b97fd5c260a812244120a8d3df6e8756fb0c74222a5e6197a2f440f6b59807e2

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FiveMods.exe
Size

158.2MB
MD5

e12c45583ac31a8afa96f24063171a26
SHA1

8f8c78887d588c26157db83d0bb134e65031360e
SHA256

66a71009df713a4c8bbb16f0b8df41c8de5a65ec49e06b18d43f5deac89abe0b
SHA512

953d104507dd89a1c108137d724f9cb59be408912ceaeea45fb4b42ff62065825b85305eed00c9eafcd192df73c8253add305488feb0e3bfc9ae69e1130d9b1d
SSDEEP

1572864:ybVZx8PLGKEULTQ9hm/C1tdUKYjgTwFoKnRQwsu/YfWXV/NiisGItlAdgAnEk0Hj:pvCqSkRmj

Score

6^/10

discovery execution

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
74	discord.com
78	discord.com

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	FiveMods.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	FiveMods.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	FiveMods.exe

Loads dropped DLL 3 IoCs

pid	Process
1176	FiveMods.exe
1176	FiveMods.exe
1176	FiveMods.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
728	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3828	ping.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\fivemods\shell\open\command	FiveMods.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\fivemods\shell	FiveMods.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\fivemods\shell\open	FiveMods.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\fivemods\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FiveMods.exe\" \"%1\""	FiveMods.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\fivemods	FiveMods.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\fivemods\URL Protocol	FiveMods.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\fivemods\ = "URL:fivemods"	FiveMods.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3828	ping.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4052	FiveMods.exe
4052	FiveMods.exe
4052	FiveMods.exe
4052	FiveMods.exe
4108	FiveMods.exe
4108	FiveMods.exe
4108	FiveMods.exe
4108	FiveMods.exe
728	powershell.exe
728	powershell.exe
3888	msedge.exe
3888	msedge.exe
4072	msedge.exe
4072	msedge.exe
2944	identity_helper.exe
2944	identity_helper.exe
1176	FiveMods.exe
1176	FiveMods.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1176	FiveMods.exe
Token: SeCreatePagefilePrivilege	1176	FiveMods.exe
Token: SeShutdownPrivilege	1176	FiveMods.exe
Token: SeCreatePagefilePrivilege	1176	FiveMods.exe
Token: SeShutdownPrivilege	1176	FiveMods.exe
Token: SeCreatePagefilePrivilege	1176	FiveMods.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeIncreaseQuotaPrivilege	728	powershell.exe
Token: SeSecurityPrivilege	728	powershell.exe
Token: SeTakeOwnershipPrivilege	728	powershell.exe
Token: SeLoadDriverPrivilege	728	powershell.exe
Token: SeSystemProfilePrivilege	728	powershell.exe
Token: SeSystemtimePrivilege	728	powershell.exe
Token: SeProfSingleProcessPrivilege	728	powershell.exe
Token: SeIncBasePriorityPrivilege	728	powershell.exe
Token: SeCreatePagefilePrivilege	728	powershell.exe
Token: SeBackupPrivilege	728	powershell.exe
Token: SeRestorePrivilege	728	powershell.exe
Token: SeShutdownPrivilege	728	powershell.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeSystemEnvironmentPrivilege	728	powershell.exe
Token: SeRemoteShutdownPrivilege	728	powershell.exe
Token: SeUndockPrivilege	728	powershell.exe
Token: SeManageVolumePrivilege	728	powershell.exe
Token: 33	728	powershell.exe
Token: 34	728	powershell.exe
Token: 35	728	powershell.exe
Token: 36	728	powershell.exe
Token: SeIncreaseQuotaPrivilege	728	powershell.exe
Token: SeSecurityPrivilege	728	powershell.exe
Token: SeTakeOwnershipPrivilege	728	powershell.exe
Token: SeLoadDriverPrivilege	728	powershell.exe
Token: SeSystemProfilePrivilege	728	powershell.exe
Token: SeSystemtimePrivilege	728	powershell.exe
Token: SeProfSingleProcessPrivilege	728	powershell.exe
Token: SeIncBasePriorityPrivilege	728	powershell.exe
Token: SeCreatePagefilePrivilege	728	powershell.exe
Token: SeBackupPrivilege	728	powershell.exe
Token: SeRestorePrivilege	728	powershell.exe
Token: SeShutdownPrivilege	728	powershell.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeSystemEnvironmentPrivilege	728	powershell.exe
Token: SeRemoteShutdownPrivilege	728	powershell.exe
Token: SeUndockPrivilege	728	powershell.exe
Token: SeManageVolumePrivilege	728	powershell.exe
Token: 33	728	powershell.exe
Token: 34	728	powershell.exe
Token: 35	728	powershell.exe
Token: 36	728	powershell.exe
Token: SeShutdownPrivilege	1176	FiveMods.exe
Token: SeCreatePagefilePrivilege	1176	FiveMods.exe
Token: SeIncreaseQuotaPrivilege	728	powershell.exe
Token: SeSecurityPrivilege	728	powershell.exe
Token: SeTakeOwnershipPrivilege	728	powershell.exe
Token: SeLoadDriverPrivilege	728	powershell.exe
Token: SeSystemProfilePrivilege	728	powershell.exe
Token: SeSystemtimePrivilege	728	powershell.exe
Token: SeProfSingleProcessPrivilege	728	powershell.exe
Token: SeIncBasePriorityPrivilege	728	powershell.exe
Token: SeCreatePagefilePrivilege	728	powershell.exe
Token: SeBackupPrivilege	728	powershell.exe
Token: SeRestorePrivilege	728	powershell.exe
Token: SeShutdownPrivilege	728	powershell.exe
Token: SeDebugPrivilege	728	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 1736	1176	FiveMods.exe	84
PID 1176 wrote to memory of 1736	1176	FiveMods.exe	84
PID 1736 wrote to memory of 4832	1736	cmd.exe	86
PID 1736 wrote to memory of 4832	1736	cmd.exe	86
PID 1176 wrote to memory of 4688	1176	FiveMods.exe	87
PID 1176 wrote to memory of 4688	1176	FiveMods.exe	87
PID 1176 wrote to memory of 4052	1176	FiveMods.exe	88
PID 1176 wrote to memory of 4052	1176	FiveMods.exe	88
PID 1176 wrote to memory of 3828	1176	FiveMods.exe	89
PID 1176 wrote to memory of 3828	1176	FiveMods.exe	89
PID 1176 wrote to memory of 4108	1176	FiveMods.exe	91
PID 1176 wrote to memory of 4108	1176	FiveMods.exe	91
PID 1176 wrote to memory of 2424	1176	FiveMods.exe	92
PID 1176 wrote to memory of 2424	1176	FiveMods.exe	92
PID 2424 wrote to memory of 728	2424	cmd.exe	94
PID 2424 wrote to memory of 728	2424	cmd.exe	94
PID 1176 wrote to memory of 4072	1176	FiveMods.exe	99
PID 1176 wrote to memory of 4072	1176	FiveMods.exe	99
PID 4072 wrote to memory of 4752	4072	msedge.exe	100
PID 4072 wrote to memory of 4752	4072	msedge.exe	100
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 2436	4072	msedge.exe	101
PID 4072 wrote to memory of 3888	4072	msedge.exe	102
PID 4072 wrote to memory of 3888	4072	msedge.exe	102
PID 4072 wrote to memory of 3008	4072	msedge.exe	103
PID 4072 wrote to memory of 3008	4072	msedge.exe	103

C:\Users\Admin\AppData\Local\Temp\FiveMods.exe
"C:\Users\Admin\AppData\Local\Temp\FiveMods.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:4832
- C:\Users\Admin\AppData\Local\Temp\FiveMods.exe
  "C:\Users\Admin\AppData\Local\Temp\FiveMods.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\FiveMods" --mojo-platform-channel-handle=2392 --field-trial-handle=2384,i,6973524651494719155,411902840580416904,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:4688
- C:\Users\Admin\AppData\Local\Temp\FiveMods.exe
  "C:\Users\Admin\AppData\Local\Temp\FiveMods.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FiveMods" --app-user-model-id=electron.app.FiveMods --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --first-renderer-process --disable-breakpad --disable-lcd-text --enable-threaded-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-zero-copy --disable-partial-raster --enable-gpu-memory-buffer-compositor-resources --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2452 --field-trial-handle=2384,i,6973524651494719155,411902840580416904,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:4052
- C:\Windows\system32\ping.exe
  C:\Windows/system32/ping.exe -4 -w 5000 -n 1 -l 32 fivemods.app
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3828
- C:\Users\Admin\AppData\Local\Temp\FiveMods.exe
  "C:\Users\Admin\AppData\Local\Temp\FiveMods.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\FiveMods" --app-user-model-id=electron.app.FiveMods --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --disable-breakpad --disable-lcd-text --enable-threaded-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-zero-copy --disable-partial-raster --enable-gpu-memory-buffer-compositor-resources --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3724 --field-trial-handle=2384,i,6973524651494719155,411902840580416904,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:4108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -NoProfile -Command "$Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Local\Temp\FiveMods.exe' -Argument '--task'; $Trigger = New-ScheduledTaskTrigger -Daily -At '18:00:00'; Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName "\"Updater Task FM\"" -Force;""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -Command "$Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Local\Temp\FiveMods.exe' -Argument '--task'; $Trigger = New-ScheduledTaskTrigger -Daily -At '18:00:00'; Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName "\"Updater Task FM\"" -Force;"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff90d8d46f8,0x7ff90d8d4708,0x7ff90d8d4718
    3⤵
    PID:4752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,5903484426546877894,402548089050037776,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
    3⤵
    PID:2436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,5903484426546877894,402548089050037776,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,5903484426546877894,402548089050037776,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
    3⤵
    PID:3008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5903484426546877894,402548089050037776,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    3⤵
    PID:3476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5903484426546877894,402548089050037776,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:2572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,5903484426546877894,402548089050037776,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4176 /prefetch:8
    3⤵
    PID:4428
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,5903484426546877894,402548089050037776,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
    3⤵
    PID:3144
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,5903484426546877894,402548089050037776,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5903484426546877894,402548089050037776,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
    3⤵
    PID:4280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5903484426546877894,402548089050037776,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
    3⤵
    PID:1608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5903484426546877894,402548089050037776,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    3⤵
    PID:2748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5903484426546877894,402548089050037776,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
    3⤵
    PID:812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4432

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f4 0x2c8
1⤵
PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
2102f7b545867bd80f4a89c28a61a176

SHA1
560c33e9eb643383e96c2314bc15a6e867b3311d

SHA256
0408580dd16af8da9e5c30e1f3288f064a0238843ae29584e6a2c796c4b02747

SHA512
4afde8d5638ae361c1d0c862c23e7f8d1650fe227a5e965757366003e96be3a37ef2780c53fbd4ddda44cd33fa5872d4851be0b00d821e232035373d193ad00e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c6c690ac03d25084217e309a98d5301b

SHA1
095ecabc9f560443f18a0ef3256cde14b3fea178

SHA256
bc8be8f537644a6b13875ca7ba441c85688d2d9702e2946445f9d5b531d82ae5

SHA512
de75c42ca92e660235b51d7fe87c10d1dcbfeebf85cf34a5f0cee976223afff880bb0cd1ea481fbb382dfe42f8b5249692eb4bb53304855be3c5351cf0266870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1fb42fcc21d0befaa8fe80576a5d4fe6

SHA1
61d40c343f677943ed517d9917dbd8c35ad8bc13

SHA256
57210ad4fd4e8ae5f6e7010642da5e3334e7aa68a3c1f5f2c5a30b28e73c0d9d

SHA512
207473995cbd30975bec0038229aa9ddb72b7a6e76dce3e7986f242b8708d17386194337fed0ccc1d5e904cd44a834d4b12e292f8a3707a4a861a2c002a697c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
92135010820647063fd4bc6017f37b4f

SHA1
90bb34c0a582df08c6f8f7d67685245f2bf5a636

SHA256
e7217f0d4bc3a371ae3cd3da6ebc45602002cc9d04964b2612821a4647aa0270

SHA512
544ed3ae8e002fc338196d5dfe12114c261d260ac1591307267b48a69b36a2f30ce7cefa185178c30a83d9fa3df10455e70bfbb11d3f14c01a3df9add880f080

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c425ee4-828d-49c4-bdc3-eba9c34179b9.tmp.node

Filesize
613KB

MD5
174c50bb9795f9d23b87158da5cfa977

SHA1
f5d963f733d9a82490bd828051b45c2b322b032b

SHA256
77ad8327ae7fb12e0d6b8f3d806311be07d2c34cca0da720cab2af4cb8c30435

SHA512
bf9bb12ac5b4a38fba44736ddefd48afb98ba3b5ce9ee262ea24ae7d41b8d4a41cb5a8c66336218e40cc20c2df75166b11587ea4c4a6764e5942a7cfa110b769

Download Submit
C:\Users\Admin\AppData\Local\Temp\223c3476-83c8-4d19-a9f5-e576bb643e25.tmp.node

Filesize
143KB

MD5
1d0d8685ce856cbab1f50034e2b6a423

SHA1
06c480eb785c4fe82f007a39cbcb58e124602a32

SHA256
3185bb232e572193f94ac13139cf7574645c834028f63b4bd77351f174d8b6d6

SHA512
8d1ae40378c680d78dfd5dce74657bd767e2db9d09a2a798a73b5a2f541f6729af4991ea828dfe52844011737e7c260db37b73748ff73b843fd80125927f25f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2nacynf0.atp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a11f5930-cae0-49d6-a2a4-30f659bbcd38.tmp.node

Filesize
251KB

MD5
0b3ffb5b756beae28d8d9da67c288283

SHA1
7c2a0be0a5ab1b936c4752254927f5ed066abe5a

SHA256
462e527de86494f96ed0d42a80c261e46bb57352e86d6175607186c1dcdfc7b0

SHA512
a1568e7d02bd34992236c587cd77404e4cc9c25011a075dc0cbe52b59ae254eea65cc31ee7fdf26898386e370a752df8bbb2ce70592244d6f24b10d39f9f7854

Download Submit
C:\Users\Admin\AppData\Roaming\FiveMods\Network\Network Persistent State

Filesize
893B

MD5
4f0401f3daf2a9f1dff69a6b51c5f140

SHA1
e21528a5c1eb35e460fb6bbf17bcc1dd3e4265b2

SHA256
42432c944ceb466ad40218af1d7221738f531a3ab0a6a02738bedfc1b58a39c4

SHA512
9493531d447abb0c278e1eb2df48d4af50c199f8d9408d3a7e19be111e55b717d95e04ccfd56e62ffbc666b8ce35401963280dd497427b269f638e6163920bb6

Download Submit
C:\Users\Admin\AppData\Roaming\FiveMods\Network\Network Persistent State~RFe58bfb1.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\FiveMods\Network\TransportSecurity

Filesize
356B

MD5
366d604f555851190661ca9a916c64d1

SHA1
e255d3ea852e93d7dbd08b785fae5ce8021d387f

SHA256
cf11e228b0c2d6f3c8932a6fa5f15eb8d632b0a160cc3838f57e1c06405798ec

SHA512
0829ebecec9101b4964c72c634afacaa8f70b36053f1b8d6fdc49a860c13ed8e889a57814b791292dcd6c49b02f88ab0eece927354c7839706915c8bdde9c23d

Download Submit
C:\Users\Admin\AppData\Roaming\FiveMods\Network\TransportSecurity~RFe58c109.TMP

Filesize
356B

MD5
5851c16c2fc8552534eed330d5cb7f28

SHA1
d1e3dbdc6d03771917bebbdaa291f75b6eb61321

SHA256
d921f18a3032becc41a1be05cdfeca80906457b1fdbe0c20c3a559d70b583990

SHA512
1eff59eb49bb40252654ba6f04bb3a11e0be2c708f2f08bd007760890ed9cd6f524465acba84903799b733c678c2c7d49b3efb5ee2d434ae5b6b45569e60be67

Download Submit
C:\Users\Admin\AppData\Roaming\FiveMods\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\FiveMods\Preferences~RFe57cec9.TMP

Filesize
86B

MD5
d11dedf80b85d8d9be3fec6bb292f64b

SHA1
aab8783454819cd66ddf7871e887abdba138aef3

SHA256
8029940de92ae596278912bbbd6387d65f4e849d3c136287a1233f525d189c67

SHA512
6b7ec1ca5189124e0d136f561ca7f12a4653633e2d9452d290e658dfe545acf6600cc9496794757a43f95c91705e9549ef681d4cc9e035738b03a18bdc2e25f0

Download Submit
C:\Users\Admin\AppData\Roaming\FiveMods\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/728-88-0x00000170D4C10000-0x00000170D4C32000-memory.dmp

Filesize
136KB

Download