umbral | 9ff459396b1f4de8dbca8a866ff3b9e4a46c48a9dc1071812a256fe21349caf9

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-11-2024 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Big clean script.exe
Size

230KB
MD5

b23d20593d9176d95302568243f60052
SHA1

fef1aa01b7a41a8255d71309c7c5badf48a7a907
SHA256

9ff459396b1f4de8dbca8a866ff3b9e4a46c48a9dc1071812a256fe21349caf9
SHA512

13a9f86ca7b7df87b4174875fb3d7a7552986a6484297c841037b054d3bf01eab724f3b080f9f1984cc58912e0a50953f5d1e2355dca1cc5366eca4870400d3e
SSDEEP

6144:lloZM+rIkd8g+EtXHkv/iD4M8RobhS6FDAxDeebSzb8e1muQTSi:noZtL+EP8M8RobhS6FDAxDeebIHQz

Score

10^/10

umbral discovery stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/2356-0-0x0000026259890000-0x00000262598D0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
67	discord.com
70	discord.com
141	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2045521122-590294423-3465680274-1000\{3E1A7481-2632-4347-B4A5-C1A7E29C71F8}	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1980	msedge.exe
1980	msedge.exe
3356	msedge.exe
3356	msedge.exe
1456	identity_helper.exe
1456	identity_helper.exe
5556	msedge.exe
5556	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	Big clean script.exe
Token: SeIncreaseQuotaPrivilege	900	wmic.exe
Token: SeSecurityPrivilege	900	wmic.exe
Token: SeTakeOwnershipPrivilege	900	wmic.exe
Token: SeLoadDriverPrivilege	900	wmic.exe
Token: SeSystemProfilePrivilege	900	wmic.exe
Token: SeSystemtimePrivilege	900	wmic.exe
Token: SeProfSingleProcessPrivilege	900	wmic.exe
Token: SeIncBasePriorityPrivilege	900	wmic.exe
Token: SeCreatePagefilePrivilege	900	wmic.exe
Token: SeBackupPrivilege	900	wmic.exe
Token: SeRestorePrivilege	900	wmic.exe
Token: SeShutdownPrivilege	900	wmic.exe
Token: SeDebugPrivilege	900	wmic.exe
Token: SeSystemEnvironmentPrivilege	900	wmic.exe
Token: SeRemoteShutdownPrivilege	900	wmic.exe
Token: SeUndockPrivilege	900	wmic.exe
Token: SeManageVolumePrivilege	900	wmic.exe
Token: 33	900	wmic.exe
Token: 34	900	wmic.exe
Token: 35	900	wmic.exe
Token: 36	900	wmic.exe
Token: SeIncreaseQuotaPrivilege	900	wmic.exe
Token: SeSecurityPrivilege	900	wmic.exe
Token: SeTakeOwnershipPrivilege	900	wmic.exe
Token: SeLoadDriverPrivilege	900	wmic.exe
Token: SeSystemProfilePrivilege	900	wmic.exe
Token: SeSystemtimePrivilege	900	wmic.exe
Token: SeProfSingleProcessPrivilege	900	wmic.exe
Token: SeIncBasePriorityPrivilege	900	wmic.exe
Token: SeCreatePagefilePrivilege	900	wmic.exe
Token: SeBackupPrivilege	900	wmic.exe
Token: SeRestorePrivilege	900	wmic.exe
Token: SeShutdownPrivilege	900	wmic.exe
Token: SeDebugPrivilege	900	wmic.exe
Token: SeSystemEnvironmentPrivilege	900	wmic.exe
Token: SeRemoteShutdownPrivilege	900	wmic.exe
Token: SeUndockPrivilege	900	wmic.exe
Token: SeManageVolumePrivilege	900	wmic.exe
Token: 33	900	wmic.exe
Token: 34	900	wmic.exe
Token: 35	900	wmic.exe
Token: 36	900	wmic.exe
Token: 33	3044	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3044	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 900	2356	Big clean script.exe	84
PID 2356 wrote to memory of 900	2356	Big clean script.exe	84
PID 3356 wrote to memory of 4424	3356	msedge.exe	108
PID 3356 wrote to memory of 4424	3356	msedge.exe	108
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1036	3356	msedge.exe	109
PID 3356 wrote to memory of 1980	3356	msedge.exe	110
PID 3356 wrote to memory of 1980	3356	msedge.exe	110
PID 3356 wrote to memory of 3580	3356	msedge.exe	111
PID 3356 wrote to memory of 3580	3356	msedge.exe	111
PID 3356 wrote to memory of 3580	3356	msedge.exe	111
PID 3356 wrote to memory of 3580	3356	msedge.exe	111
PID 3356 wrote to memory of 3580	3356	msedge.exe	111
PID 3356 wrote to memory of 3580	3356	msedge.exe	111
PID 3356 wrote to memory of 3580	3356	msedge.exe	111
PID 3356 wrote to memory of 3580	3356	msedge.exe	111
PID 3356 wrote to memory of 3580	3356	msedge.exe	111
PID 3356 wrote to memory of 3580	3356	msedge.exe	111
PID 3356 wrote to memory of 3580	3356	msedge.exe	111
PID 3356 wrote to memory of 3580	3356	msedge.exe	111
PID 3356 wrote to memory of 3580	3356	msedge.exe	111
PID 3356 wrote to memory of 3580	3356	msedge.exe	111
PID 3356 wrote to memory of 3580	3356	msedge.exe	111
PID 3356 wrote to memory of 3580	3356	msedge.exe	111
PID 3356 wrote to memory of 3580	3356	msedge.exe	111
PID 3356 wrote to memory of 3580	3356	msedge.exe	111

C:\Users\Admin\AppData\Local\Temp\Big clean script.exe
"C:\Users\Admin\AppData\Local\Temp\Big clean script.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe631346f8,0x7ffe63134708,0x7ffe63134718
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,10621255665235189250,16006656507717890339,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,10621255665235189250,16006656507717890339,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,10621255665235189250,16006656507717890339,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10621255665235189250,16006656507717890339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10621255665235189250,16006656507717890339,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10621255665235189250,16006656507717890339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10621255665235189250,16006656507717890339,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,10621255665235189250,16006656507717890339,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 /prefetch:8
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,10621255665235189250,16006656507717890339,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,10621255665235189250,16006656507717890339,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10621255665235189250,16006656507717890339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10621255665235189250,16006656507717890339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10621255665235189250,16006656507717890339,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10621255665235189250,16006656507717890339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10621255665235189250,16006656507717890339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10621255665235189250,16006656507717890339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,10621255665235189250,16006656507717890339,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10621255665235189250,16006656507717890339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10621255665235189250,16006656507717890339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1900 /prefetch:1
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2076,10621255665235189250,16006656507717890339,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,10621255665235189250,16006656507717890339,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:6084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1352

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x2f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
912B

MD5
7e887d8b3708c118417230183cc6c208

SHA1
37b0146f2b8d1f0029f6b7a0929312a60640194b

SHA256
8fae2acbe63e969c42f763d1bc1b51c74aef14465fe7409236ffa60881b2f0e0

SHA512
301f0d117571856d3252a39a8f148c9a27f59df632e4c5307b8fd89de7d8be3d53d159c1c3b5506ab6559c49754c8abe424eaceb1d39f037533f05dee9b95162

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
632fa6a507515e553aa39f0e713ee922

SHA1
d9d99c5d2ca0b2fd6c2e4dcbfdc3fa6560c1c4e9

SHA256
fa91a32184183a7a7b019c2946a6f14c4f6f1d821c0e88aac8ab6424b4383bba

SHA512
5daec1b6fbbb4641fa4ddcc07569dbc8747d870f2ed3ed08b2569528d0a6328649421bc57734f546f32d7e7972e9095f3faf75d027d3506af4d6694026d79fd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8d2c5b027bc0c11ccf41576fae6f4b79

SHA1
41706cc9b004cd22c2c2757c225ad5b5daeb0c4f

SHA256
3bcd08fbafbd913279897bf1c109bfba0c63f2f94734737d797b1ace542e3f51

SHA512
3444257cfaadc43c22a5c93943571a62892ecb69475e04281d576f5cb8b23874f789e6f2d0f207ac139c34683f6bfaf956b8bab82c1ea52619f238064ad81b40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d684fdd4bd715c5249d264b52a00f06b

SHA1
60a4e1a4e8ef9fe19ce4eb089da5bd265e01cb39

SHA256
78621dee2e490c7de4a0cdb1165d6c006255e726f82ef4b308fbc84f96ccedcb

SHA512
b8e1c93362437c8ec718e696afd231c00a007f9ab7807b6fa563fa9e847f7da33805ea4b1e58ce6d7bf98158296cfe6ef84de0186d1220424d7a6df90ee837c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f92b84e1ed92e6100b1ac3da3ea5af5c

SHA1
f6c56aa7667cbb9a31d5c174c7964286c4603609

SHA256
cef7af70417b7406043474b5c6c7048b6ce4ae0cb1f59e7f073d8a0f3ab03d7d

SHA512
a2696a8f099b510a99bfdb8621e7c0bb891a18810beb2e00675a7609528ab095c5a9ff68884b72b8432c910ec76735a6eff0ded36c4e413970aad050f2368bba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3f51f865ea0d0aa06e4fec1fa04b79d9

SHA1
183b6f081d30af9ffd6e004c1a3615bc050a2114

SHA256
9e3b4247af90665eb63f8ca828bc9153e42cc20606b540f546c727e2965bde2f

SHA512
b6423b1ae4a2e316d17ec941fd172b91b7086c9b71035d0bc387de13a0d892e735ba9a5e057e0a85e576f5f785ab79c04efd462a4c94496b73ed1f3147e607c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a7ad9b73833a0c229e3da164fb5bef86

SHA1
7f2eaf987e274f9f66bfe691506806ee50b81962

SHA256
f68ca6976d9ea27b8906bd7d0784a472f9edd66b6dc2d4cc0e0160eb57a1f9c5

SHA512
f59767b90714ec759f855afa41fd7fc5fb2d4804cea4eaec41f0fa2490aed6b2f7e7a9819da7e8d786dbcfe4a193dcf9e3ea602798165106cc70c9985e7a7c4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
733c511ff0ff77269204a2a65185fbba

SHA1
6be2d56f86e89a3d3b1dc87ac944108190b095ec

SHA256
d98ef31cf4147b3fe89f3b77a14bfe7b0a1dd70c4ca2d0107f5d7ad80d10e99c

SHA512
f84df007d95c80e0df8c4cbb0d0c1209376cc2b99f341be7dc5c0cc4664e22a6cf9118b0d06dec56fd4b8a166538ca5ef6896495bc8b8f3a304c7bfd92673b13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fe0d6a735d0e71c561d865e91b88d840

SHA1
c4c2f2f3137ceef800a2d84729c3f681ad774d54

SHA256
85a92ebed163517fc8e5d8ea0bba93d9c3a6bd546b435cd0a6cc91f93ef04e21

SHA512
7cee923fe4b23dd9c037b1e93eb73a0ea9e59d3656a30c0c830e3c5b5579ddc10008f2b43a07b45b50564d043046b8513f7ed701d5b0123657b63517ff2b58b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe596836.TMP

Filesize
872B

MD5
85f52850b15d275d669030764cb37e3a

SHA1
13862c243978c7f5df7728ec4ee82437b56125e3

SHA256
e53ab938f798af01a2263ae1da559b2878f5a4855073ac12a7e3d99c569a10fa

SHA512
df1ba04f575e44b7180648a05dd58fe0dbf5190ac13bb5bf6ec0f134f1e9295e5f8bdb3163b1a7d9f06724098a180a282631c7a65bc6c544378d248ade9fe836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
77dadd6e1a2993f6e5ebda7ed040efa6

SHA1
f22d398650f4bbf8af6374527b53f4261429fc98

SHA256
81fd64ad860a6f40d0e7df05c1480f91e1e79896bd30ae2899009e4587a70cfd

SHA512
7ccb992171f91625219b0763d8588168dfb30cdded872a11ed06d4c0ca35992fb75aa0aa869c0887bafd0944a448c62168c6862d5af89e3174b0090e3d443c9a

Download Submit
memory/2356-1-0x00007FFE64653000-0x00007FFE64655000-memory.dmp

Filesize
8KB

Download
memory/2356-4-0x00007FFE64650000-0x00007FFE65111000-memory.dmp

Filesize
10.8MB

Download
memory/2356-2-0x00007FFE64650000-0x00007FFE65111000-memory.dmp

Filesize
10.8MB

Download
memory/2356-0-0x0000026259890000-0x00000262598D0000-memory.dmp

Filesize
256KB

Download