hxxps://marketplace[.]visualstudio[.]com/items?itemName=LyfeExtensions[.]Discord-RPC-Support

Analysis

max time kernel
419s
max time network
421s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2025 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://marketplace.visualstudio.com/items?itemName=LyfeExtensions.Discord-RPC-Support

Score

8^/10

microsoft discovery phishing

Malware Config

Signatures

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
43	raw.githubusercontent.com
44	raw.githubusercontent.com
45	raw.githubusercontent.com
46	raw.githubusercontent.com

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2208	msedge.exe
2208	msedge.exe
3544	msedge.exe
3544	msedge.exe
5288	identity_helper.exe
5288	identity_helper.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe
5944	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 3096	3544	msedge.exe	84
PID 3544 wrote to memory of 3096	3544	msedge.exe	84
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 4428	3544	msedge.exe	85
PID 3544 wrote to memory of 2208	3544	msedge.exe	86
PID 3544 wrote to memory of 2208	3544	msedge.exe	86
PID 3544 wrote to memory of 2064	3544	msedge.exe	87
PID 3544 wrote to memory of 2064	3544	msedge.exe	87
PID 3544 wrote to memory of 2064	3544	msedge.exe	87
PID 3544 wrote to memory of 2064	3544	msedge.exe	87
PID 3544 wrote to memory of 2064	3544	msedge.exe	87
PID 3544 wrote to memory of 2064	3544	msedge.exe	87
PID 3544 wrote to memory of 2064	3544	msedge.exe	87
PID 3544 wrote to memory of 2064	3544	msedge.exe	87
PID 3544 wrote to memory of 2064	3544	msedge.exe	87
PID 3544 wrote to memory of 2064	3544	msedge.exe	87
PID 3544 wrote to memory of 2064	3544	msedge.exe	87
PID 3544 wrote to memory of 2064	3544	msedge.exe	87
PID 3544 wrote to memory of 2064	3544	msedge.exe	87
PID 3544 wrote to memory of 2064	3544	msedge.exe	87
PID 3544 wrote to memory of 2064	3544	msedge.exe	87
PID 3544 wrote to memory of 2064	3544	msedge.exe	87
PID 3544 wrote to memory of 2064	3544	msedge.exe	87
PID 3544 wrote to memory of 2064	3544	msedge.exe	87
PID 3544 wrote to memory of 2064	3544	msedge.exe	87
PID 3544 wrote to memory of 2064	3544	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://marketplace.visualstudio.com/items?itemName=LyfeExtensions.Discord-RPC-Support
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe67d946f8,0x7ffe67d94708,0x7ffe67d94718
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2680 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6784 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7232 /prefetch:8
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7396 /prefetch:8
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
  2⤵
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1852 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4908 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,5985600371318886336,2760475926101271426,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:1
  2⤵
  PID:4548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1744

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x4e8
1⤵
PID:3084

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
898576b9aa21b0404fc84eaac5906dcd

SHA1
8dfda038952a754407c08d6be8e559826c3f6591

SHA256
1e7ce738eff78e1568c33ca33aa4d2a42677310ff26c04165b96109c74c40547

SHA512
f5666e14d0cf111ac7f4f891780915a781522e60a772af587870f1704f82219ba7464cb11efc9d9e82218726b2aa3ad13f594cc4d193ad79e215f2a3e0f5afe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
309148bf49e8ca246698168910d9b74c

SHA1
f99686e13cd2311a9aa76eb5ff41c83a6ce4b0ec

SHA256
f055363b8441f546499adc3fc60b5f90460be6e2abb3bc367c61ad8db0b8f660

SHA512
1a8aff15eb0b560430565a3999179d795e7b526ae7d6e3b60bd40f7f53bc8711a449080c0b862e9e46cb7c7aa79f69494c4a11ac9cdfd49060d770f8e6cf595d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8c779ab177fd55212c9213919788fe9a

SHA1
48a643c07b1dbd7b26819d1a6d40941bec473056

SHA256
384b231684c888259bcffa724b25ad3d6d9b994cd777fcf18aa5e7763f1a3e9f

SHA512
222b416882b9e249a977cd4229d8792c659f73e0fdfdb90e660dc0cf2627751d665bcd0befe23269f8a53eb48d3595f48eeb0e85a7f44798bc7a520ea2b30664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aa1c17ad505b379ab16fe913941f7e70

SHA1
91bed7f88bf7bc8236cd27f389ff9029bf41ade7

SHA256
b07565f352af91479bfc3b6f49192e89e2ccfc130e6f18977e309e60850ab6d4

SHA512
98d21039ee8968b919391b12607f5006404ea7164b28580cbdbc3e577ae2b93509bc0f87b4c9c7088182fd1db1264ee2fbe746436c0d41d7d9c11d3d546d2a8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0395a2e67738db72b4d6e445d28dce61

SHA1
2d2f56ff027a1822c876ea3765dce8b9e3cff622

SHA256
76d8c2d6d69d96d5638a9889fa241761a902787b42012c2e09893fa5c68e631d

SHA512
b135d706aea6f26bc364fa959ec9bd3ee49e187c79b8e0040b35ed7ed0ac678b1d5a99c5439b753fa3d26ac4935350a3dd84653e8d769848282da24469bb19f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
69caa8b4c6751a1c1d426f33efea7815

SHA1
a08ff6fa87d6b435ba0b67472d3c9d65b09ce44e

SHA256
be10660eb2e129199acf8ad4a886747b5d35c9cbd3bb3b4c20a8d8bc2b890520

SHA512
f30ebfb60a548328cf22c4abdcc1e981ffd94e297a9bc4fd29fa475a4f1442e7ef1f748e730e31c85589fa77d940027767924e1b02399844390641ac879aa708

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5824d8d86cc4b3f112ee0bc78546c95e

SHA1
2f6762b62a04e3bc4eae4e68231ec765d1854377

SHA256
08eb69b453ef3e05515618ef32102b92c86cc774117020f4b62dd73479e0958b

SHA512
68bb9c861637c5743750dab7df8afc291a41d3a624f34b160a4f25743ff484fd0cf05f18fe26c5327508ee4a39ffc0e2cb66a241bddec4e79b5eb98c797201ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
890150d877911885a8106136ca3190fa

SHA1
ba2eaf7da7993c538adcf49581697038077f5cbf

SHA256
a713b896c75deadf612290eec19bd46b46bef96430d8278d010a21f9a6411172

SHA512
94e708b7269108832f78d484505c073fba718a8dba2c99ffff72aff277501ba61a62c5b9d15ba00681dce737daa4375592f0aa3e9379ab1d74a529884df60256

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
75c9425d79208bc4c476f86e78fe115d

SHA1
b0c268396574527ac5c8255334122b0019f00266

SHA256
f08b137096e51ae1b6d0734cce96baa090cd3f1c80cb7a06b5f1cadb34c5dd51

SHA512
3efa0a26c0aa9bcf69762360e26434252d55b9c2ad6c40d9cf69f0dd53a0828c4589d5945e3016c1ed14f9c422608cc518a45e0aa2ecd76ca15b62d815cd25a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
db0b98ed8dfed5ca1389251903e96479

SHA1
0c5269ffda781cddd4199d634e9e832b4c6ee45e

SHA256
82c27b79490973a3a83dcf91bcfdf888c597258ff0b27896db89c93ad694c3d2

SHA512
9afaa898f7c73a291bfb719350be7e64930e7f163c37747ba6dfba98afc093cc39cd139b76fca5d9baffca7f022288d41f8c97ca47c94b22d899323ef8cd07e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
944c4ef982c74c6d2fcaf72c19a5adba

SHA1
500ba03511d65712ea9134b4b4c8caacd5978f00

SHA256
17ec4f47ffdc648f74d91fe75f5e073474204cccfb85c319bd048eb339dc8c8d

SHA512
16a5679e06263738addd3cf03d499d4f5f5f7203d36573640045f671bb35ed7e0729265138096496f94819512e8a4c23e4d047c0c7a2a6902de290f3874133b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581c1e.TMP

Filesize
706B

MD5
7b575efcf67a05f2dcfc402c773367cd

SHA1
a898b06d62d8bd2cf215023ea4a64980aab5de51

SHA256
8e72dbbd34e02c8ad91d2ce29858e78a61170f46d383dba2bc66c619d93f5012

SHA512
95885ec54cd601dd0ecebe5f1c060b27c80baf439b37a63a95753a589f5eb293dfc9cdba5495df641578df274ec45f67eff5475dc10dc6a301997ed271ecc023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT~RFe5855ad.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c927a8e676fbdefcf29f4c7342640dec

SHA1
94091ba7426af0fefb8b0b4a23d4c16107cfc577

SHA256
e2bf70792a46b4c7ba235144e108a91550c8583d242613278fc5a4b39df7a5ee

SHA512
f5993dd47f7f20a42ef9225a09172d0ea0de85c9fa032c4c5357a09460f23fd6c6dad66cafeb60eca9b2f81443cbf32fa2ba2a795d898d2783dd4c2d6111c837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1000eb33c50fa0914a2422014fd028c6

SHA1
c71c8c10b93f594d16173445a4c9ba7fb54a82c4

SHA256
d6c97bcf4b685c3c671b9faf087d474e7cd587ecf507ca542550b588a6e026ca

SHA512
860977fcbe17c166ed2c8f2a0ada084a863b5eb1277711dde38d383583eb3030f4e330a74ea316854004f867edda13ff80463fed7c63360697eb4cfcc3784376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
783a98cfcfecf5ed072c96ffab84f0dd

SHA1
ffcaa9832417d751558b7ec2b745f3d4423efbfe

SHA256
f93a75c336378ffeb143625a61a38fe29699fa1baf83a7f284a7d99721acd093

SHA512
025438379b43df79ce67977e2302e3dde459a770a0bc9610a0f551ae81b9424408ad4fca8a10ce8a4d1a92a7d5019f394baa27e05c74015c75e34e146955bdfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fd25706fdc5c56be1018b5f3aeebeb01

SHA1
c7622474b12aefbc74014c4557fb330bf5e68949

SHA256
80eeac607e2c97fb28448462d2b7a7f5dc9cd6bbba783a14b17827be1e76ea8c

SHA512
f18d45ad15525a974e1df82d254e629caecfbac7bdedddf31b4a44b3ce927a33ff573d50c4d4b8ed1694412c2591cc264fb66ad6c95c49212d0631743076b465

Download Submit