7a88c3a591454677697d4b7555332397a660487f9ae477266d06227711ddab8e

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
Size

172KB
MD5

7c4a2880d6f3bd9d3bb287f5e34bdb83
SHA1

dd79742775d89c3aef92db1b8c98a37a40fb62ac
SHA256

7a88c3a591454677697d4b7555332397a660487f9ae477266d06227711ddab8e
SHA512

6fa0f6131ed0ec4f31284ad2fe7c19e891bd956aac3fb5e0519eb685d75184a6cc5fde5a56f8c0c73eb00e9eb173e4b2bbac18ef63f14c781b96b2d6918f3b99
SSDEEP

3072:8hbRBRLFGo18bXeU9EOR0vSdYS6Nt2V3GRipa3xhUEOro4svwDy:8hbvZ/1s/WatdeNpBxhIowD

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\mplayer2.exe"	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1788	5100	WerFault.exe	84

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Download	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
2868	msedge.exe
2868	msedge.exe
4340	msedge.exe
4340	msedge.exe
4388	identity_helper.exe
4388	identity_helper.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4500	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4500	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 4340	5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe	96
PID 5100 wrote to memory of 4340	5100	7c4a2880d6f3bd9d3bb287f5e34bdb83.exe	96
PID 4340 wrote to memory of 3664	4340	msedge.exe	97
PID 4340 wrote to memory of 3664	4340	msedge.exe	97
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 1932	4340	msedge.exe	99
PID 4340 wrote to memory of 2868	4340	msedge.exe	98
PID 4340 wrote to memory of 2868	4340	msedge.exe	98
PID 4340 wrote to memory of 2116	4340	msedge.exe	100
PID 4340 wrote to memory of 2116	4340	msedge.exe	100
PID 4340 wrote to memory of 2116	4340	msedge.exe	100
PID 4340 wrote to memory of 2116	4340	msedge.exe	100
PID 4340 wrote to memory of 2116	4340	msedge.exe	100
PID 4340 wrote to memory of 2116	4340	msedge.exe	100
PID 4340 wrote to memory of 2116	4340	msedge.exe	100
PID 4340 wrote to memory of 2116	4340	msedge.exe	100
PID 4340 wrote to memory of 2116	4340	msedge.exe	100
PID 4340 wrote to memory of 2116	4340	msedge.exe	100
PID 4340 wrote to memory of 2116	4340	msedge.exe	100
PID 4340 wrote to memory of 2116	4340	msedge.exe	100
PID 4340 wrote to memory of 2116	4340	msedge.exe	100
PID 4340 wrote to memory of 2116	4340	msedge.exe	100
PID 4340 wrote to memory of 2116	4340	msedge.exe	100
PID 4340 wrote to memory of 2116	4340	msedge.exe	100
PID 4340 wrote to memory of 2116	4340	msedge.exe	100
PID 4340 wrote to memory of 2116	4340	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\7c4a2880d6f3bd9d3bb287f5e34bdb83.exe
"C:\Users\Admin\AppData\Local\Temp\7c4a2880d6f3bd9d3bb287f5e34bdb83.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 388
  2⤵
  - Program crash
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/watch?v=FvCdqOQZQuk
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffbc49d46f8,0x7ffbc49d4708,0x7ffbc49d4718
    3⤵
    PID:3664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,3217819933124066269,12089918688228621599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,3217819933124066269,12089918688228621599,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
    3⤵
    PID:1932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,3217819933124066269,12089918688228621599,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:8
    3⤵
    PID:2116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3217819933124066269,12089918688228621599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    3⤵
    PID:2872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3217819933124066269,12089918688228621599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:4040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3217819933124066269,12089918688228621599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
    3⤵
    PID:2832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3217819933124066269,12089918688228621599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
    3⤵
    PID:5016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,3217819933124066269,12089918688228621599,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5276 /prefetch:8
    3⤵
    PID:2108
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,3217819933124066269,12089918688228621599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
    3⤵
    PID:1296
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,3217819933124066269,12089918688228621599,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3217819933124066269,12089918688228621599,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
    3⤵
    PID:444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3217819933124066269,12089918688228621599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
    3⤵
    PID:1484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3217819933124066269,12089918688228621599,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
    3⤵
    PID:2596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3217819933124066269,12089918688228621599,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
    3⤵
    PID:1212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,3217819933124066269,12089918688228621599,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5100 -ip 5100
1⤵
PID:4312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5100

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494 0x490
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d6e17218d9a99976d1a14c6f6944c96

SHA1
9e54a19d6c61d99ac8759c5f07b2f0d5faab447f

SHA256
32e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93

SHA512
3fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
2a419b901c5ac6835d5c3e3cdd9ac99f

SHA1
73a8ce1048907d2c0b59a3d5949b601c7f0f9873

SHA256
811d9f8ea13a26518aae5931832a3ea0012a6140693e5c823130d93a33170ff7

SHA512
da9365b3710a0829944c583e471f951523088523327127ae8e8aee1eb3c32ffb68ff4388ea61bc2b4e3c3c2eb661b0e63b1a396879d331a910b88429351ec494

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
a4e30a0d95ca4276a51c87033adb4cfb

SHA1
c86dac6df0c4a3fa926f55de0496900093854da7

SHA256
653e0f3987511a1bbc2965967793afdbe7ed0ca1d37ad2e49f49c742b81a09eb

SHA512
295d1abfc2d624156f6d6ed1cc8501811790f156908889969a2a9554cd688ca97c94dad945dbcf32ad8e467b8717f0e23d72e73706bef0054be49d4c4ef300bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
5bab75d5e31dc5e82bde4f042a8ee16c

SHA1
eaa1ffdc3c93cf0e11a72e053f7c7fe0e947b413

SHA256
e0cf353cfc04d9112fadbb5a5d45c74207f2655541cf8e1200fb9cfa7b528335

SHA512
89d28c84ad91ce6e61b9a91ce6835eab2014dc8b86cad66f9d78c59716edf5b5accbd909ed8664861894f4a8d9c8a1491ba575b5e3938f4a87fdddc304e94b78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
efa71bfc14ba34d9bc7c7a0dc8740c6e

SHA1
a28a3f10191cb899e9e0d8f524eaa20ed8291d34

SHA256
717cc308c64a83fd22386385465b0d42bdcf158380d7cd3f9ee5217d55e2878c

SHA512
0183b3a131878297edcb7431d8f8fb921f4f72951e5ba78c668c8935258e8bcb2586604319827c7b6be42adf528c266eb0638f79a8fe43fb67e771ab00f0855c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9eced1b8e6b74d5d805dc76ec45e2b8f

SHA1
3f9c07c579fa34842826eabc6d5a7f9171f41d67

SHA256
3e0b5357d4116a640efbb5dc3a15353597d4245281de82f745b0e7fa925019fe

SHA512
63fd135ee521b2b86e0f3b347aed0fe19e3336a8d6fe3755719942de60e31ffaf7fdf99a085b982000258c70c8fc49bfe8dc9458db48b7bcb78f879ff169aff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
c2ef1d773c3f6f230cedf469f7e34059

SHA1
e410764405adcfead3338c8d0b29371fd1a3f292

SHA256
185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521

SHA512
2ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\b426a89b-85fb-4afc-84b5-8841cc60a8c2\index-dir\the-real-index

Filesize
2KB

MD5
95d0834ca614083e9ec1a39b12c8b791

SHA1
6619c45ae2ffa843576553d19df40aabf753ac86

SHA256
1147601a70bfbf150fd97945904641e06c15bd50d3fb537926853860b8dc8003

SHA512
df2f70e6a984f65ac6e7b076d0ef1408b66be71d08f5f36696c8183ed51b7aad46e83a08e6112fd05da1d7bf520deb0b1d952d2d03aa8e2d7078f45153cd84f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\b426a89b-85fb-4afc-84b5-8841cc60a8c2\index-dir\the-real-index~RFe57cfc3.TMP

Filesize
48B

MD5
5ae4193fe685edc897a7e5224abf4ca3

SHA1
26203e7362c55d0a33346c0f58285c2cbf7c162b

SHA256
6a616a46191098bf023d5e4e53088f80df1356478f43afc93699ad0a5b8b294d

SHA512
d6c337dc7c2a3d430d1a483f2b8cfd322c6528240f05b1a94ace10904efa8db8c38725e7b259fd3c06e5d6b27fb60b2cc00bda0ba1d181d7b86a8b3b7f59c184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
a3016cebeb4c39d4cc1c354fee878110

SHA1
b6f304545b3a08894e3e42b44d7c0549a390d095

SHA256
a0ddf78fd5735245d4ffcf29925948aa310e2d0f3f63bb66b2f301627e638336

SHA512
5eb490827e90fb19cc5a7ae91c6a0ba63c98e225dba9c3b5b80881c4d5a8ff36990ad7fdd528595ac958739ce04ebaafd1daf6e32ed4049c1e99ed40130c1129

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
2a985031d1daa2b4644de06e9639928d

SHA1
060e5f9917d78dc319514bc8fd1ebcd6f149ab86

SHA256
5a38bfd41bc0fe2bffb00cc1c6163ade21d8ea99ea354388168cf37b5ad2fc6c

SHA512
0702bc544c334edcb5ea3acfcd7c36c87c4f5814733f7a045b630d19dfaeb0f662001e3229e1f4edffed8fee8866da4251bff87163497825e7cc6e9449a64f84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
103b255e39550a78fffde758c17855df

SHA1
4a39d0d11bf1cd5777fbbaed4037de505da79cb0

SHA256
c031268809734b2aac5541f5a7847e06df7dddb2e8cb177503ecc67f386ebf5f

SHA512
3a9813147401af5d99662632ab39fad920caae0d0c65042ac7368ea3e24f888e5a2c67edd79c8056b79e380841c7113188e3ec86c38ab76ae51261a88eed41e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe577ca2.TMP

Filesize
89B

MD5
70ed89eb00188ee10407e7487fcd9783

SHA1
3141ef3d7464f3753dd31a418215b82661a2a8ba

SHA256
2a5c948467ac35ca5c41e05b19d10092c99ab3ab28195794e9a4f135dd30d523

SHA512
4d2892b50aaf82e624326b6099f5e2e1cad3b29634445518d3fb27e353799365071b2fb1506a7c8c917d5df1b563971bab937ccd64fed348fc49dbfeea7f2298

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
647f7e4220185a5e0a21b979f84b13c6

SHA1
e3ccb407c58cbccb86871c1856b13b6c7f19402c

SHA256
2593a7d62a9f74311dc99bfa811b28f855f9cc8192a0b0cc243075239d72b766

SHA512
5028faf77280e3016e83da3f8ec752a0112d4fca56adc4552d45ab73bff8294f80d1b887eae1e3c1ab55df0a626a5b15da04d2b54bc70406e0768b1c634562b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57cbbc.TMP

Filesize
48B

MD5
fd9fb441e60177879920139013a55729

SHA1
1cf05e583692aa2b6645873c03e285e3a2021bc2

SHA256
eb26fd549ce1c91d7690b1a9f3bf8d77470ca828c31e793a4767db78585452ae

SHA512
ac3b4a6bd6060f42751efc0b1f10ddd5c3ec0b547f953fc2626348a78da02503fdd7e53beea2ae503ccd1789e5f610859065c0f6a873e9880cd8d1ccc3eef48f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f8f91e2017fad8b944bf7c3b3efd0022

SHA1
e643d1da71265f5726115a26938ab9d3f5fce06a

SHA256
dcbe8910fa489ccee3aa45e63089c623ac44ae76318cf90930011d37cfc5cea4

SHA512
1ec2e7c412b09947a94a0e0ac54fac2c0dbdcb0a8f270775a24358e4aa0684d0c734cb30e696d69ad91d4929b748f8ab387162c67a348d91d606d8e1ff4c3db2

Download Submit
memory/5100-0-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/5100-7-0x00000000005D0000-0x0000000000616000-memory.dmp

Filesize
280KB

Download
memory/5100-6-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/5100-3-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/5100-2-0x00000000005D0000-0x0000000000616000-memory.dmp

Filesize
280KB

Download