Token: 34	3508	WMIC.exe
Token: 35	3508	WMIC.exe
Token: 36	3508	WMIC.exe
Token: SeDebugPrivilege	1940	8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3.exe
Token: SeDebugPrivilege	2160	BootstrapperV2.12.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1928	1940	8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3.exe	83
PID 1940 wrote to memory of 1928	1940	8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3.exe	83
PID 1928 wrote to memory of 4472	1928	cmd.exe	85
PID 1928 wrote to memory of 4472	1928	cmd.exe	85
PID 1940 wrote to memory of 3844	1940	8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3.exe	86
PID 1940 wrote to memory of 3844	1940	8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3.exe	86
PID 3844 wrote to memory of 3508	3844	cmd.exe	88
PID 3844 wrote to memory of 3508	3844	cmd.exe	88
PID 1940 wrote to memory of 2160	1940	8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3.exe	95
PID 1940 wrote to memory of 2160	1940	8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3.exe	95
PID 2160 wrote to memory of 4500	2160	BootstrapperV2.12.exe	96
PID 2160 wrote to memory of 4500	2160	BootstrapperV2.12.exe	96
PID 4500 wrote to memory of 864	4500	msedge.exe	97
PID 4500 wrote to memory of 864	4500	msedge.exe	97
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 2800	4500	msedge.exe	98
PID 4500 wrote to memory of 4716	4500	msedge.exe	99
PID 4500 wrote to memory of 4716	4500	msedge.exe	99
PID 4500 wrote to memory of 2460	4500	msedge.exe	100
PID 4500 wrote to memory of 2460	4500	msedge.exe	100
PID 4500 wrote to memory of 2460	4500	msedge.exe	100
PID 4500 wrote to memory of 2460	4500	msedge.exe	100
PID 4500 wrote to memory of 2460	4500	msedge.exe	100
PID 4500 wrote to memory of 2460	4500	msedge.exe	100
PID 4500 wrote to memory of 2460	4500	msedge.exe	100
PID 4500 wrote to memory of 2460	4500	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3.exe
"C:\Users\Admin\AppData\Local\Temp\8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c ipconfig /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\system32\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:4472
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3508
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.12.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.12.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3.exe" --isUpdate true
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/w9yACJan55
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa42bc46f8,0x7ffa42bc4708,0x7ffa42bc4718
      4⤵
      PID:864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,4543563319581414450,11751030775786410122,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
      4⤵
      PID:2800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,4543563319581414450,11751030775786410122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,4543563319581414450,11751030775786410122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2484 /prefetch:8
      4⤵
      PID:2460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4543563319581414450,11751030775786410122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      4⤵
      PID:2104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4543563319581414450,11751030775786410122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
      4⤵
      PID:3720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,4543563319581414450,11751030775786410122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
      4⤵
      PID:3532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,4543563319581414450,11751030775786410122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4543563319581414450,11751030775786410122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
      4⤵
      PID:448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4543563319581414450,11751030775786410122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
      4⤵
      PID:4708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4543563319581414450,11751030775786410122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
      4⤵
      PID:1872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2172,4543563319581414450,11751030775786410122,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5760 /prefetch:8
      4⤵
      PID:3676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2172,4543563319581414450,11751030775786410122,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4820 /prefetch:8
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:3940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4543563319581414450,11751030775786410122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
      4⤵
      PID:3172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4543563319581414450,11751030775786410122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
      4⤵
      PID:3156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
45ebf06d66a41c9232aaa9360a2ac5cc

SHA1
597b5659f5cfe6537ce122d8e41e5ded5135afd8

SHA256
17ce1ba0a334eab4c69869d4c2b33b707ed11a9777fdaa675731ece6d5d22123

SHA512
d5669170b4f2b4e9f5d0ced3986158abae17333b6873b55434aecbe76cbda1aa6be6818d44b8888327e1cf1d6ed18a21a6ecd8e8e5aaf346901676f7092bbe52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
537B

MD5
7a7b68529f5b9387fa2be5570004472b

SHA1
00c23bf1c78421cfee7e41747cbc0eec36138650

SHA256
890753b151d91cbff0b9a717d255ab672c827e75eb7a90e829963daefd189fc2

SHA512
1cd53c9720d7bd783a044fd3b6fa254cab6786bc9f8e6e6737baadc40ab5f8288fb18f2675245b35e3e8c7543683125166a2a6624aa70d81cba87ff315e89739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
205e1d31128b38490ae918341b5fb192

SHA1
91503b109e4b7e67a320b73b9d15a58d34a003b0

SHA256
7f6ff8bdfce96f02383c485e9d4191d6e7e74f6cba652570dcdddcdb7b85284d

SHA512
13c6a12d6d877a4242aac38b0c19c5c58a19ae45c3f1e83b3ac730702b9de41a27749c0aeda77e57933170188965c11af865b64d4b791e83237447436b0a2337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3b0e5be2aeda7fcc89c90658cc873d4f

SHA1
617ecc0e24804b4f0eb5e661a1bd274bc03c5273

SHA256
95e522a6ca6460923a192cf2b4772deee069b9bbad3f551bb6f0a3d25924591a

SHA512
0a07aae4c73956ec7dffeeb434d28a00f86da168d46e248372baac90434bb6a0954f365c158d1fce4e1fcf6d2e73641b8b598011ac377120bf32570401645230

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b5a198279182773b488c0c49f6660af3

SHA1
2388a60d98366a38e5503bb1494ebaa0565fadd1

SHA256
583c76794d852b794859a479d8f8c03eedbefd22ee73e4489b9ac21d07d329ac

SHA512
c90406def2312df27e0f542e5373ade1c8b678a7c3711e1d17d12981043e11ab632a203fa4147f29577c88515038cadabb22b2fb0de26d1811a862af252958ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.12.exe

Filesize
2.9MB

MD5
a36750fe814c6cd0a94312ebaf85e07e

SHA1
9382378c4831247b2efc387581dc909c6352571f

SHA256
933acdb61d5d05bb55cd56957312b677719ac237a2daae0f1daf9d70dc68f2de

SHA512
d028e93cfe594c557e74376854916c33ad0614db1fa1efdf4a4477ff246ccb791510192c35296d5a32b81b376e9ee94ec5f5c0109f04f0320ed788ceda092f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DISCORD

Filesize
29B

MD5
b86aef3d31fdcc68c0138b25a632f939

SHA1
5f2a826056fadf32b85a9f2f0d960c2bf4ee99eb

SHA256
9bed077bb37dd2f770ed6f960f9e1a22054174fb14ba1aa49cb13cf3008a8486

SHA512
dd6262a375d7195289bbe3f78163d8a1ec2b8db8d4eaee8e3434c3c686a2a38e9bec4fc0fc406aa1915e04475e0ca041b0bfcdd033f08829f1893d6fd0d06e19

Download Submit
memory/1940-19-0x00007FFA473E0000-0x00007FFA47EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1940-1-0x000001F603690000-0x000001F60375E000-memory.dmp

Filesize
824KB

Download
memory/1940-0-0x00007FFA473E3000-0x00007FFA473E5000-memory.dmp

Filesize
8KB

Download
memory/1940-2-0x00007FFA473E0000-0x00007FFA47EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1940-3-0x00007FFA473E0000-0x00007FFA47EA1000-memory.dmp

Filesize
10.8MB

Download
memory/1940-5-0x000001F61E020000-0x000001F61E042000-memory.dmp

Filesize
136KB

Download
memory/2160-28-0x00000249A0E00000-0x00000249A0E26000-memory.dmp

Filesize
152KB

Download
memory/2160-30-0x00000249A0E50000-0x00000249A0E66000-memory.dmp

Filesize
88KB

Download
memory/2160-33-0x00000249A0DF0000-0x00000249A0DFA000-memory.dmp

Filesize
40KB

Download
memory/2160-34-0x00000249A0E80000-0x00000249A0E88000-memory.dmp

Filesize
32KB

Download
memory/2160-22-0x00000249A01B0000-0x00000249A01E8000-memory.dmp

Filesize
224KB

Download
memory/2160-21-0x00000249A0130000-0x00000249A0138000-memory.dmp

Filesize
32KB

Download
memory/2160-20-0x0000024982280000-0x0000024982290000-memory.dmp

Filesize
64KB

Download
memory/2160-31-0x00000249A0E30000-0x00000249A0E3A000-memory.dmp

Filesize
40KB

Download
memory/2160-18-0x0000024981BD0000-0x0000024981EB0000-memory.dmp

Filesize
2.9MB

Download
memory/2160-24-0x00000249A0C80000-0x00000249A0D80000-memory.dmp

Filesize
1024KB

Download
memory/2160-29-0x00000249A0E40000-0x00000249A0E48000-memory.dmp

Filesize
32KB

Download
memory/2160-25-0x00000249A01A0000-0x00000249A01AA000-memory.dmp

Filesize
40KB

Download
memory/2160-23-0x00000249A0180000-0x00000249A018E000-memory.dmp

Filesize
56KB

Download