umbral | c19c1b9db038d843ea040fdd1e0ef430258479b88da3db295d82ad5ede7d54fd

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24-02-2024 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spoofer.exe
Size

227KB
MD5

71fdaa3ec1242e7643807ade78ae0c8b
SHA1

307ddc6e4a768069e726fd4bb1c21d1a8a3dcc7e
SHA256

c19c1b9db038d843ea040fdd1e0ef430258479b88da3db295d82ad5ede7d54fd
SHA512

ab43150a6ba2caf3e81212a840e05a6b6b95762ed2ba8234411beeeaf564a5512cc46d25c3fedc154fbe259f3ad113539861cb98b91e1caaa2fd43863a34a877
SSDEEP

6144:eloZM+rIkd8g+EtXHkv/iD4SDD6hv0IHL2PxM4dCCb8e1m4i:IoZtL+EP8SDD6hv0IHL2PxM4d5G

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/1960-0-0x00000274B1F40000-0x00000274B1F80000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
54	discord.com
57	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1414748551-1520717498-2956787782-1000\{E272411D-65AB-4C6A-A17F-B7F921506907}	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4460	msedge.exe
4460	msedge.exe
1740	msedge.exe
1740	msedge.exe
1836	identity_helper.exe
1836	identity_helper.exe
2820	msedge.exe
2820	msedge.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
648	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	spoofer.exe
Token: SeIncreaseQuotaPrivilege	2780	wmic.exe
Token: SeSecurityPrivilege	2780	wmic.exe
Token: SeTakeOwnershipPrivilege	2780	wmic.exe
Token: SeLoadDriverPrivilege	2780	wmic.exe
Token: SeSystemProfilePrivilege	2780	wmic.exe
Token: SeSystemtimePrivilege	2780	wmic.exe
Token: SeProfSingleProcessPrivilege	2780	wmic.exe
Token: SeIncBasePriorityPrivilege	2780	wmic.exe
Token: SeCreatePagefilePrivilege	2780	wmic.exe
Token: SeBackupPrivilege	2780	wmic.exe
Token: SeRestorePrivilege	2780	wmic.exe
Token: SeShutdownPrivilege	2780	wmic.exe
Token: SeDebugPrivilege	2780	wmic.exe
Token: SeSystemEnvironmentPrivilege	2780	wmic.exe
Token: SeRemoteShutdownPrivilege	2780	wmic.exe
Token: SeUndockPrivilege	2780	wmic.exe
Token: SeManageVolumePrivilege	2780	wmic.exe
Token: 33	2780	wmic.exe
Token: 34	2780	wmic.exe
Token: 35	2780	wmic.exe
Token: 36	2780	wmic.exe
Token: SeIncreaseQuotaPrivilege	2780	wmic.exe
Token: SeSecurityPrivilege	2780	wmic.exe
Token: SeTakeOwnershipPrivilege	2780	wmic.exe
Token: SeLoadDriverPrivilege	2780	wmic.exe
Token: SeSystemProfilePrivilege	2780	wmic.exe
Token: SeSystemtimePrivilege	2780	wmic.exe
Token: SeProfSingleProcessPrivilege	2780	wmic.exe
Token: SeIncBasePriorityPrivilege	2780	wmic.exe
Token: SeCreatePagefilePrivilege	2780	wmic.exe
Token: SeBackupPrivilege	2780	wmic.exe
Token: SeRestorePrivilege	2780	wmic.exe
Token: SeShutdownPrivilege	2780	wmic.exe
Token: SeDebugPrivilege	2780	wmic.exe
Token: SeSystemEnvironmentPrivilege	2780	wmic.exe
Token: SeRemoteShutdownPrivilege	2780	wmic.exe
Token: SeUndockPrivilege	2780	wmic.exe
Token: SeManageVolumePrivilege	2780	wmic.exe
Token: 33	2780	wmic.exe
Token: 34	2780	wmic.exe
Token: 35	2780	wmic.exe
Token: 36	2780	wmic.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2780	1960	spoofer.exe	89
PID 1960 wrote to memory of 2780	1960	spoofer.exe	89
PID 1740 wrote to memory of 2864	1740	msedge.exe	103
PID 1740 wrote to memory of 2864	1740	msedge.exe	103
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4400	1740	msedge.exe	104
PID 1740 wrote to memory of 4460	1740	msedge.exe	105
PID 1740 wrote to memory of 4460	1740	msedge.exe	105
PID 1740 wrote to memory of 1980	1740	msedge.exe	106
PID 1740 wrote to memory of 1980	1740	msedge.exe	106
PID 1740 wrote to memory of 1980	1740	msedge.exe	106
PID 1740 wrote to memory of 1980	1740	msedge.exe	106
PID 1740 wrote to memory of 1980	1740	msedge.exe	106
PID 1740 wrote to memory of 1980	1740	msedge.exe	106
PID 1740 wrote to memory of 1980	1740	msedge.exe	106
PID 1740 wrote to memory of 1980	1740	msedge.exe	106
PID 1740 wrote to memory of 1980	1740	msedge.exe	106
PID 1740 wrote to memory of 1980	1740	msedge.exe	106
PID 1740 wrote to memory of 1980	1740	msedge.exe	106
PID 1740 wrote to memory of 1980	1740	msedge.exe	106
PID 1740 wrote to memory of 1980	1740	msedge.exe	106
PID 1740 wrote to memory of 1980	1740	msedge.exe	106
PID 1740 wrote to memory of 1980	1740	msedge.exe	106
PID 1740 wrote to memory of 1980	1740	msedge.exe	106
PID 1740 wrote to memory of 1980	1740	msedge.exe	106
PID 1740 wrote to memory of 1980	1740	msedge.exe	106

C:\Users\Admin\AppData\Local\Temp\spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\spoofer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9149e46f8,0x7ff9149e4708,0x7ff9149e4718
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,6920291815481874008,5614290700814147904,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,6920291815481874008,5614290700814147904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,6920291815481874008,5614290700814147904,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6920291815481874008,5614290700814147904,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6920291815481874008,5614290700814147904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6920291815481874008,5614290700814147904,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6920291815481874008,5614290700814147904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,6920291815481874008,5614290700814147904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,6920291815481874008,5614290700814147904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6920291815481874008,5614290700814147904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6920291815481874008,5614290700814147904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6920291815481874008,5614290700814147904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2044,6920291815481874008,5614290700814147904,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2044,6920291815481874008,5614290700814147904,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6920291815481874008,5614290700814147904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6920291815481874008,5614290700814147904,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6920291815481874008,5614290700814147904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6920291815481874008,5614290700814147904,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,6920291815481874008,5614290700814147904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:3176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1f6d41bf10dc1ec1ca4e14d350bbc0b1

SHA1
7a62b23dc3c19e16930b5108d209c4ec937d7dfb

SHA256
35947f71e9cd4bda79e78d028d025dff5fe99c07ea9c767e487ca45d33a5c770

SHA512
046d6c2193a89f4b1b7f932730a0fc72e9fc95fbdb5514435a3e2a73415a105e4f6fa7d536ae6b24638a6aa97beb5c8777e03f597bb4bc928fa8b364b7192a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4254f7a8438af12de575e00b22651d6c

SHA1
a3c7bde09221129451a7bb42c1707f64b178e573

SHA256
7f55f63c6b77511999eee973415c1f313f81bc0533a36b041820dd4e84f9879b

SHA512
e6a3244139cd6e09cef7dab531bff674847c7ca77218bd1f971aa9bf733a253ac311571b8d6a3fe13e13da4f506fec413f3b345a3429e09d7ceb821a7017ec70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
f77fa2368046d4b6efdba40de4e68735

SHA1
33d9320bf7e3192d5c730cd0327c482c01cf30ca

SHA256
58f427d4a71ec08857d7386588571cb176800e3ea1e728269168e15d21a422c8

SHA512
d157bbe547265624e7131526076f8eda2a463dd56be1cd7c97acdbcf998c16cf68675b3afc72e10281980bcd8d67669ff2e6ee106ad4a1bafe95d9d1e475bf62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
fb5989e862b8e246db1f5b76ff86f77a

SHA1
3ab6cb865d41e56334f1061e8205a4aa4d328463

SHA256
42a24ba277e7ad14be4eca3d41c4c95f66a43354ee0463e7be4bb9cfae264928

SHA512
ac023ec19c75fb4819b336aa164cb11397c84bb73d756ae7f8385db405ca0542e9698315566c24d9c9c8563c9b832ffee365302911ef05fd28bbf9eece95c984

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d88831fd6d61f35770cfec4ffda01fc5

SHA1
8bac353a090442a7f0a59042e397d0d8ba0e5bbb

SHA256
264bbb672fc4bb4a82138435d438373e398cb4a904594802cddef08e22d4ff76

SHA512
c2414c3170de0de7035385e219cb9643a88751e229dac9b0ab8da11e38ccc6eea42a58ac6452600575425e29388604ed296ef6390152755000089fb7d3152c25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
de16e7cf30b87836cc3ce3a647453644

SHA1
78cc210b6829ad75c103d51fc70a7d45bf3ed6a3

SHA256
d446defe63c3256ef4a41e7bd7c7b75556f9412152d3dbdedb4a4abf9c025756

SHA512
b3beee408ba4c415809e1ff2c17ccb585aee24ffee106729d1cad069d7327e543902df35a2e8cdd5308b15820cd39084fb7d3077bd5c8e2583c713fee8d185fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c0aa2e6dd5915dfa4bd3a5b62aa79d7f

SHA1
f3abcb9e02516904a58bc21b636201f1392ada9c

SHA256
69e5d8dc47b8c3ced5595f1fc028cd4652c2b23645720ff1369accec13dee4bd

SHA512
0fee2b5ca742cf6d7d68ad8dd45a6ccfe1700209656a3cbb850d8b5914d59b63d94759c7e2810ed66a10b095e139c34b9ad7af743e9e26fac9eee763a1379eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0b87e389fd33c062c8a64bc4affae044

SHA1
7b4d407ee3ad158342d45ebb513cbb7a34c2baa0

SHA256
f86476655e4e42fc911dcb06b6b2258d6cb2f88024a6e10def60ebf4b2a72b9e

SHA512
ccafb2f33093ab2e54e904b48e4f73621f96e24107a6a99f630d82b486fae17e06091d467c1a08d5b1b3ae15fe915be7ec9eca1df4563bb29c0c52d78eceeafd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d55f5c9ea65389a6064c57ec61630283

SHA1
7519b593cee1aa468c4d5200e57cc74740509728

SHA256
593c4ef1d339bf7428d3f7c3428862ae04879ec3a5214ee8de09f69b23e8f8b1

SHA512
23322185664d198e36fe3ca70da0c1f92dfd931727125b5557d8d698d238dc779c22f1f18ed3ef2e42baf920e499cb959f64a9e8c070b49e4efd810c2f510394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
20b32581203a4207cc35bac99b8ee0d7

SHA1
08570b67021e2f2afbc0211342a003f19ded209a

SHA256
4446ff8abf38c2a83e61bd9e6cca4e54d2231da16d193829a257a349c7b58a3e

SHA512
9bc086199ddd3207daf584c4c5eff7f8178540f4fc1b6739c7fec602377b6ce2569d6739cdafb5c68895302a75e2754895a43882302e520f6fac677ec5b69cf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
341892fa5f9facdd9dca9503e89ee4f7

SHA1
e91d7c8bc9b61be4ac03e2e372f7aee0752031c0

SHA256
a9bbcfde1e28d26e5cba180b6541e902424891c3f896f51643d271ce3b5e05f5

SHA512
960c7ad9e98be74c9984b8c0a236715420a4830f5a0b94c875ac120cfa08c1214f4e90b4f17e36fafc15d6f423133273faca1ab5f1733d9d602f1ca4416a1214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
98eef544ac500fed0fa214445fe32cd7

SHA1
96b30cb7aa8e228284f9f5ca98769032057dca20

SHA256
5b57dd36df6a74f6270c7d3ec5e4d1b7edf15d30f25906eedc6b5fabb4423ca7

SHA512
aa60d8b411371d754d84f31101ba7d77487718d7dcf6502a1432abb1ca99d29748c094fe7c95722b8b0dbb14a0e986c3ce851302d5d33f219593fb79ffe3f0e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586f8e.TMP

Filesize
872B

MD5
212b3bf97fa27d260785870fdd23c0e1

SHA1
368ba439113951b7d408961f8bffc0a4496ccb82

SHA256
d3cc7b8fbcd5f81793d60ccb8c998cc3e017fbaf83f1325c7cb33ab8f1b48a73

SHA512
1be17ac9817e41729c14ea1a2b49068aa1d7f0843b5bb107d9539fe519a174e4941d37613274bfa1a2928204ca8e65ca6ed64f2fc9a95691f0aa8e402a3ede6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
abe0d1128876019e78ab762fdfe6e8f7

SHA1
118fe46d78e8da64aa908bf92b145f13c51b5202

SHA256
f5d05698eccd34602d5146867a82629793269cf5d4f694b88ac23008ec6bf3a2

SHA512
3565ffd0add65bf64e2af43b59fe66a1898015c2e1f7fd0e60b26eb640ff702066cf9d6d698f5f65d33b3eecdd915a0e241e00a14096c4ea7c0d3b4c92bf1167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
97d94d441406d4bc28c4d2d940a993ab

SHA1
09fefab78094271cd5baeaf568e5e2b01c7ab46a

SHA256
6e87bd168dd4c17fff2d649a8fe74f72c975cd2e736dd6e80c05fdebc6087a3a

SHA512
bfcd3a508d18ac7b434a45a1d9ee59fa6bc1212236f6eb0341dc1795a5b3ce1bfb7fad4bea2abb413b45978ce8c3bc770ceab7f7dbb581399459ff6acf7fee14

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1960-4-0x00007FF915E50000-0x00007FF916911000-memory.dmp

Filesize
10.8MB

Download
memory/1960-0-0x00000274B1F40000-0x00000274B1F80000-memory.dmp

Filesize
256KB

Download
memory/1960-2-0x00000274CC400000-0x00000274CC410000-memory.dmp

Filesize
64KB

Download
memory/1960-1-0x00007FF915E50000-0x00007FF916911000-memory.dmp

Filesize
10.8MB

Download