7fd1cbb0ec656ed8cc87e6e66826bbbc4d571e449955533e70c5ec6bbd3abd93

Resubmissions

05/03/2024, 18:56

240305-xltvdsed3z 7

05/03/2024, 18:53

240305-xj3phsec7v 7

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lofy Cloner & Casa Cloner.exe
Size

8.3MB
MD5

66e6140ba9e19c29529dceb265b17b41
SHA1

fefdb348596c3160bac45888d56e6e940a452907
SHA256

bded5cf8faf4c7ff8a7582538cd325da029adcae50b14f38ed4dc6adabc5673b
SHA512

b0a26c3d34e1f1043e06ca759d645d10c7b1ab6f05a1d5e1788714b0d568c27f2763450f2af608cf01c7947dc7f55cc403dfa3355d51c45227f2951e4d5a6944
SSDEEP

196608:GJi56vBAoiL2Vmd6+DNnNgwQ+dtLZ7k30szjad0tNNlezM:GIL2Vmd6mZNjd7NszjJle

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 21 IoCs

pid	Process
3660	Lofy Cloner & Casa Cloner.exe
3660	Lofy Cloner & Casa Cloner.exe
3660	Lofy Cloner & Casa Cloner.exe
3660	Lofy Cloner & Casa Cloner.exe
3660	Lofy Cloner & Casa Cloner.exe
3660	Lofy Cloner & Casa Cloner.exe
3660	Lofy Cloner & Casa Cloner.exe
3660	Lofy Cloner & Casa Cloner.exe
3660	Lofy Cloner & Casa Cloner.exe
3660	Lofy Cloner & Casa Cloner.exe
3660	Lofy Cloner & Casa Cloner.exe
3660	Lofy Cloner & Casa Cloner.exe
3660	Lofy Cloner & Casa Cloner.exe
3660	Lofy Cloner & Casa Cloner.exe
3660	Lofy Cloner & Casa Cloner.exe
3660	Lofy Cloner & Casa Cloner.exe
3660	Lofy Cloner & Casa Cloner.exe
3660	Lofy Cloner & Casa Cloner.exe
3660	Lofy Cloner & Casa Cloner.exe
3660	Lofy Cloner & Casa Cloner.exe
3660	Lofy Cloner & Casa Cloner.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
211	discord.com
212	discord.com
213	discord.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-983155329-280873152-1838004294-1000\{08D24CE4-869E-451B-856C-F80D255829E2}	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1480	msedge.exe
1480	msedge.exe
4504	msedge.exe
4504	msedge.exe
4520	identity_helper.exe
4520	identity_helper.exe
2536	msedge.exe
2536	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3660	Lofy Cloner & Casa Cloner.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe
4504	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 3660	4756	Lofy Cloner & Casa Cloner.exe	90
PID 4756 wrote to memory of 3660	4756	Lofy Cloner & Casa Cloner.exe	90
PID 3660 wrote to memory of 3340	3660	Lofy Cloner & Casa Cloner.exe	91
PID 3660 wrote to memory of 3340	3660	Lofy Cloner & Casa Cloner.exe	91
PID 3660 wrote to memory of 1096	3660	Lofy Cloner & Casa Cloner.exe	92
PID 3660 wrote to memory of 1096	3660	Lofy Cloner & Casa Cloner.exe	92
PID 3660 wrote to memory of 1092	3660	Lofy Cloner & Casa Cloner.exe	94
PID 3660 wrote to memory of 1092	3660	Lofy Cloner & Casa Cloner.exe	94
PID 3660 wrote to memory of 1704	3660	Lofy Cloner & Casa Cloner.exe	105
PID 3660 wrote to memory of 1704	3660	Lofy Cloner & Casa Cloner.exe	105
PID 4504 wrote to memory of 4392	4504	msedge.exe	113
PID 4504 wrote to memory of 4392	4504	msedge.exe	113
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 4992	4504	msedge.exe	114
PID 4504 wrote to memory of 1480	4504	msedge.exe	115
PID 4504 wrote to memory of 1480	4504	msedge.exe	115
PID 4504 wrote to memory of 2460	4504	msedge.exe	116
PID 4504 wrote to memory of 2460	4504	msedge.exe	116
PID 4504 wrote to memory of 2460	4504	msedge.exe	116
PID 4504 wrote to memory of 2460	4504	msedge.exe	116
PID 4504 wrote to memory of 2460	4504	msedge.exe	116
PID 4504 wrote to memory of 2460	4504	msedge.exe	116
PID 4504 wrote to memory of 2460	4504	msedge.exe	116
PID 4504 wrote to memory of 2460	4504	msedge.exe	116
PID 4504 wrote to memory of 2460	4504	msedge.exe	116
PID 4504 wrote to memory of 2460	4504	msedge.exe	116

C:\Users\Admin\AppData\Local\Temp\Lofy Cloner & Casa Cloner.exe
"C:\Users\Admin\AppData\Local\Temp\Lofy Cloner & Casa Cloner.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Users\Admin\AppData\Local\Temp\Lofy Cloner & Casa Cloner.exe
  "C:\Users\Admin\AppData\Local\Temp\Lofy Cloner & Casa Cloner.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c title Casa Cloner - Developed by Noritem#6666
    3⤵
    PID:3340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffca6ce46f8,0x7ffca6ce4708,0x7ffca6ce4718
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,10239162595095742130,7138987525866351601,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,10239162595095742130,7138987525866351601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,10239162595095742130,7138987525866351601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10239162595095742130,7138987525866351601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10239162595095742130,7138987525866351601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10239162595095742130,7138987525866351601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10239162595095742130,7138987525866351601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,10239162595095742130,7138987525866351601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,10239162595095742130,7138987525866351601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10239162595095742130,7138987525866351601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10239162595095742130,7138987525866351601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10239162595095742130,7138987525866351601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10239162595095742130,7138987525866351601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10239162595095742130,7138987525866351601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10239162595095742130,7138987525866351601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2188,10239162595095742130,7138987525866351601,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2188,10239162595095742130,7138987525866351601,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10239162595095742130,7138987525866351601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10239162595095742130,7138987525866351601,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10239162595095742130,7138987525866351601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10239162595095742130,7138987525866351601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10239162595095742130,7138987525866351601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:5892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
4KB

MD5
7bcd788e7994b67b77c211aae56aa1a0

SHA1
25235dc1952c78a479dd63a68f496ed3001f21b3

SHA256
b195664a776889aba3adfbba5d3dade5ba63df4fabceedd95692f3907c49cc6e

SHA512
fc32de0be6a50834ce6ee7d5e1cf1e51a9bc503482b144c861a28a216527b5fe69fef4be1eac5d8c5393c2638fbbb2b4f0a65003f8edb50699a5cd3c96e32365

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
7b1d999a6a65d59aaaaf9735157b2a1e

SHA1
518b91f045ee7a87634ceff5e11f0ec101be891d

SHA256
a82cd693dadf012d2b9bd79ba20c2ea3c9fc8fbea73de2fd4c1c42c62e2cc38a

SHA512
bdbfe411ebd18e9df9062a9938fda62d558924f07e4b621fc2699ec3ec495fccadeffee023e7ce9c478874c6bde207c269b83eeb246660a7aed2348322b328b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
306968e534a89c235118a833f1328429

SHA1
7ce990ee9f5327397ca06395db6ceb797be4d058

SHA256
8a145a5f047187d5043bce892885e4520d405256ddc33ed07bcff88cd1f3120c

SHA512
bd62c40be6d4dad5d563622db17b587ba0ee85218b4166dc32cbe5ea31ed33d83f5bbf46ade2b8b200594ae3b47718bb5261dd8f5c2a83a331699c78ae5b0762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3d1b926c0ecafc69f8db889e4b2da562

SHA1
510e0038ad6d4019b128810a0315fd3a8ecd1aad

SHA256
2ed4a79dff81089bb1579ee534179b6c6408ab35a58114ddb0c72699df22948a

SHA512
760825bd8287173c458248d3863d921cdb15350ec7b8118e8b35b6bba508bd4fc2076686a941a944dacf7a3172104de714deca8bb089f56b219821c744ef25b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8649d7777a4fa2cc0b4e711e6e13f16e

SHA1
8c1a993539595e280c70cacb50590d342504af29

SHA256
c21b66be775e38b0690160494581f2cf6bcf7c21d2a9d62590e70c7b6f7bb75b

SHA512
5c1744b193efd70e63c29d5ac42fac93ce74b775be50ebcf536219d57a963cfa7c1f426bfd6569b76ebcce102a86ed2af24cc3f05c8bd33c72ef1e4dae9d5e8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
74e471978cb33e85c51d1c73cdd82367

SHA1
51d222cfc5b063d1e1839daecbff18402473c473

SHA256
4bc4d007a3c8f9b1ebfadc3363f2d29083a8e68583de3b1094267707742e3b58

SHA512
b18b399b3d7bfeabce4eb8a2fc9f3d73b1a621062eee1fc172b5368a5f902c685cbcd4697a7a7b41fca786ca1f74a7ee22d3442dc14098a5b820bfb2ac9bd214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0efdac7e61e250c488288387506ca1d2

SHA1
4d51e0c83b396f3e510ff97d3236c042714a5194

SHA256
782ca12b35d63083f2e8a72d06dc4e05e7a61ac83e3512cb6df8d72c7e294ec9

SHA512
c78161a1d86217bf884da55bf348eec29f5ef0c4ddd30a43b9cbfeada1adf4d20fbb2bf35dbcf59a9fa0c9981ab457bc325d6c011c87b27e62867bbbe807653f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
74ea4cb0f7cca24ab9c9b0af019b28c2

SHA1
776b4883dc6d2af8fb310e16779953dc2f9d1124

SHA256
7bdfe2cf7869fc96f828359e49b08032224ca0f7655859a13170815e1df0e32c

SHA512
4933b188a5b12bf6c55382a49af31ee422a1dcde883f9fbf602c2aaad867c61bca0594081356f9b96b197a28c73361bd8ef0e8ec601b70dcc059dcc76578ab1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58f99d.TMP

Filesize
1KB

MD5
0108c49a976d2da73f70a6863dcccfca

SHA1
422beaa7f581ad95506f126fef4d08b450c4d8ed

SHA256
fce1271f32337c748ad3e7646449b0c38d39fd08d258b8903897ece87308eabc

SHA512
06b1f2f55d7d8b4dfb7146c4cc1b9c918234d122815971ca7f6ad0fd7a195dc2e69fc4dc48d443d05d9f89d8b7ecec366d3145754cf6537102fd62bed8c049f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3dac1c1f772ce0ef6b4d7c4d8849a470

SHA1
d0226c4ec7566ea5da49955ff3fcb2acd17283d6

SHA256
56179161aa1d893fb3cfcb4f5233db75e8bea37bb9078bd60861495e1d4c60ba

SHA512
ceb0cf405ecfd0463b104140115787c47cc1ac29623e208e60f8c0b2c99f6cb915ca253b94f93b9bb370e3d356612772fa3328d4c8121f0b220f806c8506aa7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\_asyncio.pyd

Filesize
59KB

MD5
483bfc095eb82f33f46aefbb21d97012

SHA1
def348a201c9d1434514ca9f5fc7385ca0bd2184

SHA256
5e25e2823ed0571cfdbae0b1d1347ae035293f2b0ac454fb8b0388f3600fd4b6

SHA512
fe38b3585fbfaf7465b31fbc124420cfbd1b719ea72a9ae9f24103d056c8fa9ae21c2a7dd3073810222405457beff89bbb688daeced3219351a30992a6721705

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\_bz2.pyd

Filesize
77KB

MD5
a1fbcfbd82de566a6c99d1a7ab2d8a69

SHA1
3e8ba4c925c07f17c7dffab8fbb7b8b8863cad76

SHA256
0897e209676f5835f62e5985d7793c884fd91b0cfdfaff893fc05176f2f82095

SHA512
55679427c041b2311cff4e97672102962f9d831e84f06f05600ecdc3826f6be5046aa541955f57f06e82ee72a4ee36f086da1f664f493fbe4cc0806e925afa04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\_ctypes.pyd

Filesize
116KB

MD5
92276f41ff9c856f4dbfa6508614e96c

SHA1
5bc8c3555e3407a3c78385ff2657de3dec55988e

SHA256
9ab1f8cbb50db3d9a00f74447a2275a89ec52d1139fc0a93010e59c412c2c850

SHA512
9df63ef04ea890dd0d38a26ac64a92392cf0a8d0ad77929727238e9e456450518404c1b6bb40844522fca27761c4e864550aacb96e825c4e4b367a59892a09e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\_hashlib.pyd

Filesize
59KB

MD5
ad6e31dba413be7e082fab3dbafb3ecc

SHA1
f26886c841d1c61fb0da14e20e57e7202eefbacc

SHA256
2e30544d07f1c55d741b03992ea57d1aa519edaaa121e889f301a5b8b6557fe4

SHA512
6401664e5c942d98c6fa955cc2424dfa0c973bd0ac1e515f7640c975bba366af1b3e403ea50e753f837dcd82a04af2ce043e22b15fa9976af7cbb30b3ac80452

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\_lzma.pyd

Filesize
150KB

MD5
a6bee109071bbcf24e4d82498d376f82

SHA1
1babacdfaa60e39e21602908047219d111ed8657

SHA256
ce72d59a0e96077c9ea3f1fd7b011287248dc8d80fd3c16916a1d9040a9a941f

SHA512
8cb2dafd19f212e71fa32cb74dad303af68eaa77a63ccf6d3a6ae82e09ac988f71fe82f8f2858a9c616b06dc42023203fa9f7511fac32023be0bc8392272c336

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\_overlapped.pyd

Filesize
44KB

MD5
bf3e86152b52d3f0e73d0767cde63f9f

SHA1
3863c480a2d9a24288d63f83fa2586664ec813a2

SHA256
20c94846417ee3ca43daa5fae61595ad7e52645657fda5effe64800fe335ff0d

SHA512
8643f94ece38246769ff9ba87a249b8afde137cf193ff4d452937197ce576816c1ce044c4ad2951bc5535cc3acf1b27e9f2be043b8175c5a2ca2190b05dc0235

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\_queue.pyd

Filesize
26KB

MD5
8dd33fe76645636520c5d976b8a2b6fc

SHA1
12988ddd52cbb0ce0f3b96ce19a1827b237ed5f7

SHA256
8e7e758150ea066299a956f268c3eb04bc800e9f3395402cd407c486844a9595

SHA512
e7b4b5662ebd8efb2e4b6f47eb2021afacd52b100db2df66331ca79a4fb2149cac621d5f18ab8ab9cfadbd677274db798ebad9b1d3e46e29f4c92828fd88c187

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\_socket.pyd

Filesize
73KB

MD5
c5378bac8c03d7ef46305ee8394560f5

SHA1
2aa7bc90c0ec4d21113b8aa6709569d59fadd329

SHA256
130de3506471878031aecc4c9d38355a4719edd3786f27262a724efc287a47b9

SHA512
1ecb88c62a9daad93ec85f137440e782dcc40d7f1598b5809ab41bf86a5c97224e2361c0e738c1387c6376f2f24d284583fd001c4e1324d72d6989d0b84bf856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\_ssl.pyd

Filesize
152KB

MD5
9d810454bc451ff440ec95de36088909

SHA1
8c890b934a2d84c548a09461ca1e783810f075be

SHA256
5a4c78adedf0bcb5fc422faac619b4c7b57e3d7ba4f2d47a98c1fb81a503b6b7

SHA512
0800666f848faec976366dbfd2c65e7b7e1d8375d5d9e7d019bf364a1f480216c271c3bcf994dbab19290d336cf691cd8235e636f3dbc4d2a77f4760871c19ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\_uuid.pyd

Filesize
20KB

MD5
6cfc03bc247a7b8c3c38f1841319f348

SHA1
c28cf20c3e1839cff5dce35a9ffd20aa4ac2a2cf

SHA256
b7fd172339478adaa5f4060eb760f905a2af55ce7e017b57de61ee09dcb09750

SHA512
bd123566a104568e2ec407b35446cb07c660035a77a1e11a8d8d90518c1a83b6815bf694676fa003b074126dcd0594457195f835df7bc828df1195db6584d23b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\base_library.zip

Filesize
812KB

MD5
9425444153fe49d734503889ce8d1e20

SHA1
7676bc66117f1a65161c4f3da7cfb949e16ee812

SHA256
da56060a8dc19c3c3b148efda5123de9ab7ef2bb568c1ca0ac1238d000ff5d09

SHA512
ab890f7490acfa62be23989923ef430a0a26ad86bc65abcde0d2e4599ca659ab9933a87f99ead894025af202aeca89350f09099414f06e4570e3cef8aa1cef94

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\libcrypto-1_1.dll

Filesize
3.3MB

MD5
ab01c808bed8164133e5279595437d3d

SHA1
0f512756a8db22576ec2e20cf0cafec7786fb12b

SHA256
9c0a0a11629cced6a064932e95a0158ee936739d75a56338702fed97cb0bad55

SHA512
4043cda02f6950abdc47413cfd8a0ba5c462f16bcd4f339f9f5a690823f4d0916478cab5cae81a3d5b03a8a196e17a716b06afee3f92dec3102e3bbc674774f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\libssl-1_1.dll

Filesize
682KB

MD5
de72697933d7673279fb85fd48d1a4dd

SHA1
085fd4c6fb6d89ffcc9b2741947b74f0766fc383

SHA256
ed1c8769f5096afd000fc730a37b11177fcf90890345071ab7fbceac684d571f

SHA512
0fd4678c65da181d7c27b19056d5ab0e5dd0e9714e9606e524cdad9e46ec4d0b35fe22d594282309f718b30e065f6896674d3edce6b3b0c8eb637a3680715c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\multidict\_multidict.cp310-win_amd64.pyd

Filesize
45KB

MD5
1b59c87f0871fed4ff2be93c5d9234ab

SHA1
7e5c8827a5b2dec5417800ab0a2001af46ab8924

SHA256
b7151a6ffa3dc7436d09b1e35343801e11f423c6b391f1177254236ec47a3ad7

SHA512
6092628a4c73ca2d29b6f6a0d1ed34627795363c89b2a45bfc75951f8148a288707231575183ef73d4fb24c022883ab3ab30da61c92664295fffd8a36e9200df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\psutil\_psutil_windows.cp310-win_amd64.pyd

Filesize
67KB

MD5
6e04a1d41b0897878583702d398bdc88

SHA1
33f396728c57505b0b897b547c692a9cf8959a36

SHA256
be9701a1c3e48599d8c22c2c371d5493e9a97fa5063022c110842ecb886214e3

SHA512
f9fc5d2c480fb7edcad9490925b75007523adecdd0400adaaab888d12f1e67abfd614a142e38a93ba3b42de2e466f1aa0f48625e76bbe3868b9c308b0bdf4d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\python310.dll

Filesize
4.2MB

MD5
a1185bef38fdba5e3fe6a71f93a9d142

SHA1
e2b40f5e518ad000002b239a84c153fdc35df4eb

SHA256
8d0bec69554317ccf1796c505d749d5c9f3be74ccbfce1d9e4d5fe64a536ae9e

SHA512
cb9baea9b483b9153efe2f453d6ac0f0846b140e465d07244f651c946900bfcd768a6b4c0c335ecebb45810bf08b7324501ea22b40cc7061b2f2bb98ed7897f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\select.pyd

Filesize
25KB

MD5
63ede3c60ee921074647ec0278e6aa45

SHA1
a02c42d3849ad8c03ce60f2fd1797b1901441f26

SHA256
cb643556c2dcdb957137b25c8a33855067e0d07547e547587c9886238253bfe5

SHA512
d0babc48b0e470abdafad6205cc0824eec66dbb5bff771cee6d99a0577373a2de2ffab93e86c42c7642e49999a03546f94e7630d3c58db2cff8f26debc67fcad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\unicodedata.pyd

Filesize
1.1MB

MD5
d67ac58da9e60e5b7ef3745fdda74f7d

SHA1
092faa0a13f99fd05c63395ee8ee9aa2bb1ca478

SHA256
09e1d1e9190160959696aeddb0324667fef39f338edc28f49b5f518b92f27f5f

SHA512
9d510135e4106fef0640565e73d438b4398f7aa65a36e3ea21d8241f07fec7a23e721e8696b3605147e5ce5365684e84e8145001201a19d7537e8f61b20cf32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47562\yarl\_quoting_c.cp310-win_amd64.pyd

Filesize
78KB

MD5
7e620bd4ba53daae5df632f2774b9788

SHA1
28ec3b998f376b59483ad4391a0c2df2c634f308

SHA256
84c696ed1b5ba6a3819d73b6f27aee93bca72286b32307fe259e23dfc1cfacec

SHA512
e2d012dd9a7959c0e06340de3728d6e800b56cc0bc8d525c38dd49d9874095d2edc3ae06862d1a21e873c0da0678e8ab3bc95a57777d746f0d6d8b0c6c08c202

Download Submit