Analysis

max time kernel: 79s
max time network: 85s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-03-2024 16:57
Static task: static1
URLScan task: urlscan1

Malware Config

Signatures
Detect Umbral payload (1 IoC)
- resource: behavioral1/memory/5884-348-0x00000269745E0000-0x0000026974620000-memory.dmp
- yara_rule: family_umbral
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings (msedge.exe)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
- pid / Process: 1228 msedge.exe (2 hits); 388 msedge.exe (2 hits); 1812 identity_helper.exe (2 hits); 1312 msedge.exe (2 hits)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (19 IoCs)
- pid / Process: 388 msedge.exe (all 19 hits)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- 5884 NursultanCrack.exe: Token: SeDebugPrivilege
- 5288 wmic.exe (the same sequence is recorded twice): Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 1576 NursultanCrack.exe: Token: SeDebugPrivilege
- 4172 wmic.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
Suspicious use of FindShellTrayWindow (33 IoCs)
- pid / Process: 388 msedge.exe (all 33 hits)
Suspicious use of SendNotifyMessage (24 IoCs)
- pid / Process: 388 msedge.exe (all 24 hits)
Suspicious use of WriteProcessMemory (64 IoCs)
- Source process in every hit: PID 388 msedge.exe
- PID 388 wrote to memory of 3720 (procid_target 87; 2 hits)
- PID 388 wrote to memory of 1892 (procid_target 88; repeated hits)
- PID 388 wrote to memory of 1228 (procid_target 89; 2 hits)
- PID 388 wrote to memory of 4620 (procid_target 90; repeated hits)
Processes

- PID 388: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://oxy.st/d/tELh
  Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  Child processes of PID 388:
  - PID 3720: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (crashpad-handler)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9c14946f8,0x7ff9c1494708,0x7ff9c1494718
  - PID 1892: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (gpu-process)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  - PID 1228: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (utility: network.mojom.NetworkService)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 4620: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (utility: storage.mojom.StorageService)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  - PID 4808: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  - PID 4100: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  - PID 1204: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
  - PID 2840: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  - PID 3924: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  - PID 2040: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  - PID 2632: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (utility: winrt_app_id.mojom.WinrtAppIdService)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
  - PID 1812: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (utility: winrt_app_id.mojom.WinrtAppIdService)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 3200: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  - PID 5196: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  - PID 5316: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  - PID 5552: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  - PID 5988: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2256 /prefetch:1
  - PID 5996: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer, instant process)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  - PID 2632: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer; PID reused after the identity_helper.exe instance above exited)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  - PID 5124: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer, instant process)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
  - PID 4540: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (utility: edge_collections.mojom.CollectionsDataManager)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4976 /prefetch:8
  - PID 2608: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  - PID 3672: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  - PID 5512: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1
  - PID 5856: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1
  - PID 1312: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (utility: quarantine.mojom.Quarantine)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6348 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 4424: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (renderer)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9961862099950847671,5221296955999616175,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

- PID 4524: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- PID 1028: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- PID 4444: C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- PID 5884: C:\Users\Admin\Downloads\CrackByWinni\CrackByWinni\NursultanCrack.exe
  Command line: "C:\Users\Admin\Downloads\CrackByWinni\CrackByWinni\NursultanCrack.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken
  Child process of PID 5884:
  - PID 5288: C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" csproduct get uuid
    Signatures: Suspicious use of AdjustPrivilegeToken

- PID 1576: C:\Users\Admin\Downloads\CrackByWinni\CrackByWinni\NursultanCrack.exe
  Command line: "C:\Users\Admin\Downloads\CrackByWinni\CrackByWinni\NursultanCrack.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken
  Child process of PID 1576:
  - PID 4172: C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" csproduct get uuid
    Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads