53490ed89b008fbfc3339cfe103112673075b92b1c97b4b79aeba01745ab191c

Analysis

max time kernel
151s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 18:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0025df71fe55e30ec68227c6b3b938e1.exe
Size

172KB
MD5

0025df71fe55e30ec68227c6b3b938e1
SHA1

17a794da7ea03202fa4cb70c004828c7b4c1e4ff
SHA256

53490ed89b008fbfc3339cfe103112673075b92b1c97b4b79aeba01745ab191c
SHA512

eec66a04833b2d2a492ae6c126581ee0f9992dae7e6ce700e2b42e74216a1c6578c96174b276a9a15bc92fef2fa58be5929a402a3c5bee2f24b90ad14bf62f1b
SSDEEP

3072:kfOEft/0DL9Y6huJIP3cmUe53qHkXxO8aqMsrbxEpQu7VdSVszNETfDUWesA:cOq8DL9Y6hie54kXxhzMS3SVdSV2WUWF

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\mplayer2.exe"	0025df71fe55e30ec68227c6b3b938e1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5012	384	WerFault.exe	86

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\Download	0025df71fe55e30ec68227c6b3b938e1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	0025df71fe55e30ec68227c6b3b938e1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"	0025df71fe55e30ec68227c6b3b938e1.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
384	0025df71fe55e30ec68227c6b3b938e1.exe
5016	msedge.exe
5016	msedge.exe
3128	msedge.exe
3128	msedge.exe
2624	identity_helper.exe
2624	identity_helper.exe
6124	msedge.exe
6124	msedge.exe
6124	msedge.exe
6124	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2884	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2884	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe
3128	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
384	0025df71fe55e30ec68227c6b3b938e1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 3128	384	0025df71fe55e30ec68227c6b3b938e1.exe	99
PID 384 wrote to memory of 3128	384	0025df71fe55e30ec68227c6b3b938e1.exe	99
PID 3128 wrote to memory of 4104	3128	msedge.exe	100
PID 3128 wrote to memory of 4104	3128	msedge.exe	100
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 220	3128	msedge.exe	102
PID 3128 wrote to memory of 5016	3128	msedge.exe	101
PID 3128 wrote to memory of 5016	3128	msedge.exe	101
PID 3128 wrote to memory of 1924	3128	msedge.exe	103
PID 3128 wrote to memory of 1924	3128	msedge.exe	103
PID 3128 wrote to memory of 1924	3128	msedge.exe	103
PID 3128 wrote to memory of 1924	3128	msedge.exe	103
PID 3128 wrote to memory of 1924	3128	msedge.exe	103
PID 3128 wrote to memory of 1924	3128	msedge.exe	103
PID 3128 wrote to memory of 1924	3128	msedge.exe	103
PID 3128 wrote to memory of 1924	3128	msedge.exe	103
PID 3128 wrote to memory of 1924	3128	msedge.exe	103
PID 3128 wrote to memory of 1924	3128	msedge.exe	103
PID 3128 wrote to memory of 1924	3128	msedge.exe	103
PID 3128 wrote to memory of 1924	3128	msedge.exe	103
PID 3128 wrote to memory of 1924	3128	msedge.exe	103
PID 3128 wrote to memory of 1924	3128	msedge.exe	103
PID 3128 wrote to memory of 1924	3128	msedge.exe	103
PID 3128 wrote to memory of 1924	3128	msedge.exe	103
PID 3128 wrote to memory of 1924	3128	msedge.exe	103
PID 3128 wrote to memory of 1924	3128	msedge.exe	103

C:\Users\Admin\AppData\Local\Temp\0025df71fe55e30ec68227c6b3b938e1.exe
"C:\Users\Admin\AppData\Local\Temp\0025df71fe55e30ec68227c6b3b938e1.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 384 -s 388
  2⤵
  - Program crash
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/watch?v=FvCdqOQZQuk
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8bc3a46f8,0x7ff8bc3a4708,0x7ff8bc3a4718
    3⤵
    PID:4104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,9985547833626774291,16426333193306434221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,9985547833626774291,16426333193306434221,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
    3⤵
    PID:220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,9985547833626774291,16426333193306434221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
    3⤵
    PID:1924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,9985547833626774291,16426333193306434221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
    3⤵
    PID:3860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,9985547833626774291,16426333193306434221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
    3⤵
    PID:4316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,9985547833626774291,16426333193306434221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
    3⤵
    PID:1232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,9985547833626774291,16426333193306434221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
    3⤵
    PID:2276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2188,9985547833626774291,16426333193306434221,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5508 /prefetch:8
    3⤵
    PID:4580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,9985547833626774291,16426333193306434221,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
    3⤵
    PID:6084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,9985547833626774291,16426333193306434221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
    3⤵
    PID:6076
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,9985547833626774291,16426333193306434221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:8
    3⤵
    PID:404
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,9985547833626774291,16426333193306434221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,9985547833626774291,16426333193306434221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
    3⤵
    PID:5280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,9985547833626774291,16426333193306434221,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:1
    3⤵
    PID:5400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,9985547833626774291,16426333193306434221,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4284 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 384 -ip 384
1⤵
PID:2956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2288

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4bc 0x49c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7a5862a0ca86c0a4e8e0b30261858e1f

SHA1
ee490d28e155806d255e0f17be72509be750bf97

SHA256
92b4c004a9ec97ccf7a19955926982bac099f3b438cd46063bb9bf5ac7814a4b

SHA512
0089df12ed908b4925ba838e07128987afe1c9235097b62855122a03ca6d34d7c75fe4c30e68581c946b77252e7edf1dd66481e20c0a9cccd37e0a4fe4f0a6fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
65cf4a331ce686e754ab7012c727ef29

SHA1
d1b67c2f7220ca30c83480a95a656559a916d420

SHA256
a708c723035341e9efc53589b08c80e85bdd3dac6762e1e40a5cce5efe18c328

SHA512
652ad8101396c2b058205e6938968e5e4bf3969425af06d9dba6be6321e496ba7daaba071f351cfbe9e13c4dc2d5b8a814d453417f60cc9009fcdf29bd664193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
31c459b98f7fc41a8e9b6b67aa915067

SHA1
4d9da95bdabf2d04043183746885fdb1ad839cf3

SHA256
c8bd28239a179e25d522d8e8b694e64768a7a5f77975a8a5318dd6e3238ce36e

SHA512
01f79d3dc6faa59a74a48848e8e50b8c3f98aec3bc2e9e90430824a3d2b54dd0ceabd9f0b15023b60807ae5f85bac250bfbf9917b6009676eee40f582af68703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
68638d9e2131f7d6d5d7add7cb61d6e9

SHA1
7edbde5210dfc28791ee1c2f4b97629814f007b5

SHA256
ce2cd63382e78158efb83b08ae724d59a8e9991c8ea1fd62c771fdeaf5bf4057

SHA512
c60d5e1581649909298812c9d753eff3eee67eac57e1459b9d52bd5efd09cedc9f1273dee15d2fcadc18aab150e0da6e3e825c93c456b6fd78ba152495e4276d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
aa529631a5a4da20fefb136fa480050f

SHA1
53e4ea4dc65644edc0ca11f8f347571f5563a071

SHA256
ca4cd1956fcaee8952edc0f17ba4b029dac0ab34238e848a834242490275d059

SHA512
bae6c32420029723d2caf09dc4188a0d41f24b7b89aecd5c0975539c3a11a261fb4ce2ba5d6429ada338b1442f01374f90b4198ada7068c84811cbaa6def77e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c647cc3652aca81db249f48e280602a9

SHA1
720be2df1f3b92500f93166d5b0e5f1a57f03b20

SHA256
2b390b961acf6248cb55903a685ac62512ef84235a3fbe0a423c1e3e5c5efa4a

SHA512
9f6d604623f04c2b4a905f26665b6c87f481ed8f639e1147a3a6047c83790aa07f32b700e60ddb1072c6f279586758490231a249e38c20a98d74de9386be9f35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d501655e71ab066b57526c7e4e0ba246

SHA1
8244fc070f108d3b1de4e57b993298d9ec2da64d

SHA256
e4dbc2b58e250cb9ebdbc15ff3db97c3a07c3e83d7e1656c9a96e086fab13d9d

SHA512
2ace2b55fe4da90a1e047f8295c5042f423d4401304fe7cc97fd60bb44d8bdf14ae76ba2a7511e1a22e2776697e83e47a149d08ddfaba1d8a93ccb7529688fff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
52826cef6409f67b78148b75e442b5ea

SHA1
a675db110aae767f5910511751cc3992cddcc393

SHA256
98fc43994599573e7181c849e5865f23b4f05f85c1115dff53c58764d80373fb

SHA512
f18df18cab6b5ecd71b79c81a2a1fdac42cc9960f62f06ac25f4d6487792705f2766ee3a10239eaac940d090186e6bc820e4eb7a5ee138f6e5c1c64f951b960c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\0b6dcc3c-28b7-4e8e-8e93-f9c441a213de\index-dir\the-real-index

Filesize
2KB

MD5
a6fe1658e257881bacb89e3205b246e9

SHA1
253fc89d26a70c4a97639e038081c1504947546c

SHA256
326fab309d9be81af2fcd084d6e2a3cfb5a2676f39c5519edacbc72deb3c5944

SHA512
1dec4c0b0fad40fdd0235f9bf0cff8410762bdcf1a3aa6b7e78aeb9da58ae03a9b7696111ed1ee4cc938f0c737c3b57b3dba4e5814db6951bd0822d21780c89c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\0b6dcc3c-28b7-4e8e-8e93-f9c441a213de\index-dir\the-real-index~RFe589a28.TMP

Filesize
48B

MD5
4ad167fb7709ddaf75709b6ae3395fe0

SHA1
d765c8391b75248af9c403c3c977dff0bf31a53c

SHA256
9f418b87bcbf9fc8984ec4d2cb1a81106506093719738d0bb9e87c29c2dd17a5

SHA512
4d192fd43eb92f0e16796cdf4539c92d968458e152ab2d19cb1f9bba9cf1e2aa8ef8ef25c6f1331a0c491c67c1e2c6fe8011b2ea22d932b1fbe70e24fd8953a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
e7cc3c3e18706eaa3af60dc98fc56a3a

SHA1
844ff48f02182570c7d448a91abd82df799a2128

SHA256
acdbfea73294cd56595375d0379894ac71291ba955066bea56053a4e6f03b658

SHA512
cca382e3d15f36463b76181ad75b292f4b269909985d6c1f71500881fb20321d1949205a0ed0a3a284a65d3dc0c28bd81029b7762e957d6219e4347044e4dcaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
b6969e6c32ef43d7e9f9d80caa47f3f6

SHA1
ab1cab76f1803d01c38103b94af1cba5b79e5d20

SHA256
57d11bde04bd53ce0fe88b5c5a34937f90d6120db13eebb098b76432b2ab087c

SHA512
9b47b5577ba8777858d88f9290f524a43a422cebcaf0301fdaddde2394e0cd7cba6770cc81b93121bd1aaab96322dfcd8ef7c01299e3f575132d500fbab58a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
f00de424f20c70b80d55c6f59f9649d2

SHA1
df2b09b12626b768e62ce898e112428841221a70

SHA256
ca655aaa409a9f7682dfd5cac51a55404db7c12ae271ec63d23f7fc518b568e6

SHA512
210ff15dc4aa10febf3f06dde6461b80412f0b9c07a3f7699d937d181e9757887c20d1997b32ee85476067d600fd327bcf9a12d1eafc6609d5f4671eb9cf6c75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57cd04.TMP

Filesize
89B

MD5
c69bec6fa5f681cae6f929745d616893

SHA1
b2320522a93ed1c25d68cca6994cab4570827e8b

SHA256
ca910cdaf79eb88065b157380e1b134f585dd0830288a80ebb4e6f27e45e0b37

SHA512
28926ab2540c7c5771bfc2b4a1f34ca61692f3d7c71e1fa755d5568ffb3285f61b362d9d8cc46cffb0c4a91c78e70c44f3a4f0e5e8246925768c17be63a977d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
40cd8687bf4ea1a196e141e1e1fb0440

SHA1
91edc67d66bd08c453a3b6452f035b4393186417

SHA256
2ef27b95fa228279d4ebc37d3010db3e4d502c398d2c8342b040e5a1987e2b62

SHA512
8cb4f45ba5a8d4a1b47606224883ff9f5c1a3cbb5904db64a9fce35fd6a9f92bb2f7c5c88017f6ad8a8554dc4315aa990796799955d6ea77563a0f6465ae9138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5839b8.TMP

Filesize
48B

MD5
2d05f1f44aafacb7a8336fa935c56a64

SHA1
3ac09f8472051ccde629b63818de41a341296c92

SHA256
3f13381048eae8ea031156de9c27417b3a2e671d74e45359f0146819ed5ced96

SHA512
455ef72105b90ec998c13d5f38b2aa045e2de40c83ab3cfe2b039d3fa717bc6960513804d725216cdab1cf6fe0b6ee423baa4fc27ce5b3bb91d98051af9839e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
ad853f185b7cdd08b76a598ff08ce7e6

SHA1
0021f05e3ed28cdd5bf5a2c5c63a5a8212d12589

SHA256
910c876087f134ad6c210e5e36605be0857904884adad648808ea499bcf4314e

SHA512
454353422aa8622361639bb3e6553e3bdcd6c6725e5f6f7a9348483d733dedb851236486855c340edf89b23bc48bb27ca04ae836cdccab2dc6ea33e4ca14afc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
2ec312939050f3484313bda6375fd220

SHA1
b07de90cc50622566e33b9b8f10bd1c15f90bd2e

SHA256
ce1dbf5390ac4619d2dfdbb51f4053651dde3955b8738ceb5e98aeb862a3e59a

SHA512
bddeb366e3c9017f6e0a80b1bc0125631211fdffd9a553f6bc3ae54e78ac52346fc94ba34ec9122d20d2b7027598b8df127f14ce41e6811bf4c3d0838ea62d54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58310e.TMP

Filesize
539B

MD5
1cc6dcb3786d5d239a54ef4750a2564e

SHA1
e398f0ceff98b03d2f14381539999513076a34a7

SHA256
9ef520e4ae4983eabfef3874208d91bdb29a8a7c9739ceb0c54034bfc06091f9

SHA512
8d7a492de5761acd3efeb6e1ca6e6e90f2b2f0125ad2935441b62a33d4d02763316e360f07a23001c3128a73c84cb22d380b9d322c3074b90598e14ec50234bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
542e468a47d2773ebf13b334e7ebfa94

SHA1
daa0e2f8165f7cbbb8ae052e23b4bcacc8d1defb

SHA256
6206bcd8e7cc22808d2e4c9c44f670ac76259be36ece122636618daf96f2c58f

SHA512
f4a1c228ef397183d107d99c2160e73bf4c595de97d33f103fcbfae8a165cf0ee664c7fcfc497c4425c12ddb3e5a6303025b1c29414f53609c099e1b1ee6c64b

Download Submit
memory/384-3-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/384-7-0x00000000005B0000-0x00000000005F6000-memory.dmp

Filesize
280KB

Download
memory/384-2-0x00000000005B0000-0x00000000005F6000-memory.dmp

Filesize
280KB

Download
memory/384-0-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/384-6-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download