Analysis

max time kernel: 1800s
max time network: 1803s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-12-2024 16:17
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://expandera.win/
Resource: win10v2004-20241007-en

General

Target: https://expandera.win/
Malware Config
Signatures
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
2924 | msedge.exe
2924 | msedge.exe
3896 | msedge.exe
3896 | msedge.exe
2072 | identity_helper.exe
2072 | identity_helper.exe
5740 | msedge.exe
5740 | msedge.exe
5740 | msedge.exe
5740 | msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: 33 | 3344 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 3344 | AUDIODG.EXE
Suspicious use of FindShellTrayWindow 25 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://expandera.win/
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3896

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa110f46f8,0x7ffa110f4708,0x7ffa110f4718
    PID: 3724

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
    PID: 1748

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 2924

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
    PID: 4500

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
    PID: 4456

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    PID: 1796

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
    PID: 4988

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:8
    PID: 4632

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 2072

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
    PID: 4644

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5612 /prefetch:8
    PID: 1916

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
    PID: 3216

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
    PID: 1340

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
    PID: 4684

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
    PID: 1124

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
    PID: 4260

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
    PID: 2272

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
    PID: 3252

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
    PID: 4608

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
    PID: 4688

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4884 /prefetch:8
    PID: 2680

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
    PID: 2568

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
    PID: 1328

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
    PID: 3432

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
    PID: 1536

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
    PID: 5172

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
    PID: 5180

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6428 /prefetch:8
    PID: 5704

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,7120135645370869953,9347592223813112629,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2960 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID: 5740

C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 1696

C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 4428

C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x380 0x3d4
- Suspicious use of AdjustPrivilegeToken
PID: 3344

C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 3596
Network
MITRE ATT&CK Enterprise v15
Downloads