Resubmissions
10-08-2024 15:21  240810-srb5bayhqh  score 6
10-08-2024 15:16  240810-snljksvemn  score 6
10-08-2024 15:12  240810-slh1nsvdpj  score 6

Analysis
max time kernel: 85s
max time network: 85s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 10-08-2024 15:16
Static task: static1
General
Target: Helldivers 2 Main Theme - _A Cup Of Liber-Tea_.mp3
Size: 8.3MB
MD5: 2f6f56e371da28c646dc1b3108680fc6
SHA1: 225e019f54fe8ad1b4f544e67bc2a4efd0058e65
SHA256: 110cc04be2c257d3b64b427bf39c64e1d347b50bc18953d96610a731a5bd98c3
SHA512: e5b0af1e749f82892e66f1b80fb1fcd181b9fb4ba18d6ce527650ce5828e02f4ac55b8ffc4ed1243cb0dc0dc199433f312903d91c93b39db88ca45108dc02e52
SSDEEP: 196608:aSY+jtkDyYV58HiqdCdR+kFj4E9HOWy64pZPuyK:aR+jOh58pdy7FsEROWyLOyK
Malware Config
Signatures

Drops desktop.ini file(s) (7 IoCs)
  process       action                        path
  wmplayer.exe  File opened for modification  C:\Users\Public\Music\desktop.ini
  wmplayer.exe  File opened for modification  C:\Users\Admin\Videos\desktop.ini
  wmplayer.exe  File opened for modification  C:\Users\Public\Videos\desktop.ini
  wmplayer.exe  File opened for modification  C:\Users\Admin\Pictures\desktop.ini
  wmplayer.exe  File opened for modification  C:\Users\Public\Pictures\desktop.ini
  wmplayer.exe  File opened for modification  C:\Users\Admin\Music\desktop.ini
  wmplayer.exe  File opened for modification  C:\Users\Public\desktop.ini

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  process       action                   drive roots opened
  unregmp2.exe  File opened (read-only)  \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:  (23 opens)
  wmplayer.exe  File opened (read-only)  \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:  (23 opens)
  Each of the two processes probed every drive letter from A: to Z: except C:, D: and F:.

Drops file in Windows directory (2 IoCs)
  process      action                        path
  svchost.exe  File created                  C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
  svchost.exe  File opened for modification  C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  process       action      key
  wmplayer.exe  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  unregmp2.exe  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Enumerates system info in registry (2 TTPs, 3 IoCs)
  process     action             key
  msedge.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  msedge.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  msedge.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS

Modifies registry class (2 IoCs)
  process       action       key
  wmplayer.exe  Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2227988167-2813779459-4240799794-1000\{B6F86F65-57E8-47DA-805E-2F439D1DCF80}
  msedge.exe    Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2227988167-2813779459-4240799794-1000\{BB4D6780-B44F-403C-B721-17EBD2644F26}

In the tables below, "hits" is the number of identical events the report lists for that row.

Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid   process              hits
  4160  msedge.exe           2
  1716  msedge.exe           3
  3456  identity_helper.exe  2
  4260  msedge.exe           2
  3112  msedge.exe           2

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (17 IoCs)
  pid   process     hits
  1716  msedge.exe  17

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  pid   process       token
  224   wmplayer.exe  SeShutdownPrivilege
  224   wmplayer.exe  SeCreatePagefilePrivilege
  3712  unregmp2.exe  SeShutdownPrivilege
  3712  unregmp2.exe  SeCreatePagefilePrivilege
  4772  AUDIODG.EXE   33 (privilege LUID, not resolved to a name by the report)
  4772  AUDIODG.EXE   SeIncBasePriorityPrivilege
  224   wmplayer.exe  SeShutdownPrivilege
  224   wmplayer.exe  SeCreatePagefilePrivilege

Suspicious use of FindShellTrayWindow (26 IoCs)
  pid   process       hits
  224   wmplayer.exe  1
  1716  msedge.exe    25

Suspicious use of SendNotifyMessage (12 IoCs)
  pid   process     hits
  1716  msedge.exe  12

Suspicious use of WriteProcessMemory (64 IoCs)
  source pid  source process  target pid  target process  hits
  224         wmplayer.exe    4344        unregmp2.exe    3
  4344        unregmp2.exe    3712        unregmp2.exe    2
  1716        msedge.exe      1380        msedge.exe      2
  1716        msedge.exe      4512        msedge.exe      40
  1716        msedge.exe      4160        msedge.exe      2
  1716        msedge.exe      5028        msedge.exe      15
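The two discovery signatures above ("Enumerates connected drives" and "System Language Discovery") are simple pattern rules over the sandbox's file and registry events. The following is an added example by the editor, not the sandbox vendor's detection code: it rebuilds the 46 drive-root events from the report (drive letters in the order the report lists them, plus a constructed `C:` open and a constructed BIOS read as negative cases) and re-applies both rules, reporting which letters each process never touched.

```python
"""Re-apply two of the report's signature rules to flattened IoC text.

Added example by the editor; not the sandbox vendor's detection code.
The drive-root lines are rebuilt from the report above; the C: open and
the BIOS registry read are constructed negative cases.
"""
import re
from collections import defaultdict

# Drive letters each process opened, in the order the report lists them.
UNREGMP2_LETTERS = "XGNPHLYKTVJSZRUEMQAWBIO"
WMPLAYER_LETTERS = "YBHQXAJRSZUIKMNWGLEVOPT"

NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

SAMPLE_IOCS = "\n".join(
    [f"File opened (read-only) \\??\\{c}: unregmp2.exe" for c in UNREGMP2_LETTERS]
    + [f"File opened (read-only) \\??\\{c}: wmplayer.exe" for c in WMPLAYER_LETTERS]
    + [
        # Constructed negative case: the default C: drive must not count.
        "File opened (read-only) \\??\\C: wmplayer.exe",
        f"Key opened {NLS_KEY} wmplayer.exe",
        f"Key opened {NLS_KEY} unregmp2.exe",
        # Constructed: a registry read the language rule must ignore.
        "Key value queried \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer msedge.exe",
    ]
)

# "File opened (read-only) \??\X: unregmp2.exe"  ->  ("X", "unregmp2.exe")
DRIVE_RE = re.compile(r"^File opened \(read-only\) \\\?\?\\([A-Z]):\s+(\S+)$")
# Any ControlSet number counts; the sandbox reports the one that was active.
LANG_RE = re.compile(
    r"^Key opened \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d+\\Control\\NLS\\Language\s+(\S+)$"
)
DEFAULT_DRIVES = {"C"}  # the rule text: "other than the default C: drive"


def drive_roots_opened(ioc_text: str) -> dict[str, set[str]]:
    """Map process name -> set of drive letters whose root it opened."""
    opened: dict[str, set[str]] = defaultdict(set)
    for line in ioc_text.splitlines():
        m = DRIVE_RE.match(line.strip())
        if m:
            letter, process = m.groups()
            opened[process].add(letter)
    return dict(opened)


def drive_enumeration_hits(ioc_text: str) -> dict[str, list[str]]:
    """'Enumerates connected drives': root opens on drives other than C:."""
    return {
        proc: sorted(letters - DEFAULT_DRIVES)
        for proc, letters in drive_roots_opened(ioc_text).items()
        if letters - DEFAULT_DRIVES
    }


def untouched_letters(letters) -> list[str]:
    """Letters A-Z a process never probed (shows gaps such as C:, D:, F:)."""
    return sorted(set("ABCDEFGHIJKLMNOPQRSTUVWXYZ") - set(letters))


def language_discovery_hits(ioc_text: str) -> list[str]:
    """'System Language Discovery': processes that opened the NLS Language key."""
    procs = {m.group(1) for line in ioc_text.splitlines() if (m := LANG_RE.match(line.strip()))}
    return sorted(procs)


if __name__ == "__main__":
    roots = drive_roots_opened(SAMPLE_IOCS)
    for proc, letters in drive_enumeration_hits(SAMPLE_IOCS).items():
        print(f"{proc}: {len(letters)} non-default roots; never opened: {untouched_letters(roots[proc])}")
    print("language discovery:", language_discovery_hits(SAMPLE_IOCS))
```

Run against the report's events this yields 23 non-default roots for each process and shows that neither touched `D:` or `F:`; the rule is attribution-agnostic, so it fires the same way for a media player's first-run registration as for a worm looking for removable media, and the process tree below is what separates the two.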
Processes

wmplayer.exe  PID 224
  image:      C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  command:    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Helldivers 2 Main Theme - _A Cup Of Liber-Tea_.mp3"
  signatures: Drops desktop.ini file(s); Enumerates connected drives; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory

    unregmp2.exe  PID 4344
      image:      C:\Windows\SysWOW64\unregmp2.exe
      command:    "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory

        unregmp2.exe  PID 3712
          image:      C:\Windows\system32\unregmp2.exe
          command:    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
          signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken

svchost.exe  PID 232
  image:      C:\Windows\system32\svchost.exe
  command:    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
  signatures: Drops file in Windows directory

msedge.exe  PID 1716
  image:      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command:    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

    msedge.exe  PID 1380  (crashpad-handler)
      command:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffaa0e13cb8,0x7ffaa0e13cc8,0x7ffaa0e13cd8

    msedge.exe  PID 4512  (gpu-process)
      command:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1980 /prefetch:2

    msedge.exe  PID 4160  (utility: network.mojom.NetworkService)
      command:    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 /prefetch:3
      signatures: Suspicious behavior: EnumeratesProcesses

    msedge.exe  PID 5028  (utility: storage.mojom.StorageService)
      command:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8

    msedge.exe  PID 3836  (renderer)
      command:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

    msedge.exe  PID 3636  (renderer)
      command:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

    msedge.exe  PID 4344  (renderer)
      command:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1

    msedge.exe  PID 2528  (renderer)
      command:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1

    identity_helper.exe  PID 3456  (utility: winrt_app_id.mojom.WinrtAppIdService)
      image:      C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      command:    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3540 /prefetch:8
      signatures: Suspicious behavior: EnumeratesProcesses

    msedge.exe  PID 2008  (renderer)
      command:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1

    msedge.exe  PID 1272  (renderer)
      command:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1

    msedge.exe  PID 4260  (utility: chrome.mojom.UtilWin)
      command:    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8
      signatures: Suspicious behavior: EnumeratesProcesses

    msedge.exe  PID 1124  (renderer)
      command:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1

    msedge.exe  PID 1552  (renderer)
      command:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1

    msedge.exe  PID 420  (renderer)
      command:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1

    msedge.exe  PID 796  (renderer)
      command:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1

    msedge.exe  PID 1968  (renderer)
      command:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1

    msedge.exe  PID 444  (utility: audio.mojom.AudioService)
      command:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6140 /prefetch:8

    msedge.exe  PID 3112  (utility: video_capture.mojom.VideoCaptureService)
      command:    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6008 /prefetch:8
      signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses

    msedge.exe  PID 5284  (renderer)
      command:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1

    msedge.exe  PID 5776  (renderer)
      command:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1

    msedge.exe  PID 5804  (renderer)
      command:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1

    msedge.exe  PID 6132  (renderer)
      command:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1

    msedge.exe  PID 5168  (renderer)
      command:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1

    msedge.exe  PID 5192  (renderer)
      command:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,12000990721800245094,7819577262615882988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1

AUDIODG.EXE  PID 4772
  image:      C:\Windows\system32\AUDIODG.EXE
  command:    C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004CC
  signatures: Suspicious use of AdjustPrivilegeToken

CompPkgSrv.exe  PID 2372
  image:    C:\Windows\System32\CompPkgSrv.exe
  command:  C:\Windows\System32\CompPkgSrv.exe -Embedding

CompPkgSrv.exe  PID 1908
  image:    C:\Windows\System32\CompPkgSrv.exe
  command:  C:\Windows\System32\CompPkgSrv.exe -Embedding

Notes on the tree. The first unregmp2.exe is spawned by the 32-bit wmplayer.exe under "Program Files (x86)", so its command line names C:\Windows\System32 while the image actually loaded is C:\Windows\SysWOW64\unregmp2.exe (WoW64 file-system redirection); that 32-bit copy then starts the native 64-bit binary through the C:\Windows\SysNative alias with /REENTRANT, which is where the drive enumeration and the privilege adjustments are recorded. PID 4344 is reused within the run (first for the 32-bit unregmp2.exe, later for an Edge renderer), so events should be correlated on PID together with image path and parent, never on PID alone. Every signature hit in this run is attributed to a process started from a standard Windows or Microsoft Edge install path; the report extracts no malware configuration.
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 152B
  MD5: e8115549491cca16e7bfdfec9db7f89a
  SHA1: d1eb5c8263cbe146cd88953bb9886c3aeb262742
  SHA256: dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e
  SHA512: 851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

- Filesize: 152B
  MD5: 3e2612636cf368bc811fdc8db09e037d
  SHA1: d69e34379f97e35083f4c4ea1249e6f1a5f51d56
  SHA256: 2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9
  SHA512: b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

- Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: 1d178f617b46f187643f804c60296462
  SHA1: fcef3a48e370ade106e56034d7eb7459c68acabc
  SHA256: e3e7661f799786b577cafe9b73ccbe72b051b35d6e5a58226563343f2a71c8b2
  SHA512: eb7cf46d1bee7ceaa2e62e30edb7356c1b746a76d1e19ff7880b1800037597422059f3e3864d2e6f7ff6b1119bfef72de78237ba43b18d8cdf7e8cbe1838d365

- Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: 828973efbd7cebc7301eafb5a1cda229
  SHA1: 17dbfbc68a2fb42d58f279d8170682159322cbff
  SHA256: cc11e3ea9f22e6a09b9d3af41f4050997719fc9406a7b536e6261a9e9daae951
  SHA512: 0fbdfea6d41be31dfc48e3dd86f14f479ff0e7ea5fac7ab3d0305a5920f30f3f44a5a3b814cf3b641549c3fe5a879ca4b7855922a0802339e101a30b9a1b1a2c

- Filesize: 551B
  MD5: 6ef4e22150a3fd90a406965c5b555b71
  SHA1: 4881656aa30599c96ac8bd9c8362570b258b0ab8
  SHA256: 65835c2f3012f9c615faf206df96ef22da96a2f2dc7bd44c14347d0cd150b530
  SHA512: 9c2d46e11a8c976194299ae3dffa329d42f40672e3e927b28d68af8ba38149afff76966f1ae059587b1ff47fbcbeffdebe41b2715f24e4efd34aa5b759586fa0

- Filesize: 5KB
  MD5: bbc3577c7dc5efe6a9cef1ed3c11fc6b
  SHA1: a2a50081cf45bbfa8dd1a0d6b97496d001f2889b
  SHA256: 3028460ac91d206d2f6762669b04e63c0530539fc9da7bedb7f7a7c6a727e600
  SHA512: 3a129b19944953b80a60998cd4298a62354e38550b5039270be6fe432a8de640206093e2ab966aeeaea8cd13bfae706d684f5a98e8586ac92805ead81d740cb0

- Filesize: 6KB
  MD5: cbd5762054c836dcb0f32124e63150a8
  SHA1: 26842bae5e9cc8f18727429e026f66f04229ab40
  SHA256: f366fd8618520dc297a15adfd6a539c379af0fcd037b8c69651bb6a909737c83
  SHA512: f0490c2a109809d997654f843af4d2940a42bb7eddc8a29a1a7f6b08cfb4853941bc86e1f1a5c7a374f7e6db37dc24bb92a64ec1809d4f288e50d44c7e16b8ec

- Filesize: 6KB
  MD5: 929b4bd494e1f95aa3521c7946bab899
  SHA1: 4ec97dc8d32dcaded743fc30e08937aad9a634f8
  SHA256: c4568c071f395f77160b2975774f507e9d9685297b103cedd5c442bc2fbebce0
  SHA512: 399ee918e28cff0ae120d8df770ff4d4718a15e06056a873a053cb2fc836910f07015fff7d39822c0e651a49a3f60564a9ae7b0cf58404069a915ebc49bf662b

- Filesize: 6KB
  MD5: 9b477aad225b2fdc99b76e1bdf88bba0
  SHA1: 09d02dbbb8327ec1664c637bec2a756773b3aadc
  SHA256: 08984c343ec727b690d9dbd103fdf8c319cdf995aaa9a2525b85fe76203cf079
  SHA512: 4957d0e635d8c149b412d4bd244a8ce5559a952a72d07ebfad6b7a8f1ddc2a4af4aba7b84e18d22277914fd4e8df4b21ebf1c6c192675660b421978dae58c306

- Filesize: 7KB
  MD5: 44287506f5199cdc9cf37c005ea4f257
  SHA1: 0463c6d71e9ecb333ca04ca33fe489ff42ad41f3
  SHA256: 3548c08a674369c3e6e5eec6e00c64ad193564c7380a748c30ce98a8bd609db4
  SHA512: 7f697e5120efd82d57fb6e35a2ec2e7bb4240e6a7f94d4fb4645261b0ed69745540deeac76bf8b06eec865a562955b840aae7a28c111a755d1bcb3b85b2f4d94

- Filesize: 1KB
  MD5: 0db9b9c9be4e97b11e75653792e3a55e
  SHA1: 9036875327e3dc91432760f0738f1fc71eb95de5
  SHA256: 13d4245f1c28b45ca208ddfb47a30dba7b1306715c2365236bca787d6e9cc2e4
  SHA512: fbff8d47fb2db3b6d721896fb3c3ba820b1ed75593681db1e85d9d3e3484fa9ee603166da72a177b0caef674ff4785736b77dab11e1150d4856bb8ca260a250f

- Filesize: 874B
  MD5: ab037bf48c2e605bc473474713132e01
  SHA1: e927a532061503e776b5e7b80b95b282dd228a98
  SHA256: 668eb5a071e525cb0897536c7b20ce29108fdbcceee19bf2dd72bf2c2c45bbd5
  SHA512: 407c6af7087ebf693083981e2723044c71f189f4789a14a7c55fb89730b7cf7e904a8fac0fab6642eab1a6772b0c47bdd782fe1d2cef9a3933737dd370bc745a

- Filesize: 706B
  MD5: 359228bb36e7c97f294c4dcc9400afc5
  SHA1: 81ac5d8bd450e09d06a01ab1c827596906290baa
  SHA256: e4dbd6bc0e33f3d8535c7900434255bf85d2334d88eaa1e862a882c0ffda46bd
  SHA512: fd3114fffe06566055b639f8f5b99eade4e05faef5dff4f74408ccc45a27f251530f0521d70c4434b9666519beff8fe4e8aef3ace9f10413f5e9a3ac5244887e

- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

- Filesize: 11KB
  MD5: 961e4803a354fb34df8683432a4b8f3d
  SHA1: 99defe9071f78815c898a0b3bb40727f97bc586f
  SHA256: c1fcedc19d3fad5320df435a57188d1c6061ade9aca5597904a3adee31ce1273
  SHA512: c5df2436655231b3092d1aa020f79ff46ed1a7eb0583675e3bf7ad88bb55b8c65e558dd7375fa5862ccfea36b56167d213782ab9d9c93bf7098ebef7387b2935

- Filesize: 384KB
  MD5: 9094c783418a02287a50e36fa6c8a56d
  SHA1: 668133014fe33c9e8116f99e7398a9882f3742bb
  SHA256: 5fb3c0c9cce8a7576c7fb22424d9e702dab7d81d4aba2e8098264f4092a358c3
  SHA512: 00b947b28b1988897729dc6c37b094441a489d33a02ff961d6934e8d5755894cf094e66ce76400c46bd035bda867516a5d5404b3ce05b6120efec3f0c981d1a6

- Filesize: 1024KB
  MD5: fee2989654328e7a57b428a1d6b0f25f
  SHA1: 194adc0ab2fb320bca36da34197a4cfd99721a4f
  SHA256: dd45496a8556643aa924804c2142214e8654396877ebbcc1e4ee206b697d2742
  SHA512: aafd7cf6c6354123affb7b12303585365b55f7eeb8af2d803d1aa54b48995929a231599b9e0bcf56b3f17a44bff06b4266cd424fb386f78b7a22801610e9a122

- Filesize: 68KB
  MD5: f3d70262dc5773d019b4a019592a6a20
  SHA1: 08119f2875d53a296784ad306346717e6069d8b7
  SHA256: 6ad367e7a6ec57626531bf009e94aa5a7264aa54cfff6443552c10e40b9b175a
  SHA512: a246d3e537c21690f0aa89e0bbfc78424f1b3056e580f646a0fbe2e8e69dadeefa2807152b5e069f0527b5eb8ae277d826b3b0acd6cfebcf82f1de17de50b253

- Filesize: 498B
  MD5: 90be2701c8112bebc6bd58a7de19846e
  SHA1: a95be407036982392e2e684fb9ff6602ecad6f1e
  SHA256: 644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
  SHA512: d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

- Filesize: 9KB
  MD5: 7050d5ae8acfbe560fa11073fef8185d
  SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
  SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
  SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

- Filesize: 1KB
  MD5: a56c996f70cf968078c9d923abd0225a
  SHA1: 5b9000255d6ebf9fbd0b29e820f10325ed3de0af
  SHA256: 9f8b7d9f7c87f37cac9876ff797b0a5779c81d01f773617a59bfbfb1dfa33085
  SHA512: 7cd50ab672783c741acbbd68271ef27cb6df30395eb06aca0e3b80e9f2e53163192e78715ee10bb7f53a6b628cf91edacebc47560ad47f0cd77d769184877afa
- Filesize: (not given)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  These four values are the digests of zero-length input, so this artifact was empty when the sandbox captured it; it carries no content to pivot on.
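Before pivoting on hashes from a dropped-file list like the one above it is worth validating the records themselves: digest lengths and alphabet, the tell-tale empty-input digests, and the same SHA256 listed under two different sizes (which is impossible and points at a transcription error). The following is an added example by the editor, not part of the report; the first two records are copied from the list above (the second being its final, size-less entry) and the last two are constructed to show what malformed records look like.

```python
"""Sanity-check dropped-file hash records from a sandbox report.

Added example by the editor, not part of the report. Records 0 and 1 are
copied from the report; records 2 and 3 are constructed to be malformed.
"""
import hashlib

DIGESTS = ("md5", "sha1", "sha256", "sha512")
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Digests of zero-length input; a record matching all of them is an empty file.
EMPTY_DIGESTS = {name: hashlib.new(name, b"").hexdigest() for name in DIGESTS}

SAMPLE_RECORDS = [
    {   # copied from the report: the first 152-byte entry
        "size": 152,
        "md5": "e8115549491cca16e7bfdfec9db7f89a",
        "sha1": "d1eb5c8263cbe146cd88953bb9886c3aeb262742",
        "sha256": "dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e",
        "sha512": "851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271e"
                  "f96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54",
    },
    {   # copied from the report: the final entry, which has no Filesize
        "size": None,
        "md5": "d41d8cd98f00b204e9800998ecf8427e",
        "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
                  "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
    },
    {   # constructed: sha256 truncated by one character, sha512 missing
        "size": 16,
        "md5": "206702161f94c5cd39fadd03f4014d98",
        "sha1": "bd8bfc144fb5326d21bd1531523d9fb50e1b600a",
        "sha256": "1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a6800716",
    },
    {   # constructed: same content as record 0 but a contradictory size
        "size": 153,
        "md5": "e8115549491cca16e7bfdfec9db7f89a",
        "sha1": "d1eb5c8263cbe146cd88953bb9886c3aeb262742",
        "sha256": "dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e",
        "sha512": "851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271e"
                  "f96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54",
    },
]


def is_hex(value: str) -> bool:
    return all(ch in "0123456789abcdef" for ch in value.lower())


def is_empty_file(rec: dict) -> bool:
    """True if every digest the record carries is the digest of zero bytes."""
    present = [name for name in DIGESTS if rec.get(name)]
    return bool(present) and all(rec[name].lower() == EMPTY_DIGESTS[name] for name in present)


def check_record(rec: dict) -> list[str]:
    """Findings for one record; an empty list means it looks sane."""
    findings = []
    for name in DIGESTS:
        value = rec.get(name)
        if not value:
            findings.append(f"{name}: missing")
        elif len(value) != DIGEST_LEN[name]:
            findings.append(f"{name}: expected {DIGEST_LEN[name]} hex chars, got {len(value)}")
        elif not is_hex(value):
            findings.append(f"{name}: not hexadecimal")
    if is_empty_file(rec):
        findings.append("digests are those of zero-length input: file was empty when captured")
        if rec.get("size") not in (None, 0):
            findings.append(f"size {rec['size']} contradicts empty-input digests")
    elif rec.get("size") == 0:
        findings.append("size is 0 but digests are not the empty-input digests")
    return findings


def duplicate_contents(records: list[dict]) -> dict[str, list]:
    """sha256 -> sizes claimed, for every sha256 that appears more than once."""
    seen: dict[str, list] = {}
    for rec in records:
        if rec.get("sha256"):
            seen.setdefault(rec["sha256"], []).append(rec.get("size"))
    return {h: sizes for h, sizes in seen.items() if len(sizes) > 1}


def check_all(records: list[dict]) -> dict[int, list[str]]:
    """Record index -> findings, only for records that have any."""
    return {i: f for i, r in enumerate(records) if (f := check_record(r))}


if __name__ == "__main__":
    for i, findings in check_all(SAMPLE_RECORDS).items():
        print(f"record {i}: " + "; ".join(findings))
    for h, sizes in duplicate_contents(SAMPLE_RECORDS).items():
        print(f"sha256 {h[:12]}... listed {len(sizes)} times with sizes {sizes}")
```

The empty-input digests are computed with `hashlib` rather than hard-coded so the check cannot drift from the library's own values; a record that matches them is still a valid artifact entry, it just has nothing to hunt for.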