blackguard | c81e2a3b15785a5fb548c5552be839fd92e2fc5423b372fba2f890ad488371b9

Resubmissions

20-02-2024 04:33

240220-e6v9vaba5w 10

20-02-2024 04:30

240220-e42c3sah9z 10

20-02-2024 04:20

240220-eyb61aag6y 10

Analysis

max time kernel
1789s
max time network
1744s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
20-02-2024 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UMF.Installer.exe
Size

10.4MB
MD5

5a7ecc12107019e47294f27f4d40572c
SHA1

01891d681fd8b6baa0599e335999d427e55179db
SHA256

c81e2a3b15785a5fb548c5552be839fd92e2fc5423b372fba2f890ad488371b9
SHA512

77da7350f3cc4358e07250ee9c6cbd035a9a27a934c019967942841cbf3d49839cb765dc6a22bc121e34ef1494b33050dc5752beff5e1938b82848b3190d4ad1
SSDEEP

196608:DJ06wpSjt1RoahEDQH6TdBy5AY6TdVp/6TdvpPC:d0xpqloDQajPTpCppPC

Score

10^/10

blackguard stealer

Malware Config

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
68	discord.com
69	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
740	msedge.exe
740	msedge.exe
1200	msedge.exe
1200	msedge.exe
2104	identity_helper.exe
2104	identity_helper.exe
4804	msedge.exe
4804	msedge.exe
4012	msedge.exe
4012	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	116	UMF.Installer.exe
Token: SeDebugPrivilege	3216	UMF.Installer.exe
Token: 33	4972	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4972	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 1200	3216	UMF.Installer.exe	108
PID 3216 wrote to memory of 1200	3216	UMF.Installer.exe	108
PID 1200 wrote to memory of 3884	1200	msedge.exe	109
PID 1200 wrote to memory of 3884	1200	msedge.exe	109
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 1620	1200	msedge.exe	110
PID 1200 wrote to memory of 740	1200	msedge.exe	111
PID 1200 wrote to memory of 740	1200	msedge.exe	111
PID 1200 wrote to memory of 1920	1200	msedge.exe	112
PID 1200 wrote to memory of 1920	1200	msedge.exe	112
PID 1200 wrote to memory of 1920	1200	msedge.exe	112
PID 1200 wrote to memory of 1920	1200	msedge.exe	112
PID 1200 wrote to memory of 1920	1200	msedge.exe	112
PID 1200 wrote to memory of 1920	1200	msedge.exe	112
PID 1200 wrote to memory of 1920	1200	msedge.exe	112
PID 1200 wrote to memory of 1920	1200	msedge.exe	112
PID 1200 wrote to memory of 1920	1200	msedge.exe	112
PID 1200 wrote to memory of 1920	1200	msedge.exe	112
PID 1200 wrote to memory of 1920	1200	msedge.exe	112
PID 1200 wrote to memory of 1920	1200	msedge.exe	112
PID 1200 wrote to memory of 1920	1200	msedge.exe	112
PID 1200 wrote to memory of 1920	1200	msedge.exe	112
PID 1200 wrote to memory of 1920	1200	msedge.exe	112
PID 1200 wrote to memory of 1920	1200	msedge.exe	112
PID 1200 wrote to memory of 1920	1200	msedge.exe	112
PID 1200 wrote to memory of 1920	1200	msedge.exe	112

C:\Users\Admin\AppData\Local\Temp\UMF.Installer.exe
"C:\Users\Admin\AppData\Local\Temp\UMF.Installer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\UMF.Installer.exe
"C:\Users\Admin\AppData\Local\Temp\UMF.Installer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://umodframework.com/license
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffadf6946f8,0x7ffadf694708,0x7ffadf694718
    3⤵
    PID:3884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,16131805506392111929,14508011070414202058,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
    3⤵
    PID:1620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,16131805506392111929,14508011070414202058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,16131805506392111929,14508011070414202058,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
    3⤵
    PID:1920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16131805506392111929,14508011070414202058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
    3⤵
    PID:784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16131805506392111929,14508011070414202058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
    3⤵
    PID:3076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16131805506392111929,14508011070414202058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
    3⤵
    PID:3348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16131805506392111929,14508011070414202058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
    3⤵
    PID:4804
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,16131805506392111929,14508011070414202058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
    3⤵
    PID:4972
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,16131805506392111929,14508011070414202058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16131805506392111929,14508011070414202058,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
    3⤵
    PID:1276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16131805506392111929,14508011070414202058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
    3⤵
    PID:2348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16131805506392111929,14508011070414202058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
    3⤵
    PID:4960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16131805506392111929,14508011070414202058,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
    3⤵
    PID:4108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16131805506392111929,14508011070414202058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
    3⤵
    PID:3220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,16131805506392111929,14508011070414202058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,16131805506392111929,14508011070414202058,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3092 /prefetch:8
    3⤵
    PID:2976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16131805506392111929,14508011070414202058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
    3⤵
    PID:1252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,16131805506392111929,14508011070414202058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6584 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16131805506392111929,14508011070414202058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
    3⤵
    PID:4604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16131805506392111929,14508011070414202058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
    3⤵
    PID:2944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16131805506392111929,14508011070414202058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
    3⤵
    PID:1764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,16131805506392111929,14508011070414202058,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4852 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1892

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f4 0x3cc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UMF.Installer.exe.log

Filesize
1KB

MD5
a6c9c7d8739b6b18b572dfa496509a1d

SHA1
febb2d6f97d9030dec365fa88c1d0bc48b4adb45

SHA256
c4690d5e4ba4d7d4bfe813b1f02aa535c2eb0e27bb097d2fe37fbcc66d29cecf

SHA512
92f45dab1626426fdc0ca73f19338dae7a46b8f8c28e1d9ba3719453118c5d7e21c395e7aa85dcbecb18103dfb000c395cacdd47c6ea7141d390fff7a16240c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1386433ecc349475d39fb1e4f9e149a0

SHA1
f04f71ac77cb30f1d04fd16d42852322a8b2680f

SHA256
a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc

SHA512
fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
2053838b97b84bbbd0387df6783d6548

SHA1
4a887311b108431247b36fdf83f3752365aa82b9

SHA256
e95cc3d56ed7e3dca8f963102170707c4643839a52c0164e2759babd26d4d7ff

SHA512
c3688797e92d1410aa9c0c78b234bf184d5cb585e6ed2d071e2fcb91cc0f5d08878ce342ecd997ccbf70c4922d55eafc8d68bbecfd731abd7837a5ca5a6d5c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
10ec5c13ae87a7f5f75ffeb1bde7b3b5

SHA1
ce1dc4e6ed81f95e0b2420e2687bf948ff7a5180

SHA256
1e31340471432ea434e6b2d25b2dd183a9ed85b9f643961262be8f0dd0e937e3

SHA512
7db437a3f9d690a939f1de5c37f551e44a4ce642b90766a77099b101c162879078799172398dfa1ce80f280e59c8ba02ce0d9163ceaaa72970be15db0a645abc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8a13c57ce81844bae9ead67d08bc7690

SHA1
54d44ad3a9313f2bdcc304af31f55c857750d06a

SHA256
251dc9420336fe9330d3316ac801c9bc9b9f2c614ce9f40442e725da31dbc896

SHA512
91ad1d6a8e4aeea6aaed26b31d9e9d9926994af7404d68de2a370c8c89bebea98ced9b91a178f4d8d1c02b60f7d2aa4b5f01d3d4326989d3dd9a02994b240838

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
22dd909f5b4d8cd27ae5807e906d6ef9

SHA1
0230da2afaf19ebff94db6b424b9a73b0c55f43a

SHA256
9e45b0c3d462e13bfe298b1e7f9dfb33dfc5b9411ee4fa7f24fe46da97b12aa6

SHA512
614862e70cfc40dfecd416190e816752a3524104012c0f6ef63e0131d76126b7474d25d6ea0379bf1dd8e8d646a01c4dc2e0c31331252fe0c2c0f2777d6761fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
76f3043cacd5d620970bde7796609e31

SHA1
94b458a5ed4630a596d17206aa9134a656f24aa2

SHA256
153b2d7b16e755d53557589fac4e64aaaede51781ef89a7890c192292ac651ed

SHA512
d0a31ae84d429d243c2398f4eebf2fea6cceb825613df23c6d0d44d72953e32ce51f7028a745a42f4f718a7dbd5a991e023aed6c1cc260d267aea02152d2d15c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7b19b3830a3f47e7c98f4ac98f3a900e

SHA1
d34a157fd79a78ce3462adf7c00fbb1a1c876ae5

SHA256
49c349b279740fae93c27dcf51fc463c98a7d533dae6927834a2cf8c41cf0d92

SHA512
201acc931f781546a35cf800998de2abb997a4f69aa1fe94915158e4d0da0dff462ad5b4b17a4c127bb750860706d2cade03c55062ff7a77a4e5409ba690d463

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d2f9b299115721cb874874d874167262

SHA1
25b8104849bad333ab0bb064d7f0be125eb4bb87

SHA256
b144f6c47362a3b03a1d2602f1ab0131007ce4295d2b03c5f53b129444589253

SHA512
f26f8e36d6711f069dc726efc5dacc906f5d15881295f5967d21cc59d973b162131efb1ff16aaa0a0f44dd10fec02a23506b6ad5042e6e33925c52b679a69844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e664066e3aa135f185ed1c194b9fa1f8

SHA1
358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5

SHA256
86e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617

SHA512
58710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
5a71847d27b6530c58819e94e7068055

SHA1
3087f851cd17aa7ed32ba2e10bc75959904854a8

SHA256
6f8106965d0061898839a9d37b830418fca98af301b289723f7e274b9688896f

SHA512
f632a96641e272017f7c1337a4ac16539af762129cec771badc15e518493488c5eff14bdc19d224af67ba3d0dd6f3931259df2365d61b9b7a0277fa671c2792f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5adfc2.TMP

Filesize
538B

MD5
4cfb8e48b4ae59d165d3dc84f0edcd96

SHA1
ab5492df61e054aeb367f185dd5378326c74127e

SHA256
931386a658a1d4265972e9fde477a156151659e56de93f8c6f37f430e498c64e

SHA512
c9d0f890c549739025a787179c86b95314db755b6460bb9e53f5b2618f1f5463eacd163bbd88bbae4ed284554d29fd528648a9bc52ff680efb16ee5d633f4218

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6bd863973428abe952dfc7cdf8573201

SHA1
d904591bff575ed569267ad7990b877f35594c74

SHA256
ae1eba9435c52dc1b5184a4be00fece5441f4f8f571480d9977267aea7a6c0c7

SHA512
3f6a7067168acf4a8f1b0540750ce3661ed39ab6afee1d302928b75008ef339f34de576fa81f62afa1808f87f3876bc60418c66b65ed7f466a270ba5f95c641e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3dad01456a1b291f643a48e47f521e56

SHA1
733f8676671de14a463d9730cdbc70c89195b91e

SHA256
0a807449889d9645ad6aa3596d46e90c9d0224606aacf4424c058d89f9df5f6c

SHA512
632e88b97e2f1e8b160e540ef99c33652a606b9b71ae332718a754e739d731bbdb57c9466c6514b0eac95a3a2b0c5e0e9b465261e768b91f62780b5b236ec729

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
825c09bcb085643556f52fec959a209f

SHA1
d7d7aa51dbeec6c19925a21031412e8eae1dbdec

SHA256
f7fc13ca7c6bc651f7abb24339bf4f0c7d2618c6779b9a04896ae6ae377dc99a

SHA512
90bad177d3ab06d30c3a0c05c6359d9e277a55cdf5f3167b60cbefcc72f860fb40e5028177f5240aec97e7c13d4f71e144d8c51f702db9fe348e40de1aeebf53

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMF.Installer.log

Filesize
1KB

MD5
1862e824e518abdde8e0989f16a95c20

SHA1
5e4c59ddf8a5e01006a0d61007dc4c7d0a3fff12

SHA256
15df92d1b18ecaa49eafe22ee6548ad0d51465ee1fc99ad02c061902dad6fed1

SHA512
39a40e3cea974a0bb5411777f80fce697ee1a491faa0fd7ced2e05678d31f930e786c9ca7cc10dec6cda7145dd99ae3b7a8dfa0bca4d4abe823ebe9babe24d44

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 238586.crdownload

Filesize
16KB

MD5
c44dd4994192115708db3651ebb0b1bc

SHA1
c50ae7585eb3c3df5f61c498c31d22ee9444f2e5

SHA256
ee62a83cbd1c38fc412e3c0442696a7d34131601b1c6189e7f2c21f097f6a130

SHA512
a3aed4edfdd33b2206cad1d3a75fc5138dedd5dbdb022fc0eeb0cc8284ad3403a80437dfdd8fc5fc7125c9859c7d22c28c189b7ac2c2c3a50c4d06bda08bc898

Download Submit
memory/116-1-0x000001CFCC400000-0x000001CFCCE7A000-memory.dmp

Filesize
10.5MB

Download
memory/116-0-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/116-2-0x000001CFE7580000-0x000001CFE7590000-memory.dmp

Filesize
64KB

Download
memory/116-3-0x000001CFE7580000-0x000001CFE7590000-memory.dmp

Filesize
64KB

Download
memory/116-6-0x00007FFAE5590000-0x00007FFAE6051000-memory.dmp

Filesize
10.8MB

Download
memory/3216-11-0x000001EAE5B70000-0x000001EAE5B80000-memory.dmp

Filesize
64KB

Download
memory/3216-12-0x000001EAE5B70000-0x000001EAE5B80000-memory.dmp

Filesize
64KB

Download
memory/3216-10-0x000001EAE5B70000-0x000001EAE5B80000-memory.dmp

Filesize
64KB

Download
memory/3216-304-0x000001EAE5B70000-0x000001EAE5B80000-memory.dmp

Filesize
64KB

Download
memory/3216-8-0x00007FFAE3820000-0x00007FFAE42E1000-memory.dmp

Filesize
10.8MB

Download
memory/3216-292-0x000001EAE5B70000-0x000001EAE5B80000-memory.dmp

Filesize
64KB

Download
memory/3216-291-0x000001EAE5B70000-0x000001EAE5B80000-memory.dmp

Filesize
64KB

Download
memory/3216-108-0x00007FFAE3820000-0x00007FFAE42E1000-memory.dmp

Filesize
10.8MB

Download
memory/3216-265-0x000001EAE5B70000-0x000001EAE5B80000-memory.dmp

Filesize
64KB

Download