1018137099ddf1a33905d10d8375d799a930bf94203d26ee16980d293d2f0063

Resubmissions

01/06/2024, 12:23

240601-pkgvfacc3y 3

01/06/2024, 12:18

240601-pgzwvacb61 3

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 12:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

uwuRecorder.exe
Size

441KB
MD5

993f2baf6bb7d701aa2c7a98fa2c3d6f
SHA1

da1d37acb3747c0ac9b4b39208e8461574ea1940
SHA256

1018137099ddf1a33905d10d8375d799a930bf94203d26ee16980d293d2f0063
SHA512

0bc1a41f937f1629290db0c752ca601b92a047e5f54e816bb18b5c8cea631e73eb9df617de2daf4f40cda43a8427905e732b3557a1a3c35ba5eb7f8671be0826
SSDEEP

12288:VYwxpU6mtQz6k0QwDdoqhzOMgv//pqef2Vai:RKlQz6k0QwDdoqhzOMgv//pqef2Vai

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	uwuRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	uwuRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings	uwuRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	uwuRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	uwuRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	uwuRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	uwuRecorder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	uwuRecorder.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	uwuRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	uwuRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	uwuRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	uwuRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	uwuRecorder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	uwuRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	uwuRecorder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	uwuRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	uwuRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	uwuRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	uwuRecorder.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	uwuRecorder.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3664	msedge.exe
3664	msedge.exe
4248	msedge.exe
4248	msedge.exe
5636	identity_helper.exe
5636	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
448	uwuRecorder.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5032	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5032	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe
4248	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
448	uwuRecorder.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 3720	4248	msedge.exe	95
PID 4248 wrote to memory of 3720	4248	msedge.exe	95
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 5544	4248	msedge.exe	96
PID 4248 wrote to memory of 3664	4248	msedge.exe	97
PID 4248 wrote to memory of 3664	4248	msedge.exe	97
PID 4248 wrote to memory of 3636	4248	msedge.exe	98
PID 4248 wrote to memory of 3636	4248	msedge.exe	98
PID 4248 wrote to memory of 3636	4248	msedge.exe	98
PID 4248 wrote to memory of 3636	4248	msedge.exe	98
PID 4248 wrote to memory of 3636	4248	msedge.exe	98
PID 4248 wrote to memory of 3636	4248	msedge.exe	98
PID 4248 wrote to memory of 3636	4248	msedge.exe	98
PID 4248 wrote to memory of 3636	4248	msedge.exe	98
PID 4248 wrote to memory of 3636	4248	msedge.exe	98
PID 4248 wrote to memory of 3636	4248	msedge.exe	98
PID 4248 wrote to memory of 3636	4248	msedge.exe	98
PID 4248 wrote to memory of 3636	4248	msedge.exe	98
PID 4248 wrote to memory of 3636	4248	msedge.exe	98
PID 4248 wrote to memory of 3636	4248	msedge.exe	98
PID 4248 wrote to memory of 3636	4248	msedge.exe	98
PID 4248 wrote to memory of 3636	4248	msedge.exe	98
PID 4248 wrote to memory of 3636	4248	msedge.exe	98
PID 4248 wrote to memory of 3636	4248	msedge.exe	98
PID 4248 wrote to memory of 3636	4248	msedge.exe	98
PID 4248 wrote to memory of 3636	4248	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\uwuRecorder.exe
"C:\Users\Admin\AppData\Local\Temp\uwuRecorder.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffacd2646f8,0x7ffacd264708,0x7ffacd264718
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,14178212239759794214,663707307421430078,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,14178212239759794214,663707307421430078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,14178212239759794214,663707307421430078,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14178212239759794214,663707307421430078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14178212239759794214,663707307421430078,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14178212239759794214,663707307421430078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14178212239759794214,663707307421430078,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,14178212239759794214,663707307421430078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3604 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,14178212239759794214,663707307421430078,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3604 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14178212239759794214,663707307421430078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14178212239759794214,663707307421430078,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:5796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14178212239759794214,663707307421430078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14178212239759794214,663707307421430078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14178212239759794214,663707307421430078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14178212239759794214,663707307421430078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14178212239759794214,663707307421430078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14178212239759794214,663707307421430078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2056 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14178212239759794214,663707307421430078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14178212239759794214,663707307421430078,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,14178212239759794214,663707307421430078,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6380 /prefetch:8
  2⤵
  PID:3532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5472

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3fc 0x41c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
b0c78cd70e5e2431c4361e8b99ee0489

SHA1
e3e0655be8aadd86f75093a54a54b945bd813eb3

SHA256
fb36aabf1bcc32a19d77efee3436d8d1b4d168bf7bd2f1582bbb34b9322798c9

SHA512
c10bf184e1544486c57adb227e260c285baf8655f7cf0a850fd7d6a1d040beaa07e6ccb5de35d928edaf703f5f1bb758af0bf9068b5e2cf52dd8ab93731f969b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6aaa6c45d53a1cb3b318ccf2b062c2b1

SHA1
09db90220c517ee147c849ffb23a2099f80d8110

SHA256
c901eb314f4b5435406205d9afbaf7cc907b8d2859af749c0e8f80e7b11bdf78

SHA512
63cbb69e7c9eec1580986a3adaa6b340c381400906aee4f78b30e371dc5ff143078d53b8eb0070bde3b1d5941e3623dd83587cd326b81905661ac7b1b8d9359f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
19fde8634fdfbd75e360e38916259799

SHA1
9f493ce7482850fc8cb216743542603316cf7d9a

SHA256
4444bb5289a4fc5d1365cc9b804ec7c36e218a8289d41b381e418a5e130467ce

SHA512
0132318f5e28fc1ebddeb142ea8e01431f3b82dde329af03aac5a64fdc4d9fae46ec2aa5e314279d015a15013d94a9cdf646e44cf3e5e953959b83c574af50d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6fbac2bd7d6737068cf7e5ce3ff4ef0d

SHA1
5f61326f69a8df0320ed18baebded24fd0144f44

SHA256
7b3cb00ce71f57009dfe986197c91a18b353b60fc65a0f7e0f065391b11be88f

SHA512
563f66f99b9a2de02bbc1b2d26609a84ab1ef639e62ab48c52b9c9bc43c727ec9d3cb624be03323dfab3e8bec69e3f30c8f34363861f2d8511c6b7c442e54427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
23e6853eed8d03d78e38d137956a5f7e

SHA1
4413142be9b8f7c8b8ab8f28e41900001fb92603

SHA256
5d521e111a65017aa544b129ee86f0895a9d419f8060afa4d64984e73d748f0c

SHA512
f03adabe6154cf9d09df92bddd7c801a188a27b5f49a60c747b6bd5c9a1d931aff3b8e0d2835f3c9fe012d15dea8c1941e6e7296d27c78caa47670a2cdfcb060

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
177d91f3ec05c67977f9798e9aab155b

SHA1
feed78d69623c35179d3c3dfe891bacdff31103d

SHA256
05879cb9c065521dda0de9062ae11be799292c6bed21e93b836a4da701893547

SHA512
be4884e8413ac93f074b5dd4fdcc1132d227e26508cdd2ec26f1606f24e6b3dd61147a7fa45dc074535eb5e641ee8e80b7034a72d590a671e1892c286ea2c9af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4570d77995fa5932c7403052ce6aeaac

SHA1
299a9a16b053f24e6a4292916de02f73bf391db3

SHA256
a7f431ff0a2694663c6ac0895747d70c461e7b99af5acaaf1f41381992ba43b6

SHA512
c7bf92aca3b7d85dca5a39da9e196d9bfd93ea10de97df6259683e557a864f34a1acc27e0c4cd664a3bdc15b93a16b114dc40c8fe5c80824ba4bbcc86aadc5a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
a545b298e8d3c956e7dbf4a225257f35

SHA1
c1291314e7c07f734262734da14471fc417545ed

SHA256
d1473588f083c63ee40fe2d84d412ad26fe81507ffd305a4d3f62a3e282fd120

SHA512
8d389f36581da8932b8d14633b65edfe7ae9073fdae0d6bfda986f309ccf1225e1b0858cac5654fbf41b875b1e90414ca25e2e2f8a6e0ea3b3ac5961f49b07a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58d164.TMP

Filesize
48B

MD5
119d900d15ab7af16bb4fb189c836328

SHA1
ba52edc6ccf73458046af9c416fad174e9f11223

SHA256
3d69e0b47981e530d5e262199ca50a4c2da1dcfd17a14c8e301dd5f49adca410

SHA512
3ace254a4e3c2982e91c6a455521dc00d4bb88d34b6fe7c9b7b5c26b01560fa7ef3743cf00bbb72e27af59e403aaf24f74fa3b4bc05a3a5c0343b5c798214726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
52be543dfb2fa7b1a7a1a754cf2bd7a2

SHA1
285b4e4c7c2ef51d6322bd505ddaa45b87c01a40

SHA256
0d4d5aecc75f1e6dc593862be142361e88b8fc45a89b876bddcd0164cb01175c

SHA512
57069856e1c21feee45541aed688628fca10a9ff3997174a3bd9fa7edd6ea93fa7751ce79e887906ec719f4eb2eaa67751e20d25b4be47822cb0d5c86e7668f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
35dfb512dc129c0850f2ec4411f14b31

SHA1
ce195c398118d1f1d8cfd4a181a631372d3ac9d6

SHA256
5c02bc06c10c24e5d84b85dec3012fbe466152f085307dec8d1947a0753b5f33

SHA512
a16c9caf58d1753356ffe9dd76484ff4535f1e72ea8246cdcb55d6e6a5a7217806bcecc208f25980f53f7adf061a24f89bae8603c395455ea355c95eb12c8cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59231e.TMP

Filesize
704B

MD5
0d1a74c851ae8070d1bb1ab6c5f49a53

SHA1
1bb7c1dfc7d45c9a6b2f658e85a0482bc0ef52fc

SHA256
54e4462794db6e097d031453a92ff7a2e3cc13c108a1daa94fc08bc74081359b

SHA512
62ce6edbac9a2e0cae85b3d48b6ae2adc222ea8e442788659ff6c344c965a1f3698e3f0b05e53219d4c6582d358c8a4932c92427ac7501f9f17f37919885f6c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
001feb614b70ea847f42e8df5cd1244e

SHA1
4f06b45f3309d9fb924647672b3533d56ba1c111

SHA256
be176fc8a417f886c361f0a235ae09817c7e157d20b2457172a47af7fef59817

SHA512
44a1645a1968417ee9cf0e9d896750df0ecf59106678a34d61fb6029e1ae0e38e67d8c72dc4d83fcdde02177ba9d13fb1619276d0b9c95cafb40e887730ec515

Download Submit
memory/448-67-0x00007FFAD31E0000-0x00007FFAD3CA1000-memory.dmp

Filesize
10.8MB

Download
memory/448-0-0x00007FFAD31E3000-0x00007FFAD31E5000-memory.dmp

Filesize
8KB

Download
memory/448-8-0x000001E736610000-0x000001E7367BE000-memory.dmp

Filesize
1.7MB

Download
memory/448-7-0x00007FFAD31E0000-0x00007FFAD3CA1000-memory.dmp

Filesize
10.8MB

Download
memory/448-6-0x00007FFAD31E0000-0x00007FFAD3CA1000-memory.dmp

Filesize
10.8MB

Download
memory/448-5-0x00007FFAD31E0000-0x00007FFAD3CA1000-memory.dmp

Filesize
10.8MB

Download
memory/448-4-0x00007FFAD31E3000-0x00007FFAD31E5000-memory.dmp

Filesize
8KB

Download
memory/448-3-0x00007FFAD31E0000-0x00007FFAD3CA1000-memory.dmp

Filesize
10.8MB

Download
memory/448-2-0x00007FFAD31E0000-0x00007FFAD3CA1000-memory.dmp

Filesize
10.8MB

Download
memory/448-1-0x00007FF7FB590000-0x00007FF7FB604000-memory.dmp

Filesize
464KB

Download