hxxp://clck[.]dzen[.]ru

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://clck.dzen.ru

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{D6FF887F-D32D-4B23-AB63-720C84ABAFA0}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3756	msedge.exe
3756	msedge.exe
880	msedge.exe
880	msedge.exe
1124	identity_helper.exe
1124	identity_helper.exe
4084	msedge.exe
2976	msedge.exe
2976	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
652	Process not Found
652	Process not Found
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1444	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1444	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 892	880	msedge.exe	83
PID 880 wrote to memory of 892	880	msedge.exe	83
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 4868	880	msedge.exe	85
PID 880 wrote to memory of 3756	880	msedge.exe	86
PID 880 wrote to memory of 3756	880	msedge.exe	86
PID 880 wrote to memory of 1620	880	msedge.exe	87
PID 880 wrote to memory of 1620	880	msedge.exe	87
PID 880 wrote to memory of 1620	880	msedge.exe	87
PID 880 wrote to memory of 1620	880	msedge.exe	87
PID 880 wrote to memory of 1620	880	msedge.exe	87
PID 880 wrote to memory of 1620	880	msedge.exe	87
PID 880 wrote to memory of 1620	880	msedge.exe	87
PID 880 wrote to memory of 1620	880	msedge.exe	87
PID 880 wrote to memory of 1620	880	msedge.exe	87
PID 880 wrote to memory of 1620	880	msedge.exe	87
PID 880 wrote to memory of 1620	880	msedge.exe	87
PID 880 wrote to memory of 1620	880	msedge.exe	87
PID 880 wrote to memory of 1620	880	msedge.exe	87
PID 880 wrote to memory of 1620	880	msedge.exe	87
PID 880 wrote to memory of 1620	880	msedge.exe	87
PID 880 wrote to memory of 1620	880	msedge.exe	87
PID 880 wrote to memory of 1620	880	msedge.exe	87
PID 880 wrote to memory of 1620	880	msedge.exe	87
PID 880 wrote to memory of 1620	880	msedge.exe	87
PID 880 wrote to memory of 1620	880	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://clck.dzen.ru
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb53e546f8,0x7ffb53e54708,0x7ffb53e54718
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15374519791569084835,5174062560602316057,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,15374519791569084835,5174062560602316057,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,15374519791569084835,5174062560602316057,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15374519791569084835,5174062560602316057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15374519791569084835,5174062560602316057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15374519791569084835,5174062560602316057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15374519791569084835,5174062560602316057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15374519791569084835,5174062560602316057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15374519791569084835,5174062560602316057,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15374519791569084835,5174062560602316057,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15374519791569084835,5174062560602316057,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15374519791569084835,5174062560602316057,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15374519791569084835,5174062560602316057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15374519791569084835,5174062560602316057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15374519791569084835,5174062560602316057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15374519791569084835,5174062560602316057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2136,15374519791569084835,5174062560602316057,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=3432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,15374519791569084835,5174062560602316057,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,15374519791569084835,5174062560602316057,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15374519791569084835,5174062560602316057,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15374519791569084835,5174062560602316057,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2584 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3832

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x498 0x304
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
102KB

MD5
1a0215c793abd0f53a0580fbdea1e05f

SHA1
b2a77dc43d38bfbeec951246ed16bf307561e488

SHA256
7c2be2cc2c0f83a26044dc562b307fd7268e1d50aae1d90c1b4cea5478324c0b

SHA512
9be90f0d4458517a9315d87a0da07aa3b14758be978d27fa83b579c13608a517f1b3374d43d9ca8e7a88b1d4d88127cd7eb7a7d619dd701decc57aaadd010ea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
112KB

MD5
06082e70313f2418922992fe729996b8

SHA1
37f31b9aec982c098408ac1e3aaf7bdc6c6f5a3c

SHA256
1401df5b46831ff885a545d80a5a341615e40229966654fd605d4d98f1846e84

SHA512
8245bb597d9eee8357f29e737b33ad897ef03eea5f5663a52aff9fceee8240837f1bd5452394e9fc610c498eab0e0b1a59323e554390849b2c145cf1c12f57ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
64KB

MD5
c1a70da153f8d7d0baf64aa70970772a

SHA1
fd4d0d67ba187f738c968a6f0a4d415dd8b120eb

SHA256
ef7078f4945901bc7ca77ee130af609743671294f286599f8c4a78302efd04d3

SHA512
1552584566ce88d235967cf5aaf42fbee19fed8e0f1337d0f12a77025c19ddb7ef8a1c795a65fd04c38d3c44b87f7ec6e70532fa5dead7981b15f87655cafa2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00007d

Filesize
801KB

MD5
9174752464db1845baa77f58d2e4a9cb

SHA1
f7f3cfc6db8a14c26aa8d7dbf151ef5a329208b8

SHA256
aa8af65674b656f94c6c65ff99897d3810a506c1412654953016faae75a67a3d

SHA512
451a8ebec13f747566510d27d2dbcf9ee2a3d9b08f61392da91a8586a0f25f00ff5f1dbcd968559a91efecc5c467a770f1688cb6f1c59017d3f874819081b8e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
49f2bfb20fa909446a8591470e4aaa21

SHA1
07c20995c3be8b10752e7bf571c60d8c29ca45ac

SHA256
3b8f223155b8ad1908cd12e761809d8385904c2fdb56965f4c3a54d98f4fa9fd

SHA512
107780d8a54635ac2265fb8cafa605dd0566237adf62f87f5706b139046fd9f4b74f88bd881dae2d71a75982053181d29f9a3906acda6c94c7ca4e9017f7146f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
00e5ea78736222195059ad1c357d5329

SHA1
3a8b22e782f1c5f3a3b8e78d7139b3526b010caf

SHA256
5d5f67bf64d6bbc83d0837beb282d7542bfe261bfed2fbe83436593b303dce2d

SHA512
4c228483b1478eabb2374eac3a3b28433815280c90cff91b32010055e8240fcdaa606d9a108030d771d9722f164ac5322699e102fa560edb320bcae28be81194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
caf0f92f9c573d896c4b571a9a7f6795

SHA1
0c472ed9b23869475677f1475d4fa53bee74ea5d

SHA256
7de62c6b4a694998f8cc0a05d52a0444dfb48355129174582dadd4c4cd2f14d0

SHA512
e16f1087f2391fedac5858e764ab3a26869201460c7faffaf21fa6b37b41ac896cab31758e5344739e93cea012ef8d07b8c0140a10527dcc9cbe4c5603a296f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\001\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
5d7f2a66b1a2a936beba210cfd652422

SHA1
5a84092fea97dae74825b581603f6a5475ac27d0

SHA256
93d92ff359aeb5676997c30414e39cda464edcadc4c86d8a7b576847ed512d36

SHA512
b78b8a4b3ac3585bc50983e1a07772d15acf010a8e0cce90d18108ab0dfee7e965886dd487c6413f6b554e7db4c53d265b29db4aa599ca87c9eb7c6f10ffa5fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
4720d09709d553708bfc8bd4ab9244aa

SHA1
627fa5fecd9881bf417be28e02662e448a9eb571

SHA256
60ede9d24d17efe295f1d5b41590fa53781a77a6eef5ebaf302b82f51d6bd8f3

SHA512
e43ba963adf946d925b66d1c782f606dd24ecaf713096cdfcbe2b1db723f7f5b917c225f61aada140a01a298fccb3dbae0157e2854665feb57c66be921a612ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
8971809141bb9b9463036e9b4d3a4cea

SHA1
8f2c61313f6424f9c56712f67348f01cbe76f3d7

SHA256
902b2a7fc2eb35d5a345cca3afe2823c21c43b1a46c4cfd75a5c11ba46319785

SHA512
5f3980f3c6aaa487afac8e30141182ab8745680a7f6dd70c6c52a184904a712611c47f4a08b296c1c570f1279fca55b4600311dc87ac147849848da273870f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
56bbb06fa60967e9702c24d7ea586012

SHA1
7271ecbc782ac452ff102715156ac784ea8d3a3a

SHA256
b306f3f1d50ab6074b8028844705474afb245c8eaec0598dfcd2b60d549c1db8

SHA512
efb06cac42ab6adc14087efff0670ae965935bfdccf2c29789957d2e40a8d42224978fec49e4ec9aba78a3b9dc7d02565fafd5f0c3ec8fec6c2e028caa9cfda6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
13e18b9dae745f9ab779891e05fa2a8e

SHA1
bfcaab403bc275e30dd1b7795e7ad37cdcb9864f

SHA256
b11b0263d6192d1ee1b18600f03fc5facb7d32506e799e7c94f2ccf9dfc750b1

SHA512
73e90b11a0fae5780116cad95fe1ebfc058843b6fb24715463ccb225d7f01ebc456f58fe4fc320a5ea463f3610c4be7e94004b2caa9574c28e887d489156427e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aeffdb49ccc5003581f408936a8d8dad

SHA1
2356e1f9710c40d0d72cf8683ea36eff0126bf85

SHA256
15661c7f990df530a32ff38204ed52198c8d5dc96c8682b9a146fa9b24734d3b

SHA512
82cad2ad3d884f1dd8743efa47ccb72209847d5d8037e821e5217cf39b2e6ae34bc746218371fc5e7cb98e04736c3ccf6f561bc507ff4a9eac10dd98fb888783

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a6133800f652c6478b748debab85eef0

SHA1
5047eef8cee17622a4d302fed80403803e14b65c

SHA256
4bae07fcf5ab4c85d6c5893b426a0a6b09d2bfe18ffbde6beced99b5724b9b2f

SHA512
40f6f357c98fd9ce91ee2829654c0d246b399ce368bda36656b12aa42a5b10dde07665401923753e3a908d1d8179b87de2635fb651e7378834fbbd691b9d7dab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d151cff2a7b87575a02adc40a9d9e5b4

SHA1
474d410365446b7045d40b64735fb4f2483748ee

SHA256
5eee3d4a64204576f4fc34846282338c9429903d7c7f3eecef7bd91f6c58dcb3

SHA512
13c1ec0b5f0b8155240cfed062461f2a1e83c60db173de7c758027b5f9a153eb1f40be271c64538e3b0d0a74bc82b8d2eb42fb694785b68ddb3faa7b31c0b550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583dfe.TMP

Filesize
1KB

MD5
603902e9b95af4cb175665209a3644d4

SHA1
bfdac72268c912a133923cdef8e79aba066f9346

SHA256
08f451460e0ef98e76dc19e2cd11a3ea54bcfe7eef89988605b7c7d4336b2e16

SHA512
dc166a363b84b1a2063d2d4ced9815cbb8bf73cc78a3c52b2e6f9b4ffe28764f3624a20d6402abdabc667320c46c5c2ae86d5b846ebc0b67e416832a00106002

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f500bd475605edba2e69899a28a19f3e

SHA1
f88b56f8bccd310329d7937c0673f950e303e34e

SHA256
4c44a9a4ac6b0adc7bed03d31241d6665c1ab2aaadc0c59927d5a9fd09ed05c1

SHA512
266d18ba02ce6a16f9645af993591ab8669c913c8d2c27c9f41b9cd4c0df5c1c8235188b95b761c785d6b2c57d2cccfa0eaeeaf1935a88cfd6da5044108a2ad0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5db234386a0555f04498cdf41e6be55f

SHA1
6da5a557371f93405bfd5dcfb9904dcd2d94b11c

SHA256
3f08ecd4c81bfec19fccea6678a5ffc6dac7ab74705062952917ca25628daca5

SHA512
cd13ee04e4653c4b78563c2a02dfb0013d722d91b12d963b946ba02720eb811350b005ec88535733c07a45e578a111c76a3440dd60d002ac7eac2793a78d1729

Download Submit