hxxps://www[.]mediafire[.]com/file/wxbl5tk88yw38yo/autotexture[.]exe/file

Analysis

max time kernel
56s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 21:31

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://www.mediafire.com/file/wxbl5tk88yw38yo/autotexture.exe/file

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 356673.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1204	msedge.exe
1204	msedge.exe
4320	msedge.exe
4320	msedge.exe
5728	identity_helper.exe
5728	identity_helper.exe
5320	msedge.exe
5320	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4320	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3316	shutdown.exe
Token: SeRemoteShutdownPrivilege	3316	shutdown.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4320	msedge.exe
1140	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 3860	4320	msedge.exe	83
PID 4320 wrote to memory of 3860	4320	msedge.exe	83
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 4720	4320	msedge.exe	84
PID 4320 wrote to memory of 1204	4320	msedge.exe	85
PID 4320 wrote to memory of 1204	4320	msedge.exe	85
PID 4320 wrote to memory of 2572	4320	msedge.exe	86
PID 4320 wrote to memory of 2572	4320	msedge.exe	86
PID 4320 wrote to memory of 2572	4320	msedge.exe	86
PID 4320 wrote to memory of 2572	4320	msedge.exe	86
PID 4320 wrote to memory of 2572	4320	msedge.exe	86
PID 4320 wrote to memory of 2572	4320	msedge.exe	86
PID 4320 wrote to memory of 2572	4320	msedge.exe	86
PID 4320 wrote to memory of 2572	4320	msedge.exe	86
PID 4320 wrote to memory of 2572	4320	msedge.exe	86
PID 4320 wrote to memory of 2572	4320	msedge.exe	86
PID 4320 wrote to memory of 2572	4320	msedge.exe	86
PID 4320 wrote to memory of 2572	4320	msedge.exe	86
PID 4320 wrote to memory of 2572	4320	msedge.exe	86
PID 4320 wrote to memory of 2572	4320	msedge.exe	86
PID 4320 wrote to memory of 2572	4320	msedge.exe	86
PID 4320 wrote to memory of 2572	4320	msedge.exe	86
PID 4320 wrote to memory of 2572	4320	msedge.exe	86
PID 4320 wrote to memory of 2572	4320	msedge.exe	86
PID 4320 wrote to memory of 2572	4320	msedge.exe	86
PID 4320 wrote to memory of 2572	4320	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/wxbl5tk88yw38yo/autotexture.exe/file
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff8c3c46f8,0x7fff8c3c4708,0x7fff8c3c4718
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,17086884511639722740,5374895247852070185,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,17086884511639722740,5374895247852070185,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,17086884511639722740,5374895247852070185,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17086884511639722740,5374895247852070185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17086884511639722740,5374895247852070185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17086884511639722740,5374895247852070185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17086884511639722740,5374895247852070185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17086884511639722740,5374895247852070185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17086884511639722740,5374895247852070185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17086884511639722740,5374895247852070185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17086884511639722740,5374895247852070185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17086884511639722740,5374895247852070185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17086884511639722740,5374895247852070185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2000,17086884511639722740,5374895247852070185,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6192 /prefetch:8
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17086884511639722740,5374895247852070185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17086884511639722740,5374895247852070185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17086884511639722740,5374895247852070185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,17086884511639722740,5374895247852070185,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2000,17086884511639722740,5374895247852070185,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7256 /prefetch:8
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,17086884511639722740,5374895247852070185,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7752 /prefetch:8
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,17086884511639722740,5374895247852070185,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7752 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2000,17086884511639722740,5374895247852070185,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7280 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1496

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\autotexture.bat" "
1⤵
PID:2628
- C:\Windows\system32\shutdown.exe
  shutdown.exe -s -t 3 -c "You got a Virus"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3316

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3901055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2b1465a47b5e58250edea55afe7c9b6d

SHA1
dba054a4dad313d47cd3bb68f2c4f86429b6e39a

SHA256
49a13783defa054bd04879bfad9dd2920aebca78fe72be206cd4ccd88b63f1ab

SHA512
0b9604e42c27e6bdf64af55aa0376009faf57e79daf890bbf430e3b53ffc21c5b313456d974270532da453fa1dab5503027a0bbbf9698f8e6266adc1e0003a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
9f8e8c3670aecefa2fb7be12269d138c

SHA1
2463cca9c784e488e2f247e13ff752763e3b376e

SHA256
21d66f07f185dd2410f5e033d6a210033eefc605919cb7a64d7415c7d9b81ab7

SHA512
ea831e330655a81492e37134cd524fe995dc7b48eb5a3b9848cc3e5e5111ed290f37d02b7828289da4c4373e9ff913be9b34543ba29cfae22691ed3cce43bfff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
06eedb80cd2bb4d6dd27a6e9de880c77

SHA1
8b2dee65ef22902ef2df3e70737d0d901aed4e77

SHA256
216dd1ec71c1c14f2da9e7a417e40c7face3a6b57a22babd814b478cb4927787

SHA512
bb47b5c106d9ccb062a334b7f0cb0c36c5b439eaf99b0b997f444964822521239672bca0be4c08af19828afe8c655bfc8e086f907c7005c88ef138be96834089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
2b7cacfd7db807b6e838e88414d904a1

SHA1
da8074f073968d4eaffdd246999a529709d7ae0e

SHA256
a71b81c0b4372781fe8961ff3e1dec453e0e1f38c9adc71b039b8d37844d29c2

SHA512
064687a3afc50d7eb7890e119a14bfa13b29cd6aef90e26025a045e6cfec871dd1e73efbd0e15e5b7f2bfd35e02fabcac94ceefa5240347c0796f5d9709b7416

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
e0634aad7f7fa46b50d63e6e9e457bb7

SHA1
55f1ae87ddfc38c6bb62c401b066d17036a6e5cb

SHA256
e0cdfe2360420817cd3009c5e4046db12e551dd82067066c532fe13805fe7575

SHA512
a54bd45fcaefd1027d38237ca1de32db17590846174f158f8b930d0b87345b600592a3a50ba061d65712cf2e44d5bdd8f37fbafb19415cd50f5fb4d0d500b695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c69d27b89e6b55b23e11b30c51b1cbfd

SHA1
5e201281cbd0efb4925cd35135865b5c14106392

SHA256
561b017333ba6cb7d9894c267ee7f0695520c205f4a1f89eb9aa6136495a5a23

SHA512
09663a42735ef0b4ecdeb74b483d625c87e9c6c6743ba6990bcadc11b74fb1d6f44a47607102dcc64e33554c102183b9bfed63cd662e8b34cd807eb147a88c93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
504c248a49f1aebb13ef48d55e3e4d65

SHA1
f9d8195cac199743e48216c160b43c11f760968c

SHA256
644744ca72ac2dab3b3c8c49a1e9820fc15b52109380dc02700af61af60e6a73

SHA512
b6843d9f67a133701c312f36933a8d520ee955ac076aac392aae4de9069f3d15bb93f29c39b293ebcff2c260aa2aed15390f6c864f017e3ecb10a44ca28ad22a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 356673.crdownload

Filesize
41B

MD5
f614a11656674561a49a529cb4223e7e

SHA1
2f68f76932ff4643e4cc17332d9d374e4e8e0d96

SHA256
2d4a5d0e7bb4d1a5d675a14e9386f5e153903ce63e03e3c031f6bbb6068ff7c8

SHA512
86ee8b6fdb9c19b47e2ea048defaf2dbaa0a56cf6380ff4d19bb7d72b8e359b5df12151e666ed08747ed87a9a8ee019cc6424e5797228f4d9e1b07d52266aff4

Download Submit