fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786

max time kernel
237s
max time network
240s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b28242123ed2cf6000f0aa036844bd29.dll
Size

87KB
MD5

b28242123ed2cf6000f0aa036844bd29
SHA1

915f41a6c59ed743803ea0ddde08927ffd623586
SHA256

fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786
SHA512

08e5966ca90f08c18c582e6c67d71186a6f9c025fc9f78020e1ce202814de094171111b7f3623d81f7371acdf92206446f7c0425e08e8f5f5b6fd969007d9fca
SSDEEP

1536:0A1KsVHBnVJ0T1rFTQHUPx+nVP7ZSRILMZoXyqqEbzPCAdt6rFTc:0A1rVIrFTOUsnVP7sRILgAPCvrFTc

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3712	2896	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4376	msedge.exe
4376	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
2876	identity_helper.exe
2876	identity_helper.exe
952	msedge.exe
952	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe
3456	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 2896	1532	regsvr32.exe	83
PID 1532 wrote to memory of 2896	1532	regsvr32.exe	83
PID 1532 wrote to memory of 2896	1532	regsvr32.exe	83
PID 3456 wrote to memory of 2328	3456	msedge.exe	105
PID 3456 wrote to memory of 2328	3456	msedge.exe	105
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 2992	3456	msedge.exe	106
PID 3456 wrote to memory of 4376	3456	msedge.exe	107
PID 3456 wrote to memory of 4376	3456	msedge.exe	107
PID 3456 wrote to memory of 2040	3456	msedge.exe	108
PID 3456 wrote to memory of 2040	3456	msedge.exe	108
PID 3456 wrote to memory of 2040	3456	msedge.exe	108
PID 3456 wrote to memory of 2040	3456	msedge.exe	108
PID 3456 wrote to memory of 2040	3456	msedge.exe	108
PID 3456 wrote to memory of 2040	3456	msedge.exe	108
PID 3456 wrote to memory of 2040	3456	msedge.exe	108
PID 3456 wrote to memory of 2040	3456	msedge.exe	108
PID 3456 wrote to memory of 2040	3456	msedge.exe	108
PID 3456 wrote to memory of 2040	3456	msedge.exe	108
PID 3456 wrote to memory of 2040	3456	msedge.exe	108
PID 3456 wrote to memory of 2040	3456	msedge.exe	108
PID 3456 wrote to memory of 2040	3456	msedge.exe	108
PID 3456 wrote to memory of 2040	3456	msedge.exe	108
PID 3456 wrote to memory of 2040	3456	msedge.exe	108
PID 3456 wrote to memory of 2040	3456	msedge.exe	108
PID 3456 wrote to memory of 2040	3456	msedge.exe	108

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2896
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 596
    3⤵
    - Program crash
    PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2896 -ip 2896
1⤵
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb75f546f8,0x7ffb75f54708,0x7ffb75f54718
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 /prefetch:8
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4192 /prefetch:8
  2⤵
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,15927079910674758535,1611155534200588271,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6452 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1032

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1056

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x2f8
1⤵
PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
70KB

MD5
807dda2eb77b3df60f0d790fb1e4365e

SHA1
e313de651b857963c9ab70154b0074edb0335ef4

SHA256
75677b9722d58a0a288f7931cec8127fd786512bd49bfba9d7dcc0b8ef2780fc

SHA512
36578c5aedf03f9a622f3ff0fdc296aa1c2d3074aaea215749b04129e9193c4c941c8a07e2dbbf2f64314b59babb7e58dfced2286d157f240253641c018b8eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
17KB

MD5
18a9531f05f4a3662558d102349767b1

SHA1
328114b78180b5931d651669bf0b21d3a5cf8adc

SHA256
2d427df292899c50caad69f5c59737ff07f39544e52ff6b9d01f4fb82ec0d716

SHA512
b52d9f81a88694bbb16551a50fefd69a3f3dcd0ce5d3d3f3e3a2c1d7de969b5f6e27ca9fd22f7e964108f9b39eb083a44ef161ee3b8c39f61fa5939a15d21b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
18KB

MD5
8bd66dfc42a1353c5e996cd88dc1501f

SHA1
dc779a25ab37913f3198eb6f8c4d89e2a05635a6

SHA256
ef8772f5b2cf54057e1cfb7cb2e61f09cbd20db5ee307133caf517831a5df839

SHA512
203a46b2d09da788614b86480d81769011c7d42e833fa33a19e99c86a987a3bd8755b89906b9fd0497a80a5cf27f1c5e795a66fe3d1c4a921667ec745ccf22f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
72cef08ad122ffb0a58a3ce3398fcd4b

SHA1
b8b04f8a5d3730ff86534361bece26d97706c63f

SHA256
366bccd67cdd149e5a2a0c105393e5956cf01ffe43ab5feb45ecbeac04644f3f

SHA512
f026edb7e187c91272c7cdae30264da3a66992411716d2f13fca9a658c68ee3ee7ecddda1aa9a688a715d920f899ee1e6da0f94ac68252a0326fa49aba88a809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3e8ac94228a1903c2571346ebed64c5e

SHA1
1be09504327278f789521bebc30f64ea4c47d086

SHA256
0998e3c4532c93f10803f1299f6a51927485329bb7830a5925bd391c163d8025

SHA512
17400b7b259c04cb18051b7b445e2cec6fe07c5f8fc439c03e78fd12f5a460e565b585ada970a9eec0c88e1886138777d6e6ee57e313a53b841d67d5aefd9344

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
9438c71d65e219dd6133a47ec674c1b9

SHA1
a8786b1dbeaead00e09c5f136a7c16b5b8881751

SHA256
01f5cfe8a150cf3b9642ea9f1303aac1d8821869965a8e1f5aaa49e47cec8232

SHA512
7223adc859cfa1b846fe92012c3d0ee254e3080f23a5231ab5cd2de3128eb699e99afce818997335bd97b7eac42673c52f3b2ef22f88bcb1d992d1076f20ef24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
2ef388169503ac04473cd8468949416b

SHA1
9fa6f2cff251287b8a5d9300802f048e4f64d1d2

SHA256
d129907b59c4f8eceaa666e85c36434f6e3a449bb820b865842d8f526c1db716

SHA512
1706b89a45fbd0817ce0246e2b31d3ebe53e50f0d0d38dd460a268b120cedcd3e969f22d31d1d0453e239daf80a1f5d063b0a325ce9f82455606d9c3887ad722

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
788B

MD5
dbc94d43a80b8982b572db9fee746def

SHA1
db72cf52e39793aded2c60f83c5384d3171e7800

SHA256
146d1b6e72873074829b79876a7246df046371930961e53c8129133b82458633

SHA512
f497be961092e66550542f836d796faf8041b958f59a81f99e9d8b77e5c919d99154aa7dc1d52ddfe32cbfb2f52024773906b14609c8df0594eb6270d76566ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
42452a8ba483f560a47b40857eeac0ba

SHA1
23a1116fb31b3247c029059cb2274714b3674b81

SHA256
9e90194583c1be1f1142ec8a9ed817925fb064dec835b8cc25172e7c248aa970

SHA512
830c0f21d921f59bd69c8c52e9f948443847290d0411f29520871860accc82df92ef810d36eb7300eacc0443dd571f5c62aaa2824d62515479cd6e9316aebd20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9e2e3427cede20a0ef12e3c2d1cb2aca

SHA1
334595294668bc0b325689693eb8be67dccf648c

SHA256
ee1c7f5c669d3aa2e54de93102e959a7b8ff9ec82be4a91a57388baf6f4ba91b

SHA512
ea7f6d4d91b0f57151c5170d3f084b2a78ee620786ebe3f430cf0fce0561b87333f948d7af29b239f5d95b1c5d9aec1e94fc908954cfdb3314e93d4c91952e9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
08b2764319d23ec46e19d2d0f9b80182

SHA1
779f863873ff89d7e0cae2950ea14b1454f93dd3

SHA256
1a3dee5161bce04852bd37bd118dad530cae90bd3b21833182b00307913732ff

SHA512
9d25d30771020fc6f44920a86890076ed64a2e7477d30e7a47ffeb43bdbb5d12ec902efc36d2d7cb4cff87e0f5fb761dd88e8755adf6dbddbda58d2b9b300365

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
68c93d20a13aee955afce1d0268c8581

SHA1
6cf4bb9dcb16f0156424f336a5021d82e4c0129c

SHA256
53823d3cf0af184c84c1a1695814b546f52d9b393efcf9a3cc1ee078f6d2f628

SHA512
77d492a0c49dfd65f08254bbf32728d12e10d941d58708a5ce2cd240399718176149919783d5f013fe129972fbc90ff4922835e2a24210cadacab3d85c760e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e09f954bc217b58dc8d4ec879daa4471

SHA1
04fb4377949a246c36d55f832b8a831a0928e861

SHA256
bd8e3f4ff68703bbd29721003fcf5b418e0d363e5708c1ab56bd2875abb2c871

SHA512
ac2fae862a53fe162a9286f53d4f6d27e59bbb5285cfaf6eb101e9f39e45b92e92f1a7be768236f58b5af948f1635bcda180697018c6aedecdcaf463f4186d3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1990bb7e01d1c4bc6a357033f0b537d8

SHA1
716e84fa359e4583540690c5085bfd4f01e15abb

SHA256
1755a31e966d95443d29225f224948490770a57c9ed4442f0a6f55d23e8b31fa

SHA512
80b2297a4279ebd75f7b5e943db571967bf985aeb478030fabc53e6374e28c743ce15c59d15febe4ca713365f56fdf7df0d938183f6e8acff5ec8c256048067a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
40e321b0e263c80952296a5ef3c35cc4

SHA1
10038b8d18317a16d9b6f53167f06303c471c1a7

SHA256
f3553b4957b699abd79df46a43dd9f0752a0dff64a5f44a56e916180393e8bcb

SHA512
27be658216fa88bbe96905ef7962f71701016d7595df9bb7764fd445f2911488f8957276934504dff80f1e1dbf4869fe1008a9539ac471bcf44a9ac2f0d49621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ae13a26037ad9847b2baa9ea947d71db

SHA1
7a5a15ec78cebe50facc91871cbf7b2132b7b9bc

SHA256
5cc67d912ab71594154677b5b12543667deb3f283d3d4ced4627b9665b57c969

SHA512
21a7e3ddb211fa4b0f8eae157007dc3963cba6251f1961ca9dc0e01315239ed86cfddcd5ba36fac22dabd0586bd6f635b85f7ae6da8bc5482f9801a9a853546e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2b637e413e7b23cb39b883bf58017b4f

SHA1
325cff0d8d9fd703ded6f644fafe2a36e4dd1e65

SHA256
d348b58a3ac917343ac66755d50e9b4d20c112cb59085d931a87a02d6dab2ad9

SHA512
301ad1e58cd51466a5d0db46aff409304e4ae765e4b2e99e05d2710dae39cdb7ddd7d28730c8bcba5db807313188cb9eafb97de26bbf1e33e210c93a4b1ddcb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a6dc529469710fddc204863984d9960d

SHA1
372f0cf5b8bc0cec30edcb332c03451b403cf70f

SHA256
886821036d0238ec312d48639affc1cef5ca45b0c19cad5597bd06b663b721d2

SHA512
58446c3232decedcc5e7ff9202b5ef6407cb75a00532b6cd6abf2cf72214de9954d4009a1a775d580599a30dcded849d7861938a70fe890c4d878805aabf87d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5854d2.TMP

Filesize
1KB

MD5
154b6646b21401dbd22ae583cf91f56d

SHA1
f52f5277bc5b656768d802c1c93c802dc133c8b8

SHA256
f33f6b35b79444f209e04a82bcb0a567c1844fb682325ccb20378a4408f38bca

SHA512
42c130fedf55a428b3313b25b68b23032bd614a3ce00587d42ee9a54965f026435a6d02d9911165ba72e8437b526a9f22671a6a367b29b07cb349217ee2ce48d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
17589a057c3cccb2ff9185767234fff6

SHA1
fd2ab58487c2b04a7f248adbca89ef5362db5839

SHA256
2d9fb66f89e086f3008511331a4217458bced09564547a6f724cd6bdb29b84c1

SHA512
3f99889d196eae0c0b4e1bebe990c6d8c7a09930e4c340bd408dde4c0c5683d21a46fdb5e4b0df71c5eae84e3641b841b9fd7b1df762982f72ba7b7cf133a07b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c51f0e12c944cebaa0ce472f31db81fe

SHA1
a8746bd8c8206b5b3ebdf242f3305569c2fbeb33

SHA256
925fcb25e92f27135a741a8bbbebf2ff1547ab3e43bc995947e89744ae6421fa

SHA512
051768bf97354399fd3870be4a23b81287b77c183b9f0b125e8dc4c3c7b5ba3c726cdfa604e2b957a1fdbf1b44f77d3edc34cddb213f20079cea7b394764ac3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b512dd6c838a39e22f800664b28efbc5

SHA1
64607ff5be0e168fdbb8f223b33fbe1a587acca9

SHA256
865ee49bfe537381a193e93f2397b7240f056988321759053bb7d130bacea048

SHA512
2617a563c1ba89c5990f4cb3813f8a330847be1f9ece7b8feaf1b6e5cf02ed9a68b623e15648a88dfaffaa019f1eedc7bd66120d6698d8ecd501d911ece38399

Download Submit
memory/2896-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download