Analysis
- max time kernel: 231s
- max time network: 235s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-04-2024 14:30
Static task: static1
Behavioral task: behavioral1
- Sample: zvuk-zapuska-vindyi-na-polnuyu-gromkost-300-beregite-ushi.mp3
- Resource: win10v2004-20240412-en
Behavioral task: behavioral2
- Sample: zvuk-zapuska-vindyi-na-polnuyu-gromkost-300-beregite-ushi.mp3
- Resource: ubuntu1804-amd64-20240226-en
General
- Target: zvuk-zapuska-vindyi-na-polnuyu-gromkost-300-beregite-ushi.mp3
- Size: 122KB
- MD5: 04036f7c8deaf3a5e1a24c59cb9dc222
- SHA1: 609f633b9f941b28470a07476fab087e4057e7ca
- SHA256: bce8dce5992cc7449446b242c822089d0e2afb15eb1d9ecb88ddc81f9dc909da
- SHA512: 95facecfba70b1478c6380384b086b4006e07f8828f00c7c1cc8ebbf738a3fd4918aa33558c711bed82e1bb1ec47428967a2cdf59c141399bc2f6a094aaa14c5
- SSDEEP: 3072:QRmclzFNCYulIU5I0UKthAUVB4SNiR3vTMBaYyof+kzKa:Q4iFNelIU5teUVB4ciJAf+kz9
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: unregmp2.exe
  description | ioc | process
  File opened (read-only) | \??\E: | unregmp2.exe
  File opened (read-only) | \??\P: | unregmp2.exe
  File opened (read-only) | \??\U: | unregmp2.exe
  File opened (read-only) | \??\V: | unregmp2.exe
  File opened (read-only) | \??\Y: | unregmp2.exe
  File opened (read-only) | \??\H: | unregmp2.exe
  File opened (read-only) | \??\I: | unregmp2.exe
  File opened (read-only) | \??\J: | unregmp2.exe
  File opened (read-only) | \??\N: | unregmp2.exe
  File opened (read-only) | \??\X: | unregmp2.exe
  File opened (read-only) | \??\Z: | unregmp2.exe
  File opened (read-only) | \??\A: | unregmp2.exe
  File opened (read-only) | \??\B: | unregmp2.exe
  File opened (read-only) | \??\K: | unregmp2.exe
  File opened (read-only) | \??\Q: | unregmp2.exe
  File opened (read-only) | \??\R: | unregmp2.exe
  File opened (read-only) | \??\S: | unregmp2.exe
  File opened (read-only) | \??\T: | unregmp2.exe
  File opened (read-only) | \??\W: | unregmp2.exe
  File opened (read-only) | \??\G: | unregmp2.exe
  File opened (read-only) | \??\L: | unregmp2.exe
  File opened (read-only) | \??\M: | unregmp2.exe
  File opened (read-only) | \??\O: | unregmp2.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
- Modifies data under HKEY_USERS (15 IoCs)
  Processes: LogonUI.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "132" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: msedge.exe, msedge.exe, msedge.exe, identity_helper.exe
  pid | process
  1428 | msedge.exe
  1428 | msedge.exe
  3488 | msedge.exe
  3488 | msedge.exe
  5036 | msedge.exe
  5036 | msedge.exe
  5380 | identity_helper.exe
  5380 | identity_helper.exe
- Suspicious behavior: LoadsDriver (64 IoCs)
  Processes:
  pid | process (the report records only PIDs for these entries)
  5912 1860 4852 5584 3496 4748 5948 5952 3956 3420 6016 4072 6032 5968 5996 6040 6076 6092 6080 4348 6100 6132 208 6048 3492 4416 1876 6084 6104 3124 3076 4900 4772 6108 6116 1176 5248 2056 4196 3260 2360 4168 1736 4484 2020 1552 2572 4624 3172 5264 1460 5260 5284 5288 464 5348 5268 5372 5272 5476 5280 220 5364 5508
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  Processes: msedge.exe
  pid | process
  5036 | msedge.exe (4 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: unregmp2.exe
  description | pid | process
  Token: SeShutdownPrivilege | 1840 | unregmp2.exe
  Token: SeCreatePagefilePrivilege | 1840 | unregmp2.exe
- Suspicious use of FindShellTrayWindow (26 IoCs)
  Processes: msedge.exe
  pid | process
  5036 | msedge.exe (26 identical entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe
  pid | process
  5036 | msedge.exe (24 identical entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: PickerHost.exe, LogonUI.exe
  pid | process
  1780 | PickerHost.exe
  3164 | LogonUI.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: wmplayer.exe, unregmp2.exe, msedge.exe
  description | pid | process | target process
  PID 3288 wrote to memory of 3500 | 3288 | wmplayer.exe | setup_wm.exe (3 entries)
  PID 3288 wrote to memory of 4616 | 3288 | wmplayer.exe | unregmp2.exe (3 entries)
  PID 4616 wrote to memory of 1840 | 4616 | unregmp2.exe | unregmp2.exe (2 entries)
  PID 2320 wrote to memory of 3368 | 2320 | msedge.exe | msedge.exe (2 entries)
  PID 2320 wrote to memory of 872 | 2320 | msedge.exe | msedge.exe (40 entries)
  PID 2320 wrote to memory of 1428 | 2320 | msedge.exe | msedge.exe (2 entries)
  PID 2320 wrote to memory of 2432 | 2320 | msedge.exe | msedge.exe (12 entries)
Processes (process tree; indentation shows parent/child depth)
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\zvuk-zapuska-vindyi-na-polnuyu-gromkost-300-beregite-ushi.mp3"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Windows Media Player\setup_wm.exe
    "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\zvuk-zapuska-vindyi-na-polnuyu-gromkost-300-beregite-ushi.mp3"
  - C:\Windows\SysWOW64\unregmp2.exe
    "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\unregmp2.exe
      "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\DataExchangeHost.exe
  C:\Windows\System32\DataExchangeHost.exe -Embedding
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultd15d8a6bhccd4h4d3eh8ddah318d012b9b3c
  signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa359646f8,0x7ffa35964708,0x7ffa35964718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,4626368415529857309,6653889711331937645,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,4626368415529857309,6653889711331937645,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
    signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,4626368415529857309,6653889711331937645,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\PickerHost.exe
  C:\Windows\System32\PickerHost.exe -Embedding
  signatures: Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa359646f8,0x7ffa35964708,0x7ffa35964718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,2173678062074860560,16161142373068844351,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,2173678062074860560,16161142373068844351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
    signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,2173678062074860560,16161142373068844351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2173678062074860560,16161142373068844351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2173678062074860560,16161142373068844351,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2173678062074860560,16161142373068844351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,2173678062074860560,16161142373068844351,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,2173678062074860560,16161142373068844351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3476 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,2173678062074860560,16161142373068844351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3476 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x4 /state0:0xa3888055 /state1:0x41c64e6d
  signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: b6010372e09a8e794e6349c72531d740
  SHA1: 54737350bee230bd5c1c6761f0a8ecdc52ffa74b
  SHA256: 9ad4dd9ef57acea210d34276772cd53c9a44f5256785b6d114c1e4093e712d87
  SHA512: ac96bdfb99a189fb77cedfca9bb393e17f4e74e99869a2fc110e20b039632794cf8ef6955faddbde5ade045f75c04b2f9627900b696a4d2897cf04d5d03ca2e2
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 48cff1baabb24706967de3b0d6869906
  SHA1: b0cd54f587cd4c88e60556347930cb76991e6734
  SHA256: f6b5fbc610a71b3914753feb2bd4475a7c77d0d785cc36255bf93b3fe3ccb775
  SHA512: fd0c848f3f9de81aca81af999262f96ea4c1cd1d1f32d304f56c7382f3b1bb604e5fbe9f209ad6e4b38988d92357ef82e9668806d0727f2856c7dc1f07aae2b6
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 7b56675b54840d86d49bde5a1ff8af6a
  SHA1: fe70a1b85f88d60f3ba9fc7bb5f81fc41e150811
  SHA256: 86af7213f410df65d0937f4331f783160f30eaeb088e28a9eef461713b9a3929
  SHA512: 11fc61b83365391efee8084de5c2af7e064f0182b943a0db08d95a0f450d3877bde5b5e6a6b9f008e58b709bb1a34f7b50085c41927f091df1eea78f039402e9
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
  Filesize: 264KB
  MD5: 61e91e02e756fd638f8245c6daa44e12
  SHA1: b74b0718ca2852a7bd659cc2eb5d409f4e885f87
  SHA256: 62b2b35a69eec80e4d5e4bc4be531f1593307af0a3fbf19a7e01bd5990c7d3eb
  SHA512: 35a8ef2900b1e1c512e120123bd927c4922dde07a45fb866105cdabfa6e26d654798dc0128359b162b46252d1386ad42f4d512b0de31a05ee6e9f2630bdbee2c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
  Filesize: 331B
  MD5: 56f57310a73e8addd2cafab11fab2448
  SHA1: f25a87f91465f633fe51ce8af9030130db9ca8e0
  SHA256: 8f109bf357042256a7432593044bdfb9134f8fd56ef6d24f49c5aa918581b466
  SHA512: 090f35eba3a22c4481bfa2b05c11183e2a23661d56bca446de4bd9e4c1d9635bead89831bd10bcea2fc6ca14562d74e6765065e26128ac42e1f7b55020d034b1
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 7c3938dc48265d978a1b8631d680e352
  SHA1: d5274cfbc6f965f308e458c8fb7d1a979c8accdc
  SHA256: 501e02cff678a6129391f9ad75452d6efbbc32e5f78f57dea030faaf94b13192
  SHA512: 6504bd124919f42ad91422d857a5932e6b6c517283c05bd4a703f08b671a2b857ece5cc9e35c18f8100599afd9884eb40d69435cd4c85dc43e0c5d6f394c7c19
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 04935c48a48760d1434a2b3b6a3ef899
  SHA1: 310c3c5e542e5a711058402a8762ae15be2f170c
  SHA256: 41b2211d5ed40eb6cea9de69bd42999903e8b0399185c55ccbfe506dd339fa89
  SHA512: cf325457ac88b41c3a025578f373bcd746818a852f68fda7eb0221a67a0793d6bf495ba11d442e68faca8c114a420ab0e75dd08845f751749b3b14712bc50b64
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 18863cc754cd2f9f8fae4b5783cc7657
  SHA1: 1864b2469f77a4306d03948a6a5c73b69f121531
  SHA256: 78af51bc7998f92efc323c6d15c5285aec588e901d390e53adb4775361ce7462
  SHA512: 06c5a1a6548d46e2a222a0203c53961805fc17116ddd2dae0f1a3d1780560c475f90370de4403e6e39a69bd2d8477ddc1df0113c5a8a4e66a39f0c760560a61f
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
  Filesize: 350B
  MD5: f97554af15a547fbe7e2e335442d092c
  SHA1: 12da2906f8f2878ec599cec5d91cc772415d8e91
  SHA256: 2789ab347ff74432774f0a81a16061a1d6542e2b63830418926f3c058e83a44c
  SHA512: 08248d8d93623f819179a36d4899114a3b20fd865a7343f3724b5d98498ed6962962d196a079657bdbb274856701ad7c08d6473ba6c6a934b519c4c8fc1a0d1d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
  Filesize: 323B
  MD5: d700f21794add24ecb4c764aa62b2211
  SHA1: f7363ad665263e32734ec81cd6f4e62bcf423304
  SHA256: f655265bc4dd034f9ae37383763fb8147a81d6e0d015fff9cb098a6fbf665d65
  SHA512: e683d2b90d6f812d52ad2abc634c0330e9a6fce61417621da3c4a3f564435e4a87e33e059788f194fbf0fe9e4100fdb0a8249a8223a60e96f5549f55fdb58bfb
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
  Filesize: 11B
  MD5: 838a7b32aefb618130392bc7d006aa2e
  SHA1: 5159e0f18c9e68f0e75e2239875aa994847b8290
  SHA256: ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
  SHA512: 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 8KB
  MD5: 091e4f2c926d2d36b1880506947cf82a
  SHA1: c8f915cd5367bf66f3cf4874090e1f40bdc3d689
  SHA256: cfb9c0f543558b6d2e3ca374b722e6792257576fde5700742d45e5c29d012fc8
  SHA512: dc48e0b1bf68b681b491b8bcd31f56c6c47c2ebbd9e2d8c2a49c48be384b5d7347865de3444370e0aafce9cf5f131a9a856d71df0a22bb1c3a935cc904b19821
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: b9cfeec4a8e22a810d2d75a97a2bc9d3
  SHA1: 5e47a3144d4e5c6c41c372a8271f16add812d517
  SHA256: d991f69686c556d6f9794cbaec4f752e42af40ec29e34a5b194856b9125538cc
  SHA512: b4e179530403eee686a24c83a10feed3d3ca59287eddc4590c76584188a48790e58ca0a88faea7dcadc02c496ff988aefd706d9e1e29a65aa83e5235f4377a5d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
  Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
- C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
  Filesize: 256KB
  MD5: 563088ad0f20fabf9dd62c6ba8ae1636
  SHA1: f9cd2fd153afa1a12ff990cf27c32b8c9c44e878
  SHA256: eb897bf202d32f067728f1b666eb16e9926557efa8676b72db11411013030184
  SHA512: 8229dfb1d96b6a34b91b1e5c463833e7859331be880f585c48af1ba0ace0465ac755c7f22a9e6f30284266165f850e8f85af76157eea8136b2d6f79db02d3092
- C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
  Filesize: 9KB
  MD5: 7050d5ae8acfbe560fa11073fef8185d
  SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
  SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
  SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
- C:\Users\Admin\AppData\Local\Temp\wmsetup.log
  Filesize: 1KB
  MD5: 24739201e4181823285f128d634749f0
  SHA1: 09bb9586a8c4e3b198fb6f36ad640737162e37a7
  SHA256: 512fc00d9db121d16ab9d02892009c371f93e0027b925d6aea8dc6f4efde619e
  SHA512: 25acb160e074511f01a850eb9377c4d2fe9e267b8bc303a31acaffa028c3e436eb58088b8638c8173a6e84fd10246a1597a109528b74be527cd91df5af1b77b4
- \??\pipe\LOCAL\crashpad_2320_GVLTPCLYWGBICDCT
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e