f24030cfa46860ada950c00c03ba7393a150be831494febb5ecdc582d94ecbea

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbfcedcf055c87a2b2fec8338bf38e37.exe
Size

172KB
MD5

bbfcedcf055c87a2b2fec8338bf38e37
SHA1

bb95e08195f4a2bd6f96c102e780466411a3b430
SHA256

f24030cfa46860ada950c00c03ba7393a150be831494febb5ecdc582d94ecbea
SHA512

305bc98eee38aed576332d2a30e88c25a24d7f48353c559c4a91bf66fcbed97acc4d2fcb976d31628f71da4d027d66d06047c508e1c9cae7be1a2d1533235dd9
SSDEEP

3072:u+IkccR2yKXbigsZg7BjCPZ5is8CmahFWCuOE3BlqIW:tV6bigt7BaLis95gC7ERlq

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wmplayer = "C:\\MessengerPlus\\mplayer2.exe"	bbfcedcf055c87a2b2fec8338bf38e37.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
312	3304	WerFault.exe	85

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Internet Explorer\Download	bbfcedcf055c87a2b2fec8338bf38e37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	bbfcedcf055c87a2b2fec8338bf38e37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "00000001"	bbfcedcf055c87a2b2fec8338bf38e37.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe
1964	msedge.exe
1964	msedge.exe
1092	msedge.exe
1092	msedge.exe
3728	identity_helper.exe
3728	identity_helper.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3304	bbfcedcf055c87a2b2fec8338bf38e37.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 1092	3304	bbfcedcf055c87a2b2fec8338bf38e37.exe	99
PID 3304 wrote to memory of 1092	3304	bbfcedcf055c87a2b2fec8338bf38e37.exe	99
PID 1092 wrote to memory of 404	1092	msedge.exe	100
PID 1092 wrote to memory of 404	1092	msedge.exe	100
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 112	1092	msedge.exe	101
PID 1092 wrote to memory of 1964	1092	msedge.exe	102
PID 1092 wrote to memory of 1964	1092	msedge.exe	102
PID 1092 wrote to memory of 4440	1092	msedge.exe	103
PID 1092 wrote to memory of 4440	1092	msedge.exe	103
PID 1092 wrote to memory of 4440	1092	msedge.exe	103
PID 1092 wrote to memory of 4440	1092	msedge.exe	103
PID 1092 wrote to memory of 4440	1092	msedge.exe	103
PID 1092 wrote to memory of 4440	1092	msedge.exe	103
PID 1092 wrote to memory of 4440	1092	msedge.exe	103
PID 1092 wrote to memory of 4440	1092	msedge.exe	103
PID 1092 wrote to memory of 4440	1092	msedge.exe	103
PID 1092 wrote to memory of 4440	1092	msedge.exe	103
PID 1092 wrote to memory of 4440	1092	msedge.exe	103
PID 1092 wrote to memory of 4440	1092	msedge.exe	103
PID 1092 wrote to memory of 4440	1092	msedge.exe	103
PID 1092 wrote to memory of 4440	1092	msedge.exe	103
PID 1092 wrote to memory of 4440	1092	msedge.exe	103
PID 1092 wrote to memory of 4440	1092	msedge.exe	103
PID 1092 wrote to memory of 4440	1092	msedge.exe	103
PID 1092 wrote to memory of 4440	1092	msedge.exe	103

C:\Users\Admin\AppData\Local\Temp\bbfcedcf055c87a2b2fec8338bf38e37.exe
"C:\Users\Admin\AppData\Local\Temp\bbfcedcf055c87a2b2fec8338bf38e37.exe"
1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 396
  2⤵
  - Program crash
  PID:312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/watch?v=FvCdqOQZQuk
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff868d846f8,0x7ff868d84708,0x7ff868d84718
    3⤵
    PID:404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,348935598821358730,3599316297033154898,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    3⤵
    PID:112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,348935598821358730,3599316297033154898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,348935598821358730,3599316297033154898,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
    3⤵
    PID:4440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,348935598821358730,3599316297033154898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    3⤵
    PID:1720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,348935598821358730,3599316297033154898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    3⤵
    PID:3920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,348935598821358730,3599316297033154898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
    3⤵
    PID:3832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,348935598821358730,3599316297033154898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
    3⤵
    PID:3668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2064,348935598821358730,3599316297033154898,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5260 /prefetch:8
    3⤵
    PID:1604
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,348935598821358730,3599316297033154898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
    3⤵
    PID:1040
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,348935598821358730,3599316297033154898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,348935598821358730,3599316297033154898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
    3⤵
    PID:3304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,348935598821358730,3599316297033154898,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
    3⤵
    PID:4904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,348935598821358730,3599316297033154898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
    3⤵
    PID:4760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,348935598821358730,3599316297033154898,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
    3⤵
    PID:1040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,348935598821358730,3599316297033154898,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4948 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3304 -ip 3304
1⤵
PID:1048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4936

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x2f4
1⤵
PID:516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c6aef82e50d05ffc0cf52a6c6d69c91

SHA1
c203efe5b45b0630fee7bd364fe7d63b769e2351

SHA256
d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32

SHA512
77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c6136bc98a5aedca2ea3004e9fbe67d

SHA1
74318d997f4c9c351eef86d040bc9b085ce1ad4f

SHA256
50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2

SHA512
2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
64ece68cc0f41ba211f8368b6ea97aa8

SHA1
0595094b82886fd9340048379afc232668b095bd

SHA256
c656902659246c380a73c72b27b0cb01b55e4f21188f021d2df1acb5af23b9c8

SHA512
646c94b244f9dd4de1e7d845df4fdb1a7b6733d4f04d80bee469ba013b98f8b900d7746e2df7320956945bed28b126ded0e8d7db7f711e12979d0b78423700d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
35976964c61f3d39be3a3eaf07c2c716

SHA1
7336fb31f0ba934903f38326c4624036a6d97ebe

SHA256
0681763820fffe67d50517214b118ed2a4993a1944ed457bc0eb90929247daba

SHA512
85f299746fd135b2dcd927bd914431a66cc4d2e91deaed8ea266c3c5a83239837b084234d245a9d904695dbdc8c4f603171a03448e87e5329cbdede5d49aba36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
f5ea076b4727343f73993fec1f62f7c8

SHA1
4f7bfc17f96abd126c78cf1aabdcf894e456e8fd

SHA256
6776a93737a7a2b63b5af4b9d3f9b7d5cd2e05fdfafdb052876adb764c84b4c7

SHA512
94a947985f31ec861d8c47822822150fff7ce4dec776fb9d344d4795d16a25ad4cc78ea01db939ebe2451a03e076c41311acad3674cf30d3ead316ed44713480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4f2f2aa6778655ab019352df7cb88b2b

SHA1
efca2bb1de6f160ba5d202de7790ef1bf9adbe3f

SHA256
a1f5a34fb686c205110db37a7736f663e6b26a1537ab83f8d37bc9e8536abb9b

SHA512
6a3ed2bcd9e8ea99456c47b1049efdfaf97836550dddedb945c09109aa74c066cb95eea86b6755ab00ff56488de29c4f13b358d3e8d89d64143b50252214c579

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9f8acd88d63c3d9982f1e12a13f1bccd

SHA1
86dd49a8d65238d7b7088ce29e3097612446e0ee

SHA256
1a138357679bd2ec3b00628474e9f1bb5eda0a5ba6854d1302f7af9dde25d256

SHA512
1489961447ffbee7cf91a904614a74e01689ad4c675aee053f9d61204cb6fe2fbb88b5f713b328059a200bc91f66758d34d993cc3b17bbaed439ff67d799ebe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\75594ce5-53f6-46ff-a717-7392c5733993\index-dir\the-real-index

Filesize
2KB

MD5
dc3991114a64df1852621afa40c01401

SHA1
556efb9c0796a607697f33095d8b8bd17d213a83

SHA256
c948e05d0a94ff59a4e2a67189b237299273b18503c6cfa87326c11b9d60c880

SHA512
9b2b3fb0b406f77365ebd161e4a59479647a911a9d7876ca185a2c521f510257baf06639413b436eecad6b9c119796baa1eddbda438a943eecffee7dba8ef05a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\75594ce5-53f6-46ff-a717-7392c5733993\index-dir\the-real-index~RFe580a8a.TMP

Filesize
48B

MD5
945904b234080a4629afaa853b575b7d

SHA1
ce8f66f5da8f02c6b5df4fcca15a03c992168475

SHA256
09df2d55112490593d9d6e44a27b7116028a18778a1f89a01275cbdf5d2839b0

SHA512
b72a516520461c923233859c6dcced9c75956933c7f8d205aca0edeb80d548e1c8acd83720166ccffefb0bebf0c3c10dfb6f91da6beb6ec79f507c96e218c3f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
1ada1c89cf1db46575f812461f02be7c

SHA1
0449b9cd5490dabaf23be0b24bcfa9b0a68d6fc9

SHA256
34e920926f9bf2351aa560cbeea34f63287807fd9dd18cf2a79663bfb9419346

SHA512
0634b44bffe36a2ac1ab30404ba5bb22a33bb737ec212ccf7f482043764038cfee9f08fdac705d349df0c81b81ff1054284d64485a42ae786b0cd5735a4e2c6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
773f3cd01ee9fa23a4fd0a414fd800d8

SHA1
21675c801ea70c21f39ec8ebb821cb3788d21736

SHA256
bddc5711b0b646c605c4f6e8718739cb5ea7da38a46844eeb6ae26a96e38622f

SHA512
a8e4ba072c15fd39f514c87a0f710288d1778af5dfa721c1cd4b767e1bf91250f0155293d67d270420abc48bdd3a24a1c85c4823921476630c7094734819c88f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
c30dc4adb5d97988fb3f397e2f9e5e1d

SHA1
c4552132bcbb6629b5b2312fd295bbee7b2afe7d

SHA256
678f98b838e6c54b2ab83b8c2ee0748996aafa657fdc94838e02d22d4a7b7b8d

SHA512
d8df201cb88f1ca393952d71940064a6c58f6299d43ec732e79ab83c89e44c5f1cd005db857df5a45f09c647ed4881a63da1f6f5611c39acaa8ac8e8551dffd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57afe7.TMP

Filesize
89B

MD5
b4b36cbd832c744a0e93b6e182bc4f75

SHA1
d0ab70a2f79fc77a85d30325ceeab1bd482300fd

SHA256
beff77efe9da01a6ebe404b98969f6fb2f980e9c4a9e34f5abf3e294edc2d368

SHA512
6b4bf0a77c52e11c5917bae5ce4d19c9b7a0f4fdfce2e569b8106f80ce45bc5ec623839410fe025428c9af41809185afbfc300cef26ae800a4acdbaa16771041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
63ee362153fcbd029ecb6cc1ffbd3421

SHA1
02dae32aaad2c34d42798aeb9f38d2fae5bf41e3

SHA256
8e34abab14a4c77004364078e7ab8c58783dd64aeafcbff17a2bf8e0c7fbaeb8

SHA512
16b8392342211fa4bbde6160ce056b971cc44a6e3d2d88e7e5878d2c1e24b1dd952afa0d55fd5071be2a1e0ffb0b38bfd157b3d19195fbcba8506d67dc76cfdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57fed2.TMP

Filesize
48B

MD5
f7f75490ca36d18f025603bca2bb9b22

SHA1
f8e297fc75db296bb77dfe261419264d5b953919

SHA256
8023cbd7318154daa3297ab9deaadafd191e85c60d510f77ae85bda05ef6f22a

SHA512
697803ef2967699ce4af26846d5d6352269495d9aa19d7b6fc9ae0d373fabe3addc1bf77d3da7a2043787b4a08848f798a4ada26e6188bac3acf242c3576efa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0055ce80e5124edda626496649c98835

SHA1
72848cea2d450e54bc91f41bf4a9bbb19990e306

SHA256
e8b71469370aaf56ffefe828173bad9aa0815a88fe673903fd7ea8d5d547a5e1

SHA512
f5babf5a9adf66fde35d19c1fe0604e0446835f89f3a4171b64b6c6bf2ec651dc62048de2e1ee196deb09543a78d7049a0453c26af1dd41b1334f1406adafb11

Download Submit
memory/3304-0-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3304-7-0x00000000005B0000-0x00000000005F6000-memory.dmp

Filesize
280KB

Download
memory/3304-6-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3304-3-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/3304-2-0x00000000005B0000-0x00000000005F6000-memory.dmp

Filesize
280KB

Download