aac32ed16f262918a685abdac1d191411a4c325c46c8bfcd434014adbf7ba36d

Analysis

max time kernel
150s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
20-08-2024 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExSoftware/Debug/msvcp140.dll
Size

438KB
MD5

1fb93933fd087215a3c7b0800e6bb703
SHA1

a78232c352ed06cedd7ca5cd5cb60e61ef8d86fb
SHA256

2db7fd3c9c3c4b67f2d50a5a50e8c69154dc859780dd487c28a4e6ed1af90d01
SHA512

79cd448e44b5607863b3cd0f9c8e1310f7e340559495589c428a24a4ac49beb06502d787824097bb959a1c9cb80672630dac19a405468a0b64db5ebd6493590e
SSDEEP

12288:UEPa9C9VbL+3Omy5CvyOvzeOKaqhUgiW6QR7t5s03Ooc8dHkC2esGgW8g:UEPa90Vbky5CvyUeOKg03Ooc8dHkC2ed

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2260	5484	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exe

pid	Process
3096	msedge.exe
3096	msedge.exe
3100	msedge.exe
3100	msedge.exe
1524	msedge.exe
1524	msedge.exe
3624	identity_helper.exe
3624	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

Processes:

msedge.exe

pid	Process
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description	pid	Process
Token: 33	2756	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2756	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

msedge.exe

pid	Process
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe

Suspicious use of SendNotifyMessage 14 IoCs

Processes:

msedge.exe

pid	Process
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exemsedge.exe

description	pid	Process	procid_target
PID 1396 wrote to memory of 5484	1396	rundll32.exe	82
PID 1396 wrote to memory of 5484	1396	rundll32.exe	82
PID 1396 wrote to memory of 5484	1396	rundll32.exe	82
PID 3100 wrote to memory of 5636	3100	msedge.exe	98
PID 3100 wrote to memory of 5636	3100	msedge.exe	98
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 4508	3100	msedge.exe	99
PID 3100 wrote to memory of 3096	3100	msedge.exe	100
PID 3100 wrote to memory of 3096	3100	msedge.exe	100
PID 3100 wrote to memory of 6128	3100	msedge.exe	101
PID 3100 wrote to memory of 6128	3100	msedge.exe	101
PID 3100 wrote to memory of 6128	3100	msedge.exe	101
PID 3100 wrote to memory of 6128	3100	msedge.exe	101
PID 3100 wrote to memory of 6128	3100	msedge.exe	101
PID 3100 wrote to memory of 6128	3100	msedge.exe	101
PID 3100 wrote to memory of 6128	3100	msedge.exe	101
PID 3100 wrote to memory of 6128	3100	msedge.exe	101
PID 3100 wrote to memory of 6128	3100	msedge.exe	101
PID 3100 wrote to memory of 6128	3100	msedge.exe	101
PID 3100 wrote to memory of 6128	3100	msedge.exe	101
PID 3100 wrote to memory of 6128	3100	msedge.exe	101
PID 3100 wrote to memory of 6128	3100	msedge.exe	101
PID 3100 wrote to memory of 6128	3100	msedge.exe	101
PID 3100 wrote to memory of 6128	3100	msedge.exe	101
PID 3100 wrote to memory of 6128	3100	msedge.exe	101
PID 3100 wrote to memory of 6128	3100	msedge.exe	101

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ExSoftware\Debug\msvcp140.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ExSoftware\Debug\msvcp140.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5484 -s 452
    3⤵
    - Program crash
    PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5484 -ip 5484
1⤵
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd5e6b3cb8,0x7ffd5e6b3cc8,0x7ffd5e6b3cd8
  2⤵
  PID:5636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
  2⤵
  PID:6128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:6068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,594498266288021540,17635921735526415948,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:3192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1396

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004CC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e681bda746d695b173a54033103efa8

SHA1
ae07be487e65914bb068174b99660fb8deb11a1d

SHA256
fee5f7377e5ca213c1d8d7827b788723d0dd2538e7ce3f35581fc613fde834c2

SHA512
0f4381c769d4ae18ff3ac93fd97e8d879043b8ec825611db27f08bd44c08babc1710672c3f93435a61e40db1ccbf5b74c6363aaaf5f4a7fc95a6a7786d1aced8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f081a02d8bbd5d800828ed8c769f5d9

SHA1
978d807096b7e7a4962a001b7bba6b2e77ce419a

SHA256
a7645e1b16115e9afec86efa139d35d5fecc6c5c7c59174c9901b4213b1fae0e

SHA512
7f3045f276f5bd8d3c65a23592419c3b98f1311c214c8e54a4dfe09122a08afb08ab7967b49bd413bc748ce6363658640bc87958d5e0a78974680a8f9beadf44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
25bfae4db6ba42c412967eaf39b07703

SHA1
3bcb26bf8b96b7fb1b98964cc05e2afc17276158

SHA256
d1f9b141451328df930afc49a124e8500c1915ff8dbfc315b17d6f7e5b04789e

SHA512
274dff508c24cd404831ca88e767b024e4d22cb0a21c2a846363f22595445e01c01af22b0e14cd81a4507a99e8e4265ccb00b2387eba8ae3039ff105959561c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
3c543d642899f1ca0f96b29a47fa545c

SHA1
b5d988d60b28be661f20df9040270e0effa4ee13

SHA256
fd63d68030a3efd80b50714aadd051687d2073b7dea6a1e05b73045bdf5d9d5d

SHA512
0a284b402ea397f71195f32170c4dd7c2155a3e2f9125329a70fa6a09b159803719164b073b9a4b88d77026389f3ce3d0109ae0f64dd17abb190150037a8c81b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f954bb3ff2415128f2314c6c1ef069ea

SHA1
46bc60c7c37919d48c6dcdbb8d867f39588760a1

SHA256
3b1e618dc2b6f8259a5716befafd235cc16cc4871a369b2d3c8ab84f0bf2069b

SHA512
b9c01de85e6dffd6d5820ab4e9f9652dda6ae14deb9d33286f233d5d9ef70a39bd96bd45e9683e64580864a8dbede8406338ef317f41ccf6ebe1b6f23bf5c8d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7b87608b55df0e42be6dc57e1798bb6c

SHA1
bd51bab8ab02c4198e388289dc1b8346aecba276

SHA256
be1dab4f1899be131ef33f3d991f53143859ca578cae7d6d493576fce68a83f7

SHA512
a409b26d16a06e6022d43310e73b69e2d52208e63870b70b290b1d8b7ce3f022d0f1936825be199299c2f29c48073e6c55c73a450792a5b0b4d95fbfb6b9b8f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b9094d2943dbba20917d14c2ded48b67

SHA1
050f93dfc52e6c116d379f61251e2fd3ec6fbea5

SHA256
c392ca9917719c1551132d67c06fa8393022fc913e74a4b91e2a239515148f38

SHA512
7206e1a05ca54845dd6f004c3a7fb6a3ab59155f5bb7394695f2de099a79859c514e16a43cfd7d31c6f6ad5aa4bc6be6e0f5c8e9ff6be727befcfb00939adf64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\19dbeca7-e913-4e23-878e-de597a737f06\6c41e9bfceee6f5c_0

Filesize
2KB

MD5
b8709a9884d9d318ea9f6b6de6ece6c1

SHA1
4a22223c9feb02e7d07d9c9f60649d0d97fae49b

SHA256
682868c8df9b0819184aee31fea3ecac50671e6de5dca66824b5ee256d8cde94

SHA512
8f644032682b2ce4ff759d279a955f6e6a27b74b85dce964f73129bc8f035b4b5e524a42ee85df8081e93db49c93ec34f91efdb9fe13456014ffa5b926508b54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\19dbeca7-e913-4e23-878e-de597a737f06\index-dir\the-real-index

Filesize
624B

MD5
e0fae28860c897883912b9527615b717

SHA1
3b85aa0bcd6ad11cddee6d55a35d2058ae709738

SHA256
9a9c7699af35fdd5af276be8bd3bfd6a34aedce80d15ee87559a9f3ab2321039

SHA512
fbb821d11dfae50c30266daf5e70b1d92fecfa78ab69811cec4932c8baf2de6e1eff273bcc91deb8bf472bd513c7c7a1637ab65a432e7163cbe8e4242eac3e37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\19dbeca7-e913-4e23-878e-de597a737f06\index-dir\the-real-index~RFe5955b7.TMP

Filesize
48B

MD5
62ad61b543eae035a736f5c8e7352b95

SHA1
bd6f834b436c57ef8c58be3104b9e364a2f87ca7

SHA256
26107efb91b85a1efc088f42fa1e6e39bb7fa05c98b6707e7528d525bbe4ac12

SHA512
a6bf6cd60217425efe2b1e9ca07bc832f5a2caca02438df8119d31e2065ac99b4208e6dc70abe9e2e9e7909923d6cf337bf38a6466538504ca3abc9ce14fcbd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\90cec98f-191b-4c3a-9e2c-32284d1494c4\index-dir\the-real-index

Filesize
2KB

MD5
0e4c07bef8e17dc45baaf836dc11573f

SHA1
bdd8beb02f571b3023d01ba8a0836e309794e73e

SHA256
4180914b7b204c0329e3b33b56f484e47dc07d246d6c63824945546e72172c9d

SHA512
d7fefdf960638ecf9ae5c9aafe8551c612569480a03fd5e81912d7038e241b8b09701e10813c2df6c7c66a13fe54896ac3d02189a0cc9c33e6697d770c11dc5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\90cec98f-191b-4c3a-9e2c-32284d1494c4\index-dir\the-real-index~RFe59b116.TMP

Filesize
48B

MD5
ba24a8a43f102a2c146ad4c9e85d5a2a

SHA1
a498257609a017fa91f16fb7e9c5930c12837288

SHA256
121b9fd5a409722f43f5b659d001dca5d9a53f56123d0d59c9f22c858bd640d6

SHA512
c1decfd16c93637068903fa8a03a099252018a02c8060e59509150589dce28264a7d6c926d267679af13f87b0035821299cf8f4706c8a6a5651d9b7600ba07bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
be50034a940c21ca773fb88bb4b89d90

SHA1
59d45669035b838ab15173a9895db3b7f3c6dcf9

SHA256
853698fa9bf4501b1f8b15bca5135adbc21c300e1dcbc30370d6e50fda0b1ff2

SHA512
75c3417e9b81985d4ec831a28bd7173bf86ac9567d13e1fce3b11b1c34f7454ff39e43373698e8152062a7ab4b6762050589742fb83ac34f8b9eea9f2c16850c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
1ceba3c3bfb749ed1bc6d542fd3a6cc3

SHA1
967dfc61a82bc1a67e9e7150fa53f983da67fba2

SHA256
82d883ab064a8b2737a19e8fc83eca512d61e9cd197be7e0a40c95cda5633acd

SHA512
f452c6594877ea6aec38ced994406011e6e6166d6e9ae29c33033389b9c861aa000a65f9c09d824a9165d63779f95f4da74137589c02cfd63511a9504d8e5f5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
155B

MD5
bb7528a035477d08dda61375b484444d

SHA1
6abdac1329d64f55aeb4be89f05dca4c9a450e21

SHA256
50cbc096122b0ba5061d2881e1a92cfb1e88c59d510def99b5264c357431c6ea

SHA512
a38e6d1434dbcd1b0bb15ac81995f07bdd98c27289f50d7d952b52e8c710d7820d3a90a16a20b8b65e1ef546cb382f93a8bcf36c07a280bcfa929d20f7062cd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
83ca534a9eb63b3d96fd980c4e6bd345

SHA1
29fc4630effddc47c6951988a5dbce749f9b4265

SHA256
916fe51c022329087fc9c2b4fc2f44503999b287aa197e5f78b4fe4a245bf8d0

SHA512
dc9a44877f55bbe4f6d0db0e9954c2c97829463189f75cc59c0a38efda3c3108fa3ba985c64e10a18711a5f9c47a4b8811c1198b27c048e7be3cd96a62d82bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
1d8b25d23e6066684a064d97ffec39d2

SHA1
b17fb9888de9db32fbe093069495fb638b722fa3

SHA256
4d83e65deff881b758ebbb5adc79f57affee228165457397df335de64280b1c5

SHA512
f75c77c53cdca6fa8c639295969087532c888052f3f23feb2a67a0aa971af07c6282000ddadb54a867e5487761bd5c49b2225a2cbbc6d04c9ced40713e6fe254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
af29c320697898503fe2efc89d7964d8

SHA1
b8ce13bda6f0f5e85cef3c66980b6b1119333cd4

SHA256
df7748bdf67819f2f381b0e0c8c677b6aff302fe79d1516498df0e28e8dd7534

SHA512
7e1d28d5ffb5b93aa4ec015f3a6474906366473266fe1425823a19681b41bead0939b0029f9e7d01e9c4063280af9ff1800c6d57dec7d026b88c94b2077a7af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe594c90.TMP

Filesize
48B

MD5
b8ccb8ecdbe91eb8ff5ea64a3831a4b5

SHA1
a87cccb90fa349031970f237f6f6f5ea4e24b68b

SHA256
019a3d34da11c5e2d48d81e9a44ff4a766dccc2affd451e08d69f3e297adce1c

SHA512
d2fc90d34d652d78b5f9f3ea8f3da1a182798e0202fad9bd8cb1c7eee78d72b2287cd8c5c028a1b13c3eaecec15c2be8622385594e2c23a6c2596f61afd7dfcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
963a79f85c133fcead1a488dcb294e78

SHA1
94109f0fec15e930069d98614df21c32fab6e3b8

SHA256
d1ce29e3aed468d92a4d3459d45b6ff99a35eb547b97dbf977b54dca0a6d47d6

SHA512
a3b10aa0706bb5e3d9b9a68a6240e58fd5d13ccb0817fdcda309e9938a96addcb4a0a5eb7703e66da543512424bf62487b13b1a714c40d3233a44b729f4efa56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
64b0d60d0eb515696efaa6a2a52e2da7

SHA1
b18f696c687ebde12f54bf75299b08a12c5d3795

SHA256
900224fe3e6d16ee3a2aab33d99f4f2760a4419ffca1774aeaa55811e42f3cc1

SHA512
be62d4abced18d7e1167d34c4bc9a93dd896a88a0f67c3957239dccdb1780cd279bef7755f0ec62105b0f2d10f6f9787bb9e777d0713119f5af87e3925b4464e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0aaaf91ba5760dc90080c45ec0dcb81b

SHA1
2c3f7e7d159afa9a801a88cdfbcfc990e12f7ade

SHA256
810bf96cbcd608ec60a1379f2e00796dbf68a4e426780dc2301c129e3f6e53b0

SHA512
7fd8b52e0cf61c22036cac65521bba700d10b2e7340a9d3010bf2ed053da4d0e574d109f089d2b0e839c2f7a60ec2a76fd28987fa6d59bc9f64ae9a1677d92eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593b98.TMP

Filesize
1KB

MD5
d4853ee40a3de7e8d69ba2ece92861fc

SHA1
1fd85d25e96f0b7befe3cae8e7f214ce3d2db10a

SHA256
4b260f33579baa488dd4f1b62c54a219876b0a0aad9ca9396901b3f05ace20b4

SHA512
7861935cb3e0fbf1a40451d399a66e23a23a8cad7d9bf5c9c91c46e116ddca0af26b3e643489603b07d9084b88034d01c61d7403375575358c6617e6c7503a85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9d35937157ffa12f813c721da9214385

SHA1
fbf60a47fe5eeecdb4316457d8a88913bdfcfb55

SHA256
ff6dacf70745638fe4be11fec1565c2e4a181bb4ff22bd25d64855306ca2d2f1

SHA512
078448f158d629c320102e82c1fd3d660f7154082685461b4d950a4e4a7b3ebdcdd0c038bd5bad598d917c0cd6c7bc3ccc5efc7887d4c77925e126416187f91d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
74f46dd835150552a77ae4a2f43b3860

SHA1
940012b1a87141a8441d15629ef2ec12740a2583

SHA256
a3aafb104a2d3ce76b4e85203da7d42999e3e14d9be8d67d5541d8343a54462b

SHA512
f2dcbc8e570b9dec69a73c96523fac0710f3b54204c05781c0c67988fe09cf2886e232191442d5f7c72f3edf08d110d58d828b7d886ce215c1b2699bf400d044

Download Submit
\??\pipe\LOCAL\crashpad_3100_YWYTYCLZFECXNAMY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit