Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/08/2024, 00:17

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://domslayer342.itch.io/five-nights-at-freddys
Resource: win10v2004-20240802-en

General

Target: https://domslayer342.itch.io/five-nights-at-freddys
Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
  PID 5672  FiveNightsatFreddys.exe

Loads dropped DLL (9 IoCs)
  PID 5672  FiveNightsatFreddys.exe  (9 identical entries)

Drops desktop.ini file(s) (1 IoC)
  File opened for modification: C:\Users\Admin\Videos\Captures\desktop.ini  (svchost.exe)

Network Service Discovery
  PID 4112  GameBarPresenceWriter.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (FiveNightsatFreddys.exe)

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  (svchost.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (svchost.exe)

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  (msedge.exe)

Modifies registry class (1 IoC)
  Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{508730D0-736F-4DE3-AB23-7798B20D96C1}  (svchost.exe)

NTFS ADS (1 IoC)
  File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 634098.crdownload:SmartScreen  (msedge.exe)

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  PID 1260  msedge.exe           (2 entries)
  PID 1888  msedge.exe           (2 entries)
  PID 1868  identity_helper.exe  (2 entries)
  PID 5252  msedge.exe           (2 entries)
  PID 5340  msedge.exe           (4 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 5672  FiveNightsatFreddys.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (13 IoCs)
  PID 1888  msedge.exe  (13 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: 33                          PID 4508  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  PID 4508  AUDIODG.EXE

Suspicious use of FindShellTrayWindow (64 IoCs)
  PID 1888  msedge.exe  (64 identical entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  PID 1888  msedge.exe  (24 identical entries)

Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 5672  FiveNightsatFreddys.exe
  PID 6020  OpenWith.exe

Suspicious use of WriteProcessMemory (64 IoCs; distinct rows shown, each repeated in the raw listing)
  PID 1888 wrote to memory of 5048  (msedge.exe, procid_target 87)
  PID 1888 wrote to memory of 4296  (msedge.exe, procid_target 88)
  PID 1888 wrote to memory of 1260  (msedge.exe, procid_target 89)
  PID 1888 wrote to memory of 2280  (msedge.exe, procid_target 90)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1888)
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://domslayer342.itch.io/five-nights-at-freddys
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5048)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaae9546f8,0x7ffaae954708,0x7ffaae954718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4296)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1260)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2280)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 924)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2152 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2364)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1148)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 4812)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 1868)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4164)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4024)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2024)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3872)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4804 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4692)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6260 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5060)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 444)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5292)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5460)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5468)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5908)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4316)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5252)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6540 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\Downloads\FiveNightsatFreddys.exe  (PID 5672)
      cmdline: "C:\Users\Admin\Downloads\FiveNightsatFreddys.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5340)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8780291019113638853,1640806141137914894,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe  (PID 3400)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 3796)
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\GameBarPresenceWriter.exe  (PID 4112)
  cmdline: "C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
  - Network Service Discovery

C:\Windows\system32\OpenWith.exe  (PID 6020)
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\svchost.exe  (PID 6096)
  cmdline: C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
  - Drops desktop.ini file(s)
  - Checks processor information in registry
  - Modifies registry class

C:\Windows\system32\AUDIODG.EXE  (PID 4508)
  cmdline: C:\Windows\system32\AUDIODG.EXE 0x50c 0x410
  - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Downloads