umbral | ed2f50ad609af7d19f742a8b431f93cf0b18c4cc0c9daf5d948855784b959d87

Analysis

max time kernel
49s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2024 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xbox Checker By Xrisky - Copie.exe
Size

231KB
MD5

8cf3944a211784c36345dbfe96567529
SHA1

80d5f583adf017eb56a00182f39102aea138d23d
SHA256

ed2f50ad609af7d19f742a8b431f93cf0b18c4cc0c9daf5d948855784b959d87
SHA512

59db359989a353a29ae84bda4ca6ee1a6aa6d1352377166e679787663edf6c091e5db05bb9d0f14c6f201afc10915b0994bd1b5b9033d54a611c3a46273f3c3d
SSDEEP

6144:xloZM3fsXtioRkts/cnnK6cMlGmOQPUM8e1mPpi:DoZ1tlRk83MlnbP1D

Score

10^/10

umbral discovery stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/316-1-0x000001F4172B0000-0x000001F4172F0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
3020	msedge.exe
3020	msedge.exe
620	msedge.exe
620	msedge.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	316	Xbox Checker By Xrisky - Copie.exe
Token: SeIncreaseQuotaPrivilege	1148	wmic.exe
Token: SeSecurityPrivilege	1148	wmic.exe
Token: SeTakeOwnershipPrivilege	1148	wmic.exe
Token: SeLoadDriverPrivilege	1148	wmic.exe
Token: SeSystemProfilePrivilege	1148	wmic.exe
Token: SeSystemtimePrivilege	1148	wmic.exe
Token: SeProfSingleProcessPrivilege	1148	wmic.exe
Token: SeIncBasePriorityPrivilege	1148	wmic.exe
Token: SeCreatePagefilePrivilege	1148	wmic.exe
Token: SeBackupPrivilege	1148	wmic.exe
Token: SeRestorePrivilege	1148	wmic.exe
Token: SeShutdownPrivilege	1148	wmic.exe
Token: SeDebugPrivilege	1148	wmic.exe
Token: SeSystemEnvironmentPrivilege	1148	wmic.exe
Token: SeRemoteShutdownPrivilege	1148	wmic.exe
Token: SeUndockPrivilege	1148	wmic.exe
Token: SeManageVolumePrivilege	1148	wmic.exe
Token: 33	1148	wmic.exe
Token: 34	1148	wmic.exe
Token: 35	1148	wmic.exe
Token: 36	1148	wmic.exe
Token: SeIncreaseQuotaPrivilege	1148	wmic.exe
Token: SeSecurityPrivilege	1148	wmic.exe
Token: SeTakeOwnershipPrivilege	1148	wmic.exe
Token: SeLoadDriverPrivilege	1148	wmic.exe
Token: SeSystemProfilePrivilege	1148	wmic.exe
Token: SeSystemtimePrivilege	1148	wmic.exe
Token: SeProfSingleProcessPrivilege	1148	wmic.exe
Token: SeIncBasePriorityPrivilege	1148	wmic.exe
Token: SeCreatePagefilePrivilege	1148	wmic.exe
Token: SeBackupPrivilege	1148	wmic.exe
Token: SeRestorePrivilege	1148	wmic.exe
Token: SeShutdownPrivilege	1148	wmic.exe
Token: SeDebugPrivilege	1148	wmic.exe
Token: SeSystemEnvironmentPrivilege	1148	wmic.exe
Token: SeRemoteShutdownPrivilege	1148	wmic.exe
Token: SeUndockPrivilege	1148	wmic.exe
Token: SeManageVolumePrivilege	1148	wmic.exe
Token: 33	1148	wmic.exe
Token: 34	1148	wmic.exe
Token: 35	1148	wmic.exe
Token: 36	1148	wmic.exe
Token: SeDebugPrivilege	2896	taskmgr.exe
Token: SeSystemProfilePrivilege	2896	taskmgr.exe
Token: SeCreateGlobalPrivilege	2896	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
620	msedge.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe
2896	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 1148	316	Xbox Checker By Xrisky - Copie.exe	85
PID 316 wrote to memory of 1148	316	Xbox Checker By Xrisky - Copie.exe	85
PID 620 wrote to memory of 1768	620	msedge.exe	100
PID 620 wrote to memory of 1768	620	msedge.exe	100
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 4580	620	msedge.exe	101
PID 620 wrote to memory of 3020	620	msedge.exe	102
PID 620 wrote to memory of 3020	620	msedge.exe	102
PID 620 wrote to memory of 4084	620	msedge.exe	103
PID 620 wrote to memory of 4084	620	msedge.exe	103
PID 620 wrote to memory of 4084	620	msedge.exe	103
PID 620 wrote to memory of 4084	620	msedge.exe	103
PID 620 wrote to memory of 4084	620	msedge.exe	103
PID 620 wrote to memory of 4084	620	msedge.exe	103
PID 620 wrote to memory of 4084	620	msedge.exe	103
PID 620 wrote to memory of 4084	620	msedge.exe	103
PID 620 wrote to memory of 4084	620	msedge.exe	103
PID 620 wrote to memory of 4084	620	msedge.exe	103
PID 620 wrote to memory of 4084	620	msedge.exe	103
PID 620 wrote to memory of 4084	620	msedge.exe	103
PID 620 wrote to memory of 4084	620	msedge.exe	103
PID 620 wrote to memory of 4084	620	msedge.exe	103
PID 620 wrote to memory of 4084	620	msedge.exe	103
PID 620 wrote to memory of 4084	620	msedge.exe	103
PID 620 wrote to memory of 4084	620	msedge.exe	103
PID 620 wrote to memory of 4084	620	msedge.exe	103

C:\Users\Admin\AppData\Local\Temp\Xbox Checker By Xrisky - Copie.exe
"C:\Users\Admin\AppData\Local\Temp\Xbox Checker By Xrisky - Copie.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1148

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=lhkpi-.exe lhkpi-.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdb4d546f8,0x7ffdb4d54708,0x7ffdb4d54718
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,11126022592704705987,1665167763496824668,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 /prefetch:2
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,11126022592704705987,1665167763496824668,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,11126022592704705987,1665167763496824668,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11126022592704705987,1665167763496824668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11126022592704705987,1665167763496824668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11126022592704705987,1665167763496824668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11126022592704705987,1665167763496824668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11126022592704705987,1665167763496824668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11126022592704705987,1665167763496824668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11126022592704705987,1665167763496824668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11126022592704705987,1665167763496824668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11126022592704705987,1665167763496824668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11126022592704705987,1665167763496824668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11126022592704705987,1665167763496824668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11126022592704705987,1665167763496824668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11126022592704705987,1665167763496824668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11126022592704705987,1665167763496824668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,11126022592704705987,1665167763496824668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:4608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e59dd3af9c3235b7aa97caf4b6711a41

SHA1
be298b39a64c20fc21231db85585dfe62a9d2b9f

SHA256
047ce27a2ee0dc72dce353ba3db569d799bd4a47bdc93ac818da0492e7914f4d

SHA512
129a29dc9f89b951427a5765307ace1924f22047e3751c4fb5c53a3e0185bd4450a3fd5ede92d5cdfc1b16a07acadfadc97cf21b7df48d9e61dc6c98153b1295

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
09e065a34095e48cffe76a31987ff075

SHA1
e447bded0115a77136930993c0a87dcf97a48bf0

SHA256
efcff7c423b18155b308ac73c3a5afa19aac38f21dea5275f1ac3f79f7c03376

SHA512
acdcc653b04c918563f288d0d875f16ca3620135f3225d597e19ce78e9152ef3e8fab561f0918126174ef63b199d389f058dec1cc5e679b7dc86d735528e0772

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b8f4921fb4c24c0d42d02af396ab745a

SHA1
399c2a69e1bac257d5ba4638093ad2fc606b2779

SHA256
23243a36953f56cbfd3bf32da77cd799084608f7e3e3978fcb75b2cda4189481

SHA512
ee60ec0ae57bc71cd4625caade8d85443a5257607aa59019e221ef03f12c64605ce3a3054c18a331dead0945441aecdf1ae5f4238658b8489222c9c71e7179da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e1ce80ed0972d4be318fe240d84eabe6

SHA1
d24edf0e0ffc497a647c6aa74239d6c7b75b2ea2

SHA256
f096e43eab91b1ea2dafc6e554e86025f0c2186f7ecafa4477d76fcef36f463f

SHA512
b6397f531f99fbf6ec724b1795159e7a05935eeae58cb3d6d6911fd89cfa14b970b2d51457b26f171b4c7efa8706e7d73005a1e7615a61c5ed76e1fce0cd3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fef1.TMP

Filesize
1KB

MD5
d36848461418a4c243bdcc80bcc2a09a

SHA1
524c21ed3c5f2fe2fca98e624534f0ecbaada85b

SHA256
a2647fb40a77dd7b5ca7c7460e6ccd58a179453254e4e9bc5aa31ff93eddb925

SHA512
57651c10c970509a6ff0880403a03f94ddaa03471c616f2879d4e73851de5b98f204081fe669fec9d298ed3bc1c6181107f7f80c46a14cc8d2f8dc68f35cfa3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
20ed5ec3d7a6ed3fe3c46ac0f5b109d0

SHA1
a63ed65f97a86e49a842f8cabd4ad166da8676e2

SHA256
4eba3a4d1a1d346c294a7ec925251ba50dee65ac48006dbc1920c5b6707bc36f

SHA512
2d7164e6f4d2adf1ef8f17ea0a40ef1caa9b8cc679575669dc3f5b82d2f2d3350dd3b5940e11cb2c819cb1172dfc135a48636b056187addac2df9d32701b11fa

Download Submit
memory/316-1-0x000001F4172B0000-0x000001F4172F0000-memory.dmp

Filesize
256KB

Download
memory/316-2-0x00007FFDB5640000-0x00007FFDB6101000-memory.dmp

Filesize
10.8MB

Download
memory/316-4-0x00007FFDB5640000-0x00007FFDB6101000-memory.dmp

Filesize
10.8MB

Download
memory/316-0-0x00007FFDB5643000-0x00007FFDB5645000-memory.dmp

Filesize
8KB

Download
memory/2896-5-0x0000027B70350000-0x0000027B70351000-memory.dmp

Filesize
4KB

Download
memory/2896-11-0x0000027B70350000-0x0000027B70351000-memory.dmp

Filesize
4KB

Download
memory/2896-12-0x0000027B70350000-0x0000027B70351000-memory.dmp

Filesize
4KB

Download
memory/2896-13-0x0000027B70350000-0x0000027B70351000-memory.dmp

Filesize
4KB

Download
memory/2896-14-0x0000027B70350000-0x0000027B70351000-memory.dmp

Filesize
4KB

Download
memory/2896-15-0x0000027B70350000-0x0000027B70351000-memory.dmp

Filesize
4KB

Download
memory/2896-16-0x0000027B70350000-0x0000027B70351000-memory.dmp

Filesize
4KB

Download
memory/2896-17-0x0000027B70350000-0x0000027B70351000-memory.dmp

Filesize
4KB

Download
memory/2896-7-0x0000027B70350000-0x0000027B70351000-memory.dmp

Filesize
4KB

Download
memory/2896-6-0x0000027B70350000-0x0000027B70351000-memory.dmp

Filesize
4KB

Download