faca9623e7841c5634c17b56fa17d50a3c86eb9d2302b418563e3d26601343d3

Analysis

max time kernel
1868s
max time network
1870s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

_five-nuker-contents-dir/api-ms-win-core-synch-l1-1-0.dll
Size

16KB
MD5

48ecbb112f1f1a8e74a18ea760478ceb
SHA1

b39bf955a5988abc26b04f5987b642caab781bff
SHA256

46b06d95648802953ab4cf26aea89ea52bf2085c2d4f44381cf36d053fef44ca
SHA512

90d16242754780009645677d419a41050bf67d5c75a76ae1792a36dfe2357ac413c2a2281dddb2cd7dc110865082c7dc4f81035785f469730f45720dcedcf8f4
SSDEEP

384:Idv3V0dfpkXc0vVaOW2hWlZZSf+VIYi+veAM+o/8E9VF0NygM:Idv3VqpkXc0vVam2o/Yi+mAMxkEd

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3648	2280	WerFault.exe	141

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-523280732-2327480845-3730041215-1000\{5913A5E6-9E5F-44A8-A18E-212F533517C4}	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4784	vlc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2668	msedge.exe
2668	msedge.exe
2076	msedge.exe
2076	msedge.exe
3460	identity_helper.exe
3460	identity_helper.exe
3088	msedge.exe
3088	msedge.exe
512	msedge.exe
512	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4784	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3112	unregmp2.exe
Token: SeCreatePagefilePrivilege	3112	unregmp2.exe
Token: SeShutdownPrivilege	2280	wmplayer.exe
Token: SeCreatePagefilePrivilege	2280	wmplayer.exe
Token: 33	748	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	748	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2280	wmplayer.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
4784	vlc.exe
4784	vlc.exe
4784	vlc.exe
4784	vlc.exe
4784	vlc.exe
4784	vlc.exe
4784	vlc.exe
4784	vlc.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe
2076	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4784	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 3504	2076	msedge.exe	104
PID 2076 wrote to memory of 3504	2076	msedge.exe	104
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 4888	2076	msedge.exe	105
PID 2076 wrote to memory of 2668	2076	msedge.exe	106
PID 2076 wrote to memory of 2668	2076	msedge.exe	106
PID 2076 wrote to memory of 4932	2076	msedge.exe	107
PID 2076 wrote to memory of 4932	2076	msedge.exe	107
PID 2076 wrote to memory of 4932	2076	msedge.exe	107
PID 2076 wrote to memory of 4932	2076	msedge.exe	107
PID 2076 wrote to memory of 4932	2076	msedge.exe	107
PID 2076 wrote to memory of 4932	2076	msedge.exe	107
PID 2076 wrote to memory of 4932	2076	msedge.exe	107
PID 2076 wrote to memory of 4932	2076	msedge.exe	107
PID 2076 wrote to memory of 4932	2076	msedge.exe	107
PID 2076 wrote to memory of 4932	2076	msedge.exe	107
PID 2076 wrote to memory of 4932	2076	msedge.exe	107
PID 2076 wrote to memory of 4932	2076	msedge.exe	107
PID 2076 wrote to memory of 4932	2076	msedge.exe	107
PID 2076 wrote to memory of 4932	2076	msedge.exe	107
PID 2076 wrote to memory of 4932	2076	msedge.exe	107
PID 2076 wrote to memory of 4932	2076	msedge.exe	107
PID 2076 wrote to memory of 4932	2076	msedge.exe	107
PID 2076 wrote to memory of 4932	2076	msedge.exe	107
PID 2076 wrote to memory of 4932	2076	msedge.exe	107
PID 2076 wrote to memory of 4932	2076	msedge.exe	107

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\_five-nuker-contents-dir\api-ms-win-core-synch-l1-1-0.dll,#1
1⤵
PID:2432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff904ef46f8,0x7ff904ef4708,0x7ff904ef4718
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  PID:316
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6600 /prefetch:8
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,17021388198715196240,3617460172424961879,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6564 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:428

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2280
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4320
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3112
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1420
  2⤵
  - Program crash
  PID:3648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2280 -ip 2280
1⤵
PID:3204

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnblockShow.mid"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4784

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304 0x4b0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
48a9b49f25387d6a7990798aadb3d244

SHA1
7758d772d4f006d1be4762eacfa12fd64b69a4c8

SHA256
522afd3344e01eef0d7d8a5ace82a52a3cac54822baa3a376add3b95386c5cda

SHA512
95ba83ad5ac673e26146f138245ff47e0d5c73583235df5094e09ea4bcca6e9ab7a142de03a373da84f4505c9344efe418e6dba959b847df151d39d136448638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
399B

MD5
849b8486fcfd57511ac4fce3ead0b3b1

SHA1
83c112facd1a312c4c3959bf5eb5f5a08a8c4895

SHA256
a6b978fc1e4c59ce98799be5843aed5d54e3cd87678850f3b0c5c73e609672c1

SHA512
a1e14aadb908d81f47cfe20abe292713aea72fdca7c2a8915590f974dc0529e940feb8a5fe9f8a1f2f2ac62f476fb2ae2f5a8f140cc72e6c560257ba848173df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3f7c20d24cdad9d5986a1186612cd1d2

SHA1
7b6c544411751b280d731c98971ddeb440c9a9fa

SHA256
ce6c226d520a0f5dd06f21b6b3cedbdbb7ae14ffc431c757089528ff3210913f

SHA512
a5859c5bd01906a8cb6d1425f068dad4ba815995911c36cb4d55e47085d1a0c09b2505bd16f31e2a13a4489c50f117449af26f4f6fca3ef9f04f19d735ed531d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
74a2b9d30c2f0317f9dca60b72b689de

SHA1
4a7a9c90e386507b240618f9b9ebb878cdcc42bf

SHA256
4fdd792c0a1d7ce68528b5ac415f2e7cd3ba1bd4cc74fc733d267db98945ed57

SHA512
f208d056e64e9e00adad90f89d0d390a1c76035ee13550649c0b221d98bcf21f38b1d9b4588da26aeb2386cbe1e41983638a5750071212c0b824734c498dd647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
609f7f07202936aaa673a66252c8d092

SHA1
a0ea8ddf2c5048578fdf385c883e031ed583c27d

SHA256
50cefcf7180321e061f122e6c11bb88090314f8efaeffbe1fa8c444764df93ac

SHA512
4556d46733289e2c86d77fb5396e1593fa4ea15cf693721c997140443186c74cb6db4f5227ad1f87e413eabd583b1c75374cd926555baece872c7e0118d0a47a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b9e0fddee639441d1a409ef3229c2752

SHA1
ecc4b65641682fbf6755f25abefc331ef17e6a8d

SHA256
49806e31182de95e2b1d0f8e62b3bc39616e1c4522790a68f070d06684baa6c6

SHA512
a8e9775fb3dfdbceddacd2c6a2ec8cfc01f5c86852de5045ff2a256073861a2dfaf61b74d141836af8a963e51867e42a22391ad2a352cfeb6a2b5941ccad2702

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
485fe7ee028b2986204022e434097158

SHA1
1c43aaadca8a246e98d7f41fd122c134e2af8ea9

SHA256
bb180edb1d67974a2695c24f19d324f2d73bcdfcc07f89bfefb8d6e5ed15d9c7

SHA512
6f61fe6283cc4e71b26405806dbacec38b1024aa7378a7edf5cb3bcfafc64fd3bd751e68d66a7d9b4bf2f76443d77e3523d1d4685ee2238aec697d10b2300b8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a72f24462681dd42158eeee6031083ad

SHA1
0bc1cfab1f0457cb81b66673b438cf6b6f8788c5

SHA256
cdc71a333de84e2cea09779a391a43ce40c98d7a08f70a7873304bc7d84865fe

SHA512
6709bd66cc17e7da088b9bb228d2992f09a2c283240a39501c5c18d8ec88cae551e5ba97b271d719f910032451778f25e7ea9ad4f4b61ade376b5600c300bbd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
82afb9dc5e51ad3b2c1695ddf9bf4881

SHA1
c3867fb6cbc2932fa81474ec93e77e7be25d976f

SHA256
a2e9a26e9b0038253f615c78447fe1cc3c3856d54112a5d00f30711acd33e259

SHA512
4086d2136ccbe84bff7295aa20f4c6e367403ef34e6900ae69901bf264904cc8747472aabf76701d9febef9872ad9890e94c98c724ffdef68b99f3f0bad2abf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
286209d901a8b2d3a3bfed6ad9de175a

SHA1
fef15ba661f8ee1d1f0db22d27e762e24f63dff7

SHA256
51229d26f1e3d79890d8b5199b2d206ce12016306083a86167de2e641111c511

SHA512
377c20ab791b1184890f8a03962a2107bebd4220c6cf16c098dbbdd9e683f39060861bb96473f1551877f7f9ed5b7bade0f8161c208c2b03f94e025daed59ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
227d11d156f956b8b49aa2516572697b

SHA1
8f9985d4f814e8a72652c2bdf06bad2423a52a45

SHA256
86dcc877315c63befb0fa9618ed64e6265cb6ad6ca96103b7c5173eb77f8fd77

SHA512
b2ba94448aa8250c428c535a00f20ce9de1ce3658865c951cef32d4163db0509d026e10639618a682090326d5f1257721aca73933408df53f1dd3635425eed62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
62303b75a44f72371956015bd6f280f0

SHA1
3220831653bb63b61036185d19ff446629941531

SHA256
22a579ee28455fe46d6270ede35db57a44329c44e9ee0e899bfc9215c46774d9

SHA512
77f3f6a4f74483c441d76d2a396040aa01f70cfbe3fb9065e580fc1b0868e3377c25297699005dbab8ef98ebe8818ab2e95c694decdb6daf8faefa38748b92d8

Download Submit
memory/4784-313-0x00007FF8F31F0000-0x00007FF8F34A6000-memory.dmp

Filesize
2.7MB

Download
memory/4784-322-0x00007FF8F17D0000-0x00007FF8F2880000-memory.dmp

Filesize
16.7MB

Download
memory/4784-319-0x00007FF8F3820000-0x00007FF8F383D000-memory.dmp

Filesize
116KB

Download
memory/4784-311-0x00007FF64F6D0000-0x00007FF64F7C8000-memory.dmp

Filesize
992KB

Download
memory/4784-318-0x00007FF8F3840000-0x00007FF8F3851000-memory.dmp

Filesize
68KB

Download
memory/4784-321-0x00007FF8F2880000-0x00007FF8F2A8B000-memory.dmp

Filesize
2.0MB

Download
memory/4784-317-0x00007FF8F3860000-0x00007FF8F3877000-memory.dmp

Filesize
92KB

Download
memory/4784-316-0x00007FF8F6FC0000-0x00007FF8F6FD1000-memory.dmp

Filesize
68KB

Download
memory/4784-315-0x00007FF8FDD90000-0x00007FF8FDDA7000-memory.dmp

Filesize
92KB

Download
memory/4784-314-0x00007FF9035A0000-0x00007FF9035B8000-memory.dmp

Filesize
96KB

Download
memory/4784-328-0x00007FF8F1770000-0x00007FF8F1781000-memory.dmp

Filesize
68KB

Download
memory/4784-330-0x00007FF8F0FC0000-0x00007FF8F1058000-memory.dmp

Filesize
608KB

Download
memory/4784-329-0x0000021F06790000-0x0000021F068CB000-memory.dmp

Filesize
1.2MB

Download
memory/4784-320-0x00007FF8F3800000-0x00007FF8F3811000-memory.dmp

Filesize
68KB

Download
memory/4784-327-0x00007FF8F1790000-0x00007FF8F17A1000-memory.dmp

Filesize
68KB

Download
memory/4784-326-0x00007FF8F17B0000-0x00007FF8F17C1000-memory.dmp

Filesize
68KB

Download
memory/4784-324-0x00007FF8F36E0000-0x00007FF8F3701000-memory.dmp

Filesize
132KB

Download
memory/4784-325-0x00007FF8F37E0000-0x00007FF8F37F8000-memory.dmp

Filesize
96KB

Download
memory/4784-323-0x00007FF8F3710000-0x00007FF8F3751000-memory.dmp

Filesize
260KB

Download
memory/4784-353-0x00007FF8F17D0000-0x00007FF8F2880000-memory.dmp

Filesize
16.7MB

Download
memory/4784-372-0x00007FF64F6D0000-0x00007FF64F7C8000-memory.dmp

Filesize
992KB

Download
memory/4784-373-0x00007FF8F3880000-0x00007FF8F38B4000-memory.dmp

Filesize
208KB

Download
memory/4784-374-0x00007FF8F31F0000-0x00007FF8F34A6000-memory.dmp

Filesize
2.7MB

Download
memory/4784-375-0x00007FF8F17D0000-0x00007FF8F2880000-memory.dmp

Filesize
16.7MB

Download
memory/4784-312-0x00007FF8F3880000-0x00007FF8F38B4000-memory.dmp

Filesize
208KB

Download