bded6e175fbdeeedbbc33ef1ff5f98f54ec8d505fd1312b0a74a0a358e02d18d

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bplay.exe
Size

12KB
MD5

e057aa4a56a9a2a628a8053f25a27d7d
SHA1

d839e5258bbdb871c746c2cef52e336487535c47
SHA256

2519081eca56fadcf3b62e7cb22e55a1f839b9055e9f1e404fc28145d149e913
SHA512

d968aa76b1483a14b7d829c755a99c7ad09163d18da6806f23b3a33664292f16a4695b596b0d2be619a3b6dc909cfcb8cb7ff236641d1cc012e4f438364945e7
SSDEEP

384:azbge2/99IpWUFyCKaMgXGT/bl55oqyfvN:azb619IpWUFyQiB55aH

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral28/memory/4828-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral28/memory/4828-2-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral28/memory/4220-3-0x0000000000400000-0x0000000000A43000-memory.dmp	upx
behavioral28/memory/4220-5-0x0000000000400000-0x0000000000A43000-memory.dmp	upx
behavioral28/memory/4220-6-0x0000000000400000-0x0000000000A43000-memory.dmp	upx
behavioral28/memory/4220-7-0x0000000000400000-0x0000000000A43000-memory.dmp	upx
behavioral28/memory/4220-11-0x0000000000400000-0x0000000000A43000-memory.dmp	upx
behavioral28/memory/4220-63-0x0000000000400000-0x0000000000A43000-memory.dmp	upx
behavioral28/memory/4220-162-0x0000000008590000-0x0000000008773000-memory.dmp	upx
behavioral28/memory/4220-163-0x0000000008590000-0x0000000008773000-memory.dmp	upx
behavioral28/memory/4220-164-0x0000000000400000-0x0000000000A43000-memory.dmp	upx
behavioral28/memory/4220-167-0x0000000008590000-0x0000000008773000-memory.dmp	upx
behavioral28/memory/4220-165-0x0000000000400000-0x0000000000A43000-memory.dmp	upx
behavioral28/memory/4220-170-0x0000000000400000-0x0000000000A43000-memory.dmp	upx
behavioral28/memory/4220-171-0x0000000000400000-0x0000000000A43000-memory.dmp	upx
behavioral28/memory/4220-188-0x0000000000400000-0x0000000000A43000-memory.dmp	upx
behavioral28/memory/4220-191-0x0000000000400000-0x0000000000A43000-memory.dmp	upx
behavioral28/memory/4220-203-0x0000000000400000-0x0000000000A43000-memory.dmp	upx
behavioral28/memory/4220-212-0x0000000000400000-0x0000000000A43000-memory.dmp	upx
behavioral28/memory/4220-238-0x0000000000400000-0x0000000000A43000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bplay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsplayer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4220	bsplayer.exe
4220	bsplayer.exe
3096	msedge.exe
3096	msedge.exe
2692	msedge.exe
2692	msedge.exe
1884	identity_helper.exe
1884	identity_helper.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4220	bsplayer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4220	bsplayer.exe
Token: SeSecurityPrivilege	4220	bsplayer.exe
Token: SeLoadDriverPrivilege	4220	bsplayer.exe
Token: SeSystemProfilePrivilege	4220	bsplayer.exe
Token: SeSystemtimePrivilege	4220	bsplayer.exe
Token: SeProfSingleProcessPrivilege	4220	bsplayer.exe
Token: SeIncBasePriorityPrivilege	4220	bsplayer.exe
Token: SeCreatePagefilePrivilege	4220	bsplayer.exe
Token: SeShutdownPrivilege	4220	bsplayer.exe
Token: SeDebugPrivilege	4220	bsplayer.exe
Token: SeSystemEnvironmentPrivilege	4220	bsplayer.exe
Token: SeRemoteShutdownPrivilege	4220	bsplayer.exe
Token: SeUndockPrivilege	4220	bsplayer.exe
Token: SeManageVolumePrivilege	4220	bsplayer.exe
Token: 33	4220	bsplayer.exe
Token: 34	4220	bsplayer.exe
Token: 35	4220	bsplayer.exe
Token: 36	4220	bsplayer.exe
Token: 33	5508	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5508	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4220	bsplayer.exe
4220	bsplayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 4220	4828	bplay.exe	86
PID 4828 wrote to memory of 4220	4828	bplay.exe	86
PID 4828 wrote to memory of 4220	4828	bplay.exe	86
PID 4220 wrote to memory of 2692	4220	bsplayer.exe	93
PID 4220 wrote to memory of 2692	4220	bsplayer.exe	93
PID 2692 wrote to memory of 1992	2692	msedge.exe	94
PID 2692 wrote to memory of 1992	2692	msedge.exe	94
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 2528	2692	msedge.exe	95
PID 2692 wrote to memory of 3096	2692	msedge.exe	96
PID 2692 wrote to memory of 3096	2692	msedge.exe	96
PID 2692 wrote to memory of 4292	2692	msedge.exe	97
PID 2692 wrote to memory of 4292	2692	msedge.exe	97
PID 2692 wrote to memory of 4292	2692	msedge.exe	97
PID 2692 wrote to memory of 4292	2692	msedge.exe	97
PID 2692 wrote to memory of 4292	2692	msedge.exe	97
PID 2692 wrote to memory of 4292	2692	msedge.exe	97
PID 2692 wrote to memory of 4292	2692	msedge.exe	97
PID 2692 wrote to memory of 4292	2692	msedge.exe	97
PID 2692 wrote to memory of 4292	2692	msedge.exe	97
PID 2692 wrote to memory of 4292	2692	msedge.exe	97
PID 2692 wrote to memory of 4292	2692	msedge.exe	97
PID 2692 wrote to memory of 4292	2692	msedge.exe	97
PID 2692 wrote to memory of 4292	2692	msedge.exe	97
PID 2692 wrote to memory of 4292	2692	msedge.exe	97
PID 2692 wrote to memory of 4292	2692	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\bplay.exe
"C:\Users\Admin\AppData\Local\Temp\bplay.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Local\Temp\bsplayer.exe
  "C:\Users\Admin\AppData\Local\Temp\bsplayer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.bsplayer.com/en/bs.player/download/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa921546f8,0x7ffa92154708,0x7ffa92154718
      4⤵
      PID:1992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,13088747696911972119,3512600535337272559,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
      4⤵
      PID:2528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,13088747696911972119,3512600535337272559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,13088747696911972119,3512600535337272559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
      4⤵
      PID:4292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13088747696911972119,3512600535337272559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
      4⤵
      PID:1672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13088747696911972119,3512600535337272559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
      4⤵
      PID:844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13088747696911972119,3512600535337272559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:1
      4⤵
      PID:1312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13088747696911972119,3512600535337272559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
      4⤵
      PID:2756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13088747696911972119,3512600535337272559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
      4⤵
      PID:2640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13088747696911972119,3512600535337272559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
      4⤵
      PID:5076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13088747696911972119,3512600535337272559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
      4⤵
      PID:444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13088747696911972119,3512600535337272559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
      4⤵
      PID:4796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,13088747696911972119,3512600535337272559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6344 /prefetch:8
      4⤵
      PID:2356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,13088747696911972119,3512600535337272559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6344 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13088747696911972119,3512600535337272559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
      4⤵
      PID:3276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13088747696911972119,3512600535337272559,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
      4⤵
      PID:1288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13088747696911972119,3512600535337272559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
      4⤵
      PID:5204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,13088747696911972119,3512600535337272559,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
      4⤵
      PID:5212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,13088747696911972119,3512600535337272559,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1876 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2748

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c8 0x32c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
20KB

MD5
88924e883819450fea6752faf211c02e

SHA1
f65cd48ba61e6854b8695490e82b8ef1256c0ad7

SHA256
2775bac57d4aa61e0bafe9902dda744b81a6bc392a953a125fad1da7c949fbec

SHA512
c3aaeb5f7016f819015b54ac7f2cde14cb71b613b046b7097a61d7836f3cf67d38bc6eaad619561c72828d6f930de0362cacddade2f4590389e6c363755c68e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
3234ebfa008ed2ad2c34e2883f2f784a

SHA1
e7c7ed722028e25d0f72e1387c3c4e268334bcb1

SHA256
58aa7668879e700c04e32686866cdf8077d6094ad0f842eb55de1b64b7eed0ac

SHA512
64b5b363ddaccd0e16b1168c494dc499bdd93953b62915256dcf7c8571f8310329e90838c1510185ba94cfa17e84a7a838d348b84e011c0252d3ef644f101ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
3c1d37f434e24e83251574b1f346d7e8

SHA1
d93d53c198c1c4eff4517c84c8bd21fbd94d663e

SHA256
8958bb1bfaa979092aaff6d0ff87dfc982aedf5a388e94c82bb4843868e20779

SHA512
34460e36f740d006f2cc007436da0c37ec47e46cdc89108fa19ae3019779089108cea038ddb31465cb6537de7b2f9ea6b6996c2390915c1fc973ac2cfa1ab2dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7e59ceb3341d08fdf5d692b598f9a8cc

SHA1
38579799a91bf697ef82c0d50a10d571786ed648

SHA256
98034f98b96b76aedb010adef2c94cb8c4cb32b24fa175de7cfd750a5b820a42

SHA512
05b137aa2fa8a472111b0299d6a5a3ef8d754e6573df602849820b2d9ceecd0acd8494a65c6b1ffb64f8556ddcd397c62edec9dece903032a3e3b156070ffe19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a2c40cd58820fd98c0f1dffaf84512bb

SHA1
0519c9ef0cd3921a369a50a493cbd502f6cc740a

SHA256
09cb44497f957ba12f43d9101ad9feddf03f351a738bc56c2f4c49e983a86c75

SHA512
f2f8b327d3242fd2e991a07ab530017cfb9d32f694a5f8cfde0c913cdf88ee74b1201c635afa9941dbe097782735ede3d2b9d945ca0cb6621a885087e44753b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cffb7227b92597e8904dc12eb10966b0

SHA1
ab69d1aca8729c9ee9ddc39955f5714358762919

SHA256
329809cd16cf3d51007fc15b45ab3988b58b0594677869fbb337cdd804972a87

SHA512
1076f2983fc994ca8755294631d3835c971989eec7953107df6678cd1317ffd9ca238660a6192c5f7b46968f1b9b68cd67eff8177bf7f58eb40ec0e1c3401c6d

Download Submit
memory/4220-11-0x0000000000400000-0x0000000000A43000-memory.dmp

Filesize
6.3MB

Download
memory/4220-164-0x0000000000400000-0x0000000000A43000-memory.dmp

Filesize
6.3MB

Download
memory/4220-10-0x00000000042F0000-0x0000000004310000-memory.dmp

Filesize
128KB

Download
memory/4220-63-0x0000000000400000-0x0000000000A43000-memory.dmp

Filesize
6.3MB

Download
memory/4220-72-0x00000000042F0000-0x0000000004310000-memory.dmp

Filesize
128KB

Download
memory/4220-7-0x0000000000400000-0x0000000000A43000-memory.dmp

Filesize
6.3MB

Download
memory/4220-6-0x0000000000400000-0x0000000000A43000-memory.dmp

Filesize
6.3MB

Download
memory/4220-5-0x0000000000400000-0x0000000000A43000-memory.dmp

Filesize
6.3MB

Download
memory/4220-4-0x0000000000405000-0x0000000000406000-memory.dmp

Filesize
4KB

Download
memory/4220-162-0x0000000008590000-0x0000000008773000-memory.dmp

Filesize
1.9MB

Download
memory/4220-163-0x0000000008590000-0x0000000008773000-memory.dmp

Filesize
1.9MB

Download
memory/4220-238-0x0000000000400000-0x0000000000A43000-memory.dmp

Filesize
6.3MB

Download
memory/4220-167-0x0000000008590000-0x0000000008773000-memory.dmp

Filesize
1.9MB

Download
memory/4220-166-0x00000000042F0000-0x0000000004310000-memory.dmp

Filesize
128KB

Download
memory/4220-165-0x0000000000400000-0x0000000000A43000-memory.dmp

Filesize
6.3MB

Download
memory/4220-170-0x0000000000400000-0x0000000000A43000-memory.dmp

Filesize
6.3MB

Download
memory/4220-171-0x0000000000400000-0x0000000000A43000-memory.dmp

Filesize
6.3MB

Download
memory/4220-3-0x0000000000400000-0x0000000000A43000-memory.dmp

Filesize
6.3MB

Download
memory/4220-188-0x0000000000400000-0x0000000000A43000-memory.dmp

Filesize
6.3MB

Download
memory/4220-191-0x0000000000400000-0x0000000000A43000-memory.dmp

Filesize
6.3MB

Download
memory/4220-203-0x0000000000400000-0x0000000000A43000-memory.dmp

Filesize
6.3MB

Download
memory/4220-212-0x0000000000400000-0x0000000000A43000-memory.dmp

Filesize
6.3MB

Download
memory/4828-2-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4828-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download