fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786

Resubmissions

19-12-2024 08:32

241219-kfqvbsxmgl 10

19-12-2024 08:29

19-12-2024 08:22

19-12-2024 08:18

19-12-2024 08:10

19-12-2024 07:51

19-12-2024 07:46

19-12-2024 07:46

Analysis

max time kernel
179s
max time network
224s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 08:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b28242123ed2cf6000f0aa036844bd29.dll
Size

87KB
MD5

b28242123ed2cf6000f0aa036844bd29
SHA1

915f41a6c59ed743803ea0ddde08927ffd623586
SHA256

fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786
SHA512

08e5966ca90f08c18c582e6c67d71186a6f9c025fc9f78020e1ce202814de094171111b7f3623d81f7371acdf92206446f7c0425e08e8f5f5b6fd969007d9fca
SSDEEP

1536:0A1KsVHBnVJ0T1rFTQHUPx+nVP7ZSRILMZoXyqqEbzPCAdt6rFTc:0A1rVIrFTOUsnVP7sRILgAPCvrFTc

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
94	raw.githubusercontent.com
95	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1020	2204	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MS 0735.6+7421-safety.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3832	msedge.exe
3832	msedge.exe
2188	msedge.exe
2188	msedge.exe
4524	identity_helper.exe
4524	identity_helper.exe
5260	msedge.exe
5260	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3100	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3100	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 2204	3300	regsvr32.exe	84
PID 3300 wrote to memory of 2204	3300	regsvr32.exe	84
PID 3300 wrote to memory of 2204	3300	regsvr32.exe	84
PID 2188 wrote to memory of 2780	2188	msedge.exe	92
PID 2188 wrote to memory of 2780	2188	msedge.exe	92
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3944	2188	msedge.exe	93
PID 2188 wrote to memory of 3832	2188	msedge.exe	94
PID 2188 wrote to memory of 3832	2188	msedge.exe	94
PID 2188 wrote to memory of 3964	2188	msedge.exe	95
PID 2188 wrote to memory of 3964	2188	msedge.exe	95
PID 2188 wrote to memory of 3964	2188	msedge.exe	95
PID 2188 wrote to memory of 3964	2188	msedge.exe	95
PID 2188 wrote to memory of 3964	2188	msedge.exe	95
PID 2188 wrote to memory of 3964	2188	msedge.exe	95
PID 2188 wrote to memory of 3964	2188	msedge.exe	95
PID 2188 wrote to memory of 3964	2188	msedge.exe	95
PID 2188 wrote to memory of 3964	2188	msedge.exe	95
PID 2188 wrote to memory of 3964	2188	msedge.exe	95
PID 2188 wrote to memory of 3964	2188	msedge.exe	95
PID 2188 wrote to memory of 3964	2188	msedge.exe	95
PID 2188 wrote to memory of 3964	2188	msedge.exe	95
PID 2188 wrote to memory of 3964	2188	msedge.exe	95
PID 2188 wrote to memory of 3964	2188	msedge.exe	95
PID 2188 wrote to memory of 3964	2188	msedge.exe	95
PID 2188 wrote to memory of 3964	2188	msedge.exe	95

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 596
    3⤵
    - Program crash
    PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2204 -ip 2204
1⤵
PID:1176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff30b146f8,0x7fff30b14708,0x7fff30b14718
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,3959875288845146522,14052752535353362204,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,3959875288845146522,14052752535353362204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,3959875288845146522,14052752535353362204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3959875288845146522,14052752535353362204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3959875288845146522,14052752535353362204,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3959875288845146522,14052752535353362204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3959875288845146522,14052752535353362204,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,3959875288845146522,14052752535353362204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,3959875288845146522,14052752535353362204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3959875288845146522,14052752535353362204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3959875288845146522,14052752535353362204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3959875288845146522,14052752535353362204,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3959875288845146522,14052752535353362204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3959875288845146522,14052752535353362204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3959875288845146522,14052752535353362204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3959875288845146522,14052752535353362204,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3959875288845146522,14052752535353362204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3959875288845146522,14052752535353362204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:5896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,3959875288845146522,14052752535353362204,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3959875288845146522,14052752535353362204,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,3959875288845146522,14052752535353362204,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,3959875288845146522,14052752535353362204,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6628 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4516

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5156

C:\Users\Admin\AppData\Local\Temp\Temp1_MS 0735.6+7421.zip\MS 0735.6+7421-safety.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MS 0735.6+7421.zip\MS 0735.6+7421-safety.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5012

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d0 0x140
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
679a3c981a46c88a0ed6bc550f49ead9

SHA1
9b69dda30fcc6cd111c7fca149a49fec81b8ba02

SHA256
d0b1875338d022ef0b0730185e0accecbaaa75b6eb1a1aa054afea7c6e9a4fee

SHA512
d1ea7ae73410a9a659aa65d91df534a4c409d148ae6f4004bf87f632d048597b2ecabf53085b3cced40b7e8bab7954f594864d747e97bdab325083ad21e38ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
871B

MD5
5412626e3ce6142a3b64087240b2b8c6

SHA1
5d49b0754063e559dd36aaa0b4333ed99f1717fc

SHA256
f9defff17c60a8da2ff277c03f71e52c3453fff2f06a4114b41a3faa45068e22

SHA512
5529e47fe589c4a8f7ab4d7dc0cd58f3689e91bef4010b6c1e7fe5c595876afc12da75493a8aaf820a68aea647f4112d12e4e89c45114495e9a6963782be114d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
74930cdcf960f6eeae1d8e14d31e2428

SHA1
47b5b1bd4212d0d88b133d68f20b7970b2f9919c

SHA256
1ee3d55e4062082e2f980c350b42f6a8dd1b52fd16fa99d7e5f8baca4807d8f6

SHA512
f2a725617e1027955fbee744b279a4241bcb825673b90f892ee9aa827d7fdeb5f04c05e592797314e36f5cb6e89eee3a5d336713c407c16a99f6ac9cfaacadc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
78a6c03c7535efd617d5bd12e1a03df5

SHA1
adae3eeceb03fa8327c171e832cd12fc3e162732

SHA256
514171f11badf4d902f2b177a711aaa2fd79dc4a5f8dd15c4b258c450d6eb3ee

SHA512
7fe2ab154d0c88bb40f1ec26dc56b233dd459c676ba371c11ed6ee9f50ad72fce58e680e9a66d95a82054dd5fed0fe5d179c2618ca3cebf006b571e4b8938f09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
681b7886a345557af66d9c17c0262b0c

SHA1
7da506d9e3620aa66e7ba271b30e0b82e9f2be39

SHA256
2e3ff6fc53c6360027e85b981be5074c8c5a9e6a51f9d5b88a0b74ccf236fd60

SHA512
670b84f6f91cabe5b04b60785faceb658185a7722b2414e55c682be1d54bbac924664a5b14f117246f4198dfdaf33deb00921c3fbcc86747ddcab7ad54fc847f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7b949ddf31fc0cc8dad4487895f9dcc7

SHA1
fc9124597f44984f9ec569275119e9a173bab248

SHA256
527b67fa6066a5e2f0324ec6e0973ec03cea060ff875682e4b3e9ff483bb35d3

SHA512
02e91d35b2c91fba8276a2c6832b96e5300b07cd58071f466c785b0f7f3f069d806453af5754f6be19464550782908b435e62fd2cff7db86ce07f07d3fac74c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d725b99d1f5ffb1c0d4db370ae0fd7ca

SHA1
cee106cc648f01da33d981bb46b8115aa5a609bb

SHA256
aab8a5a7793150a1a2aabe183f0afebb704917853a56bb163e03b97612e911ab

SHA512
05f7d91916036fd527e99009135b31d019766245cc0b8a8420e7cd2d021c169d0c7391eff315d71616d21d77f488587d849629f1bd047aaf4347300d3fca687f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a7c4d24cdfea96a3888e5fa48b8e74b6

SHA1
2504fda5fdda083980c079dc789437071a248be6

SHA256
0a60361d278a50975c93ef155e3049f1bd3826688be16394c8ac94334f3c511c

SHA512
7ba5fe97982c323d6cfe144e1c934bcd29e6ea0424518f72d622c29a05b4d3ae34002eef322f3c0a0daab1301899d5c2c61eaf0f5d4be89aeef2f3a10a769ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2a159cd66b6191ce05f6e9df52384133

SHA1
e67766542169f5385139a2897dce945419516dc6

SHA256
851deb7d572a51b3d7245dc01fac3be50efffa4cd47a1b41d891866993f18393

SHA512
8715a0ac6ad6d67673566c7319cc54e56e0eae75ff4bdac365a90623d255ffe3fdb7f0486876687ae430a9dde248daafb3f90acd6b8065fd9431c73bf35ec01e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c7fcbc3f47bf83ae9a866502b799ba25

SHA1
8dbb7130ebec1c9d37533d6efe2c379dc32c303f

SHA256
70c4246e5aeef9df567f1d833b6a8cd525308b964f6156395b6bc506c970ae98

SHA512
236e118076983bbaddce278afbd2929098dc6238464ffddac669ce7408b2a40fbb52260802d37a3621d61468be0e452a24536c0b9e01c691d686617ad564527d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d07613bb3ce792ee2e7426f2061ae205

SHA1
82f032436e8aec9501a588074a15b2448dec1eb6

SHA256
23a209961d53227bc41eace5974d77f8d5ab9c3115304da335e556d0e725ab89

SHA512
06c6b58927fb84817c227d42b1a58423a30d7fb20401a4d0a440825c8d87f7d8551c262a8c712203753e875b59c3ed107191917cd027a04eaea86051c467d30a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588c7c.TMP

Filesize
1KB

MD5
3c4a8eb5e0bfe6829a13ac9d86bea6be

SHA1
4aeb7ee9c43cf73ed1d5adfbdc6944936911b541

SHA256
5261b80da9ca44e41866de3ef998286543893400dd8074b58eaa20ff51f44170

SHA512
65ac5633956707599660897363eb8027fc9110cbb750a581f1dff8cc98e5df93b74a8918a35fa5cacffde7ab83ceb4b185cfc541e1f87080f4c87fa4dc87b1a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d8c073f3d13523a5411ea07cb7e50903

SHA1
e45dcc3521758fe5348f31cfc2ba63e622d6b1ad

SHA256
40fc6c79e06e71e97e0e2208dd1ce5dfe7031c0b0114212c4680770eaa90e4a4

SHA512
b3cad45b56b75bd21ad38d92cc682cbff4a29cf30530ae6d9d9848d3504a3f88dea488a277ab4cbc4ff9a4818eb9219e65be6578d4e8009d5e3dde121d44f1b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
562fc158b31ff67a48370838cb444f5a

SHA1
8cabf14391d9dbe8cde6867fc78306891e1eea54

SHA256
151b656ab83438f73ee0634ca7db328579971824c8d8d7fe7d5fbf2061e70c18

SHA512
970a3e6966e9fc4571c328527c9f0b157d6bfebe93a23ac6814651e31fdcdf49475fa9134a12f38a4bb3c7dbaf509f163efb4024596d798ca71429c2deae0637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
073c6b49fdb1340fec76888cc4c42396

SHA1
aaa9cab9d25736a200406f15d821c04138c79cbd

SHA256
069b38c2afe145c865167dd864668f5b34378e6e3db68ca484667e910ce8f077

SHA512
7baba55e3ad9be3df32ff19b3b08cedeb554eba7a0ad37beb9143ad944103b74e66f21a7a7da83cd4645c513750a283d37fe9c19ef88087aaa4e2fb9af13a052

Download Submit
C:\Users\Admin\Downloads\MS 0735.6+7421.zip

Filesize
112KB

MD5
1b3cf59e94f7d599ed2d54c1f82acb5a

SHA1
10d84b9096c92331106212af9a88cc7f8119c458

SHA256
57c3e5002750b9da9dbf7526a1288bbd84f339fadc16f828ef20d1889c51e483

SHA512
113328d190125c1dd0f7b5dc323a68c41f5a98c1afbec51e414c5f2776097bb1daf44af9aa58acb221c82c11e68b580f414ead1cf8184caf28da259793555a45

Download Submit
memory/2204-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download