hxxps://discord[.]com/channels/1082842822589292634/1198110724732506122/1242417475065221232

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://discord.com/channels/1082842822589292634/1198110724732506122/1242417475065221232

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	discord.com
7	discord.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
8	monosharp-auto inject.exe
4080	monosharp-auto inject.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2640	8	WerFault.exe	123
3588	4080	WerFault.exe	128

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	monosharp-auto inject.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	monosharp-auto inject.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-523280732-2327480845-3730041215-1000\{16FF9FE8-DDFA-46AD-925D-85FD0758F38F}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3784	msedge.exe
3784	msedge.exe
1844	msedge.exe
1844	msedge.exe
4784	msedge.exe
4784	msedge.exe
4908	identity_helper.exe
4908	identity_helper.exe
3540	msedge.exe
3540	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1524	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1524	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 4436	1844	msedge.exe	82
PID 1844 wrote to memory of 4436	1844	msedge.exe	82
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 4732	1844	msedge.exe	83
PID 1844 wrote to memory of 3784	1844	msedge.exe	84
PID 1844 wrote to memory of 3784	1844	msedge.exe	84
PID 1844 wrote to memory of 1992	1844	msedge.exe	85
PID 1844 wrote to memory of 1992	1844	msedge.exe	85
PID 1844 wrote to memory of 1992	1844	msedge.exe	85
PID 1844 wrote to memory of 1992	1844	msedge.exe	85
PID 1844 wrote to memory of 1992	1844	msedge.exe	85
PID 1844 wrote to memory of 1992	1844	msedge.exe	85
PID 1844 wrote to memory of 1992	1844	msedge.exe	85
PID 1844 wrote to memory of 1992	1844	msedge.exe	85
PID 1844 wrote to memory of 1992	1844	msedge.exe	85
PID 1844 wrote to memory of 1992	1844	msedge.exe	85
PID 1844 wrote to memory of 1992	1844	msedge.exe	85
PID 1844 wrote to memory of 1992	1844	msedge.exe	85
PID 1844 wrote to memory of 1992	1844	msedge.exe	85
PID 1844 wrote to memory of 1992	1844	msedge.exe	85
PID 1844 wrote to memory of 1992	1844	msedge.exe	85
PID 1844 wrote to memory of 1992	1844	msedge.exe	85
PID 1844 wrote to memory of 1992	1844	msedge.exe	85
PID 1844 wrote to memory of 1992	1844	msedge.exe	85
PID 1844 wrote to memory of 1992	1844	msedge.exe	85
PID 1844 wrote to memory of 1992	1844	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.com/channels/1082842822589292634/1198110724732506122/1242417475065221232
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb974046f8,0x7ffb97404708,0x7ffb97404718
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1511828036945074881,1112350765991384788,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,1511828036945074881,1112350765991384788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,1511828036945074881,1112350765991384788,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1511828036945074881,1112350765991384788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1511828036945074881,1112350765991384788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1511828036945074881,1112350765991384788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,1511828036945074881,1112350765991384788,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3248 /prefetch:8
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2096,1511828036945074881,1112350765991384788,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4120 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,1511828036945074881,1112350765991384788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,1511828036945074881,1112350765991384788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1511828036945074881,1112350765991384788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1511828036945074881,1112350765991384788,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1511828036945074881,1112350765991384788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2224 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1511828036945074881,1112350765991384788,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1511828036945074881,1112350765991384788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1792 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1511828036945074881,1112350765991384788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,1511828036945074881,1112350765991384788,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1511828036945074881,1112350765991384788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,1511828036945074881,1112350765991384788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1511828036945074881,1112350765991384788,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6004 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1128

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3636

C:\Users\Admin\Desktop\AnthemiaTemplate\monosharp-auto inject.exe
"C:\Users\Admin\Desktop\AnthemiaTemplate\monosharp-auto inject.exe"
1⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:8
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1048
  2⤵
  - Program crash
  PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8 -ip 8
1⤵
PID:4048

C:\Users\Admin\Desktop\AnthemiaTemplate\monosharp-auto inject.exe
"C:\Users\Admin\Desktop\AnthemiaTemplate\monosharp-auto inject.exe"
1⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:4080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1016
  2⤵
  - Program crash
  PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4080 -ip 4080
1⤵
PID:1568

C:\Users\Admin\Desktop\AnthemiaTemplate\smi.exe
"C:\Users\Admin\Desktop\AnthemiaTemplate\smi.exe"
1⤵
PID:1092

C:\Users\Admin\Desktop\AnthemiaTemplate\smi.exe
"C:\Users\Admin\Desktop\AnthemiaTemplate\smi.exe"
1⤵
PID:4312

C:\Users\Admin\Desktop\AnthemiaTemplate\smi.exe
"C:\Users\Admin\Desktop\AnthemiaTemplate\smi.exe"
1⤵
PID:3648

C:\Users\Admin\Desktop\AnthemiaTemplate\smi.exe
"C:\Users\Admin\Desktop\AnthemiaTemplate\smi.exe"
1⤵
PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smi.exe.log

Filesize
128B

MD5
acdeb37a350c81691546e4f3b884e477

SHA1
8815850392fd0442f04c0e98fe60b3ea92b2d2b7

SHA256
6d977d3b652189f85df8543244696fa855e3a6429857146737102fac19b32741

SHA512
d328a6d0da1c861b5d8a8b4c5c39ca8e48bb004af3bf9d958955ec05a5b2ef3b733321e9a94bb08494ef7550147b87a2124cb92dc7fb5164620b2b6a9d9cf3ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
156KB

MD5
3b0d96ed8113994f3d139088726cfecd

SHA1
1311abcea5f1922c31ea021c4b681b94aee18b23

SHA256
313818d6b177a70fbe715a5142d6221ac1a1851eff5a9f6df505670ddcd73074

SHA512
3d78c250029069e1850b1e302a6d8a5154f6e7bc5cd58f449b8824ccf418e80dba2d5569a9cff72f51ccc9de140dc91148f93ec4717f4a880e2ba94898fbdb24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
07832330a8573cf044b7418b9621b886

SHA1
6a5f434ce980b4b278e7ee41fbc50e309ab6c6ad

SHA256
dc91dbb87cfaa74ac692dff774bfb751c80836230b84a29ea9b91a0d8ed9b4fb

SHA512
03c00248b219cfa6fe37832dd7029c7c45848521492a5da40fb5d59bcc85f9b1f8214563d2d02035d649d389cd343f2196c33b6eb641cf20eaa5a22e4546009f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
00b51a17cbc2f2c5508e8c5b0cf1d2cc

SHA1
bd9ae035fa144c90069ae8ebafc647d8d5e225c4

SHA256
7ed938564bdcfaef6159341b3bbbc2d5b2508d47bf3679cfaba034823feaa8ed

SHA512
fedd18d88cc4d637f04245b5c28858f4ee2a9e12a0451dd853f4dbdcb51a4f3bcf3c0a2125ba46eb16675286516c4005fc5d6f395b9830a4fd5e62720c40346e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
179B

MD5
c88a3bc77002a075b95198522f195432

SHA1
dd6ff073c9b7fa86d1a461013165a7251443e777

SHA256
8f8c6061b94669fcf151b9f8f1c979a33ad38d597be893f375bff44ad1b3556d

SHA512
e3facaf13afeab1a90a5c15f31288611e7af177fed3e4474aefee3560c5e1129579ea74857f5a3845b8f04c117e6c5af45c87df5d0b003e1259d918b7b0dff1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c6cfef046801bd027f94ed73d7d14762

SHA1
ae72db6cfb4daf4b9e76e50e203b67e365d521d0

SHA256
ee0be565e690cd14f2e85ad5c8f6cbe9cfa14978f1f2713758631f7520b24fa2

SHA512
a7b13c769a66141e4d13d855ca170baae8834b8aed953b4695ba876741631cc174d00082f88ebeebdc8ba220c0fb9c353a54f653d565d2e88a766cc96b1052c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
15baedd3ada9519c118566e0a65e3883

SHA1
b900f77a7a841cee2af9925405c43cf84f5a297d

SHA256
0d916b14a5d13d5b275ec55a8c5fb499042b7ef869bc63777ddcb12a30a48f66

SHA512
edc497e75ba8480509ae05e03a5f445587d282e65fd690b309a710c561686b9d59b02b71dd5478b8096085931164d8eb163188eaf7c7af0fb83c3ec845b4cc4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d0d0c032aaf394095d24d0b565855abf

SHA1
1bcbc54472ee5ff8c53808a377a5d6b276a8e21e

SHA256
b5232134bc1bc4068661de44d519711b5c05896b4ae8648e5a040d32acd7ac7a

SHA512
5928477236886c3fabf33d78695ad6b819b53c7f740f2ac8adeea933f487591847420bd0b93372ca49e0d6d56a1c00dd6e70f1f54655d27b51404bc5f75143a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9e0fd329fa1d3104f6b61248e5bad161

SHA1
1e0d9d4143b1510dbdd905d4233a7b28c01457e6

SHA256
db844d8cb100a558aa09a06b69fe293bf51b019762367b54ee1e715110414bae

SHA512
56c29f49390d02c088b6331c92b444a9a5e95a447304524fe7bd5b282cada7e60a61c3c725820b7f8afd0caf452a20ca37c264435e58c927cb2bc0d7a82f2bc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
26fa1a11fad524d8713692832bbed9c2

SHA1
0cf7fb098c4114707e19e62400587608aef52490

SHA256
45214cd6116074d6a347625c1d95676928a59a9f0e9376f6298be57df6afd90e

SHA512
1f8edf6300d94ad78843c0f0086fec938f747dd33b05ec2729aee735b77a89be071023a0e3437b7064dd252bd49959e8fda17b5601f7c28cc989f27b5739c32e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f5e98f1d1001388d372b5bc1353efeef

SHA1
5ab939bae98e0a69fbffa55d1efd7f4c7b449faa

SHA256
d0ddfa9cb09870b816d6ae9756415b00862300c41ec26a7c6b1221ae994a7bd3

SHA512
d915a3f1489678d6882c70e89dc9a0a4a91d4d0bf63cb6dd7bb5509c1bbfae73c882dc2f297c7be7daa6d8438af8e404f3da73a65925d0cb3183159e62744c03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0873cf6ff4bab16490a41390d4732465

SHA1
44df3a983a02ed7009d5160247db6ddc39fad802

SHA256
aa95147bbe75074ac6982049083e50f13e18c48a0e2528d589c4576cf5f0ae13

SHA512
02ae7566d2a8491885ac738e9a29fdbe2bb60185b4b2096f7bc17bf95a7b9c9bb3b594605e1653ccf53b4a5502da3f57142092fe3f18315606ece86f63ebe08d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7bd61e74bf7788f697001c8c58ee1fa1

SHA1
df232080d0cf492344d2ef07a87b6e975884c56d

SHA256
16df718675c1f9871ad079408f2c1014322c120dedb905bc53d7f13c1569484d

SHA512
049202fabf813c33ff4f5398f535ccbe3112877f95f8d4556172a9b462d94cfc2843dd175c8fa5856cb9c0f70212c31cc3e3693406939f62327b90ddeb24ab98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
809d1e7dc91ac9951548b3b0e64f769f

SHA1
0c9a776ffcf09e72d7543c6328447631f40c89de

SHA256
8a36607d1f056d2b43c5c173c56d644d9f7bbd27624007a97a71fb0b03e6a96e

SHA512
8f8156594769bdf69a037cc224ae7798400a41b6797b2616dbf3ae3788c15012c3ad54b7e1d5eb89c810614fa654e73f24ec0992b01a765c7f8d647cbf076866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9edb7e88c0dc6472cbfd9f53951b0a35

SHA1
f1508000273717f1cb33129d2ca4e925813f46dc

SHA256
cce554ac45f2a3b54111982c4e4147a8676b1f07c59a5b2e63f332a62122a990

SHA512
f25a37d554c33032787c9ce239a42502fdcfb89ec9408e636d691bb9f6d3230207daa854958a4f42afa0f3be8f94e80b41f3342eb71ff3648fad77a9cff99eb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58e172.TMP

Filesize
370B

MD5
dd99f2bfbee8f775635a12d17f97fce8

SHA1
416df7577611da65341ffebb369360451e4f5bf8

SHA256
fa055b0c40986f14c0403a366d05354837c4343fd2c3b1fddcd6ef1dd6a31359

SHA512
574c95c4a218e69952270a0e87d8b93ceb2c54d3e5ce85e37e4a02ff4830e76ce8c0abc7250ce5926e935508a3fb28cf38fc0f0756b43e7a86f54e4f0de6a047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7305e4d317a96d939977d542a17fdb65

SHA1
3459fe9670f3818dd6a1f9e554552224fb5a9acb

SHA256
5afd1e403dc359097ffcfec7287142340beff3833362489798ece13ae1bfa872

SHA512
e60dc1bdef612938fe3b65d5bd43b7fdbb64813a436a4b1199a81770ce7436e73d909baf9f695623f563aebfa6bf67ddf490f9cbcd73da034172fbc523b1b098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a038b90562a37719fb0244c06adfb57c

SHA1
d22d41aed39fcaa491332418b596e9f233098a4a

SHA256
f1cfc1a0bb442df31d8379c175cd9744bbd9e4d3952d4c0376f47dcbe7018238

SHA512
3fc27b94064a4b9235461e38b567788c738b43d8deec47c6542cca6276b1f5e9ffb66c0fe0884152de6b9a00e7f3bd303f37715c16e50bf5b79261f4e191e73b

Download Submit
memory/8-487-0x0000000000070000-0x000000000007A000-memory.dmp

Filesize
40KB

Download
memory/8-488-0x0000000004F40000-0x00000000054E4000-memory.dmp

Filesize
5.6MB

Download
memory/8-489-0x0000000004A30000-0x0000000004AC2000-memory.dmp

Filesize
584KB

Download
memory/8-490-0x0000000004BD0000-0x0000000004BDA000-memory.dmp

Filesize
40KB

Download
memory/1092-509-0x000001B8487D0000-0x000001B8487D8000-memory.dmp

Filesize
32KB

Download
memory/1092-511-0x000001B848BC0000-0x000001B848BDA000-memory.dmp

Filesize
104KB

Download
memory/1092-510-0x000001B848B90000-0x000001B848B9C000-memory.dmp

Filesize
48KB

Download