hxxp://dubbing[.]ai

Analysis

max time kernel
90s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://dubbing.ai

Score

9^/10

discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DubbingAI.exe

Downloads MZ/PE file

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\SET5E38.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SET5E38.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\AudioMirror.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\drmk.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\portcls.sys	DrvInst.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DubbingAI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DubbingAI.exe

Executes dropped EXE 10 IoCs

pid	Process
6008	DubbingAI_v1.6.2_08162000_Release_C_Setup.exe
6060	DubbingAI_v1.6.2_08162000_Release_C_Setup.exe
2792	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
5408	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
3460	SetAudioDevice.exe
5968	devcon.exe
4368	find.exe
4300	devcon.exe
2712	SetAudioDevice.exe
5940	DubbingAI.exe

Loads dropped DLL 23 IoCs

pid	Process
2792	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
2792	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
5408	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
5408	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
3460	SetAudioDevice.exe
3460	SetAudioDevice.exe
3460	SetAudioDevice.exe
2712	SetAudioDevice.exe
2712	SetAudioDevice.exe
2712	SetAudioDevice.exe
5940	DubbingAI.exe
5940	DubbingAI.exe
5940	DubbingAI.exe
5940	DubbingAI.exe
5940	DubbingAI.exe
5940	DubbingAI.exe
5940	DubbingAI.exe
5940	DubbingAI.exe
5940	DubbingAI.exe
5940	DubbingAI.exe
5940	DubbingAI.exe
5940	DubbingAI.exe
5940	DubbingAI.exe

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/5940-5304-0x00007FFAD8610000-0x00007FFAD9057000-memory.dmp	themida
behavioral1/memory/5940-5306-0x00007FFAD8610000-0x00007FFAD9057000-memory.dmp	themida
behavioral1/memory/5940-5305-0x00007FFAD8610000-0x00007FFAD9057000-memory.dmp	themida
behavioral1/memory/5940-5309-0x00007FFAD8610000-0x00007FFAD9057000-memory.dmp	themida
behavioral1/memory/5940-5310-0x00007FFAD8610000-0x00007FFAD9057000-memory.dmp	themida
behavioral1/memory/5940-5312-0x00007FFAD8610000-0x00007FFAD9057000-memory.dmp	themida
behavioral1/memory/5940-5315-0x00007FFAD9060000-0x00007FFAD9A06000-memory.dmp	themida
behavioral1/memory/5940-5314-0x00007FFAD9060000-0x00007FFAD9A06000-memory.dmp	themida
behavioral1/memory/5940-5316-0x00007FFAD9060000-0x00007FFAD9A06000-memory.dmp	themida
behavioral1/memory/5940-5317-0x00007FFAD9060000-0x00007FFAD9A06000-memory.dmp	themida
behavioral1/memory/5940-5334-0x00007FFAD9060000-0x00007FFAD9A06000-memory.dmp	themida
behavioral1/memory/5940-5335-0x00007FFAD8610000-0x00007FFAD9057000-memory.dmp	themida

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DubbingAI.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\audiomirror.inf_amd64_fa0c1758ba5964c6\audiomirror.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1598507e-0179-7248-98d6-65f3c76ac213}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\audiomirror.inf_amd64_fa0c1758ba5964c6\audiomirror.PNF	devcon.exe
File created	C:\Windows\System32\DriverStore\Temp\{1598507e-0179-7248-98d6-65f3c76ac213}\SET5C85.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1598507e-0179-7248-98d6-65f3c76ac213}\AudioMirror.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\audiomirror.inf_amd64_fa0c1758ba5964c6\AudioMirror.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1598507e-0179-7248-98d6-65f3c76ac213}\SET5C73.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{1598507e-0179-7248-98d6-65f3c76ac213}\SET5C73.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1598507e-0179-7248-98d6-65f3c76ac213}\SET5C84.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1598507e-0179-7248-98d6-65f3c76ac213}\AudioMirror.cat	DrvInst.exe
File created	C:\Windows\system32\sysdbdn	DubbingAI.exe
File created	C:\Windows\System32\DriverStore\Temp\{1598507e-0179-7248-98d6-65f3c76ac213}\SET5C84.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1598507e-0179-7248-98d6-65f3c76ac213}\audiomirror.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{1598507e-0179-7248-98d6-65f3c76ac213}\SET5C85.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\audiomirror.inf_amd64_fa0c1758ba5964c6\AudioMirror.cat	DrvInst.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DubbingAI\vc_model\is-PF8UG.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File opened for modification	C:\Program Files\DubbingAI\updater\libcurl.dll	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\drawable\blind\is-5SFAO.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\drawable\is-6CB46.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\drawable\is-L62TI.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-0EJJU.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-DJ0PK.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-NG9SO.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-VUBNK.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-TJ0GO.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\drawable\is-UGLV1.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\drawable\guide\is-9J3LU.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\layout\is-V4K2P.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File opened for modification	C:\Program Files\DubbingAI\updater\libcrypto-1_1-x64.dll	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-GIOPT.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-SLBO0.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\drawable\cloning\is-UC6BK.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\drawable\subscription\is-CRB9E.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\drawable\subscription\is-JREOG.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File opened for modification	C:\Program Files\DubbingAI\msvcr120.dll	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-34EGI.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-3SPUH.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-OERVK.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\drawable\is-RLTUO.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-80BE3.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-KC509.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\drawable\is-KBQ9T.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-K4P0U.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-JA3G2.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-TRBUT.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-F2RDF.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\drawable\guide\is-J8BKH.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\layout\is-S7PBO.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-3QJAR.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-HBHEC.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-FI48C.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\drawable\is-IVBK2.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-VF6LL.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\drawable\subscription\is-ST0ND.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\drawable\subscription\is-QDSTQ.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-H0DMQ.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-3S8F6.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-SRT8N.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-VNJRV.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-CATUR.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\drawable\is-GVOCC.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\drawable\is-V4558.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\drawable\is-944EK.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\layout\is-LLSLI.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-GH401.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-MKJIO.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-NRF3F.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-U49OU.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-UQ68B.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\drawable\is-ICUSO.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\drawable\subscription\is-KOBA2.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\res\drawable\subscription\is-ONNNP.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\AudioMirror\is-RJHVV.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File opened for modification	C:\Program Files\DubbingAI\logInfo2024_08_18_08_55_01_46.log	DubbingAI.exe
File opened for modification	C:\Program Files\DubbingAI\api-ms-win-crt-convert-l1-1-0.dll	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-V84JF.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-6C42F.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-2NSKT.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Program Files\DubbingAI\vc_model\is-44J7S.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	devcon.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Fonts\is-6DE3M.tmp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
File created	C:\Windows\INF\c_media.PNF	devcon.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DubbingAI_v1.6.2_08162000_Release_C_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DubbingAI_v1.6.2_08162000_Release_C_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	devcon.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	devcon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
5736	taskkill.exe
5804	taskkill.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\DubbingAI.exe\SupportedTypes	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\DubbingAI.exe\SupportedTypes\.myp	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\\OpenWithProgids	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\DubbingAI	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DubbingAI\shell	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DubbingAI\shell\open\command	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\DubbingAI.exe	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DubbingAI\ = "DubbingAI"	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DubbingAI	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DubbingAI\shell\open	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\DubbingAI.exe\SupportedTypes	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DubbingAI\URL Protocol = "DubbingAI"	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DubbingAI\DefaultIcon\ = "C:\\Program Files\\DubbingAI\\DubbingAI.exe,0"	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\DubbingAI\shell\open\command	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OpenWithProgids\DubbingAI	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\DubbingAI\DefaultIcon	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DubbingAI\shell\open\command\ = "\"C:\\Program Files\\DubbingAI\\DubbingAI.exe\" \"%1\""	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1	devcon.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd17e00000001000000080000000080c82b6886d7017a000000010000000c000000300a06082b060105050703091d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a07f0000000100000016000000301406082b0601050507030306082b060105050703096200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf690b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520036000000090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	devcon.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 629179.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4808	msedge.exe
4808	msedge.exe
3636	msedge.exe
3636	msedge.exe
4156	identity_helper.exe
4156	identity_helper.exe
6040	msedge.exe
6040	msedge.exe
5408	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
5408	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
2792	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
2792	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
2792	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
2792	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
2792	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
2792	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
5940	DubbingAI.exe
5940	DubbingAI.exe
2792	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
2792	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
2792	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
2792	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
2792	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
2792	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: 33	5624	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5624	AUDIODG.EXE
Token: SeDebugPrivilege	5804	taskkill.exe
Token: SeDebugPrivilege	5736	taskkill.exe
Token: SeAuditPrivilege	4556	svchost.exe
Token: SeSecurityPrivilege	4556	svchost.exe
Token: SeLoadDriverPrivilege	4300	devcon.exe
Token: SeRestorePrivilege	5928	DrvInst.exe
Token: SeBackupPrivilege	5928	DrvInst.exe
Token: SeRestorePrivilege	5928	DrvInst.exe
Token: SeBackupPrivilege	5928	DrvInst.exe
Token: SeRestorePrivilege	5928	DrvInst.exe
Token: SeBackupPrivilege	5928	DrvInst.exe
Token: SeLoadDriverPrivilege	5928	DrvInst.exe
Token: SeLoadDriverPrivilege	5928	DrvInst.exe
Token: SeLoadDriverPrivilege	5928	DrvInst.exe
Token: SeLoadDriverPrivilege	5940	DubbingAI.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
5408	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
6060	DubbingAI_v1.6.2_08162000_Release_C_Setup.exe
6008	DubbingAI_v1.6.2_08162000_Release_C_Setup.exe
2792	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
5408	DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
3460	SetAudioDevice.exe
5968	devcon.exe
4300	devcon.exe
2712	SetAudioDevice.exe
5940	DubbingAI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 4636	3636	msedge.exe	84
PID 3636 wrote to memory of 4636	3636	msedge.exe	84
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 636	3636	msedge.exe	85
PID 3636 wrote to memory of 4808	3636	msedge.exe	86
PID 3636 wrote to memory of 4808	3636	msedge.exe	86
PID 3636 wrote to memory of 1144	3636	msedge.exe	87
PID 3636 wrote to memory of 1144	3636	msedge.exe	87
PID 3636 wrote to memory of 1144	3636	msedge.exe	87
PID 3636 wrote to memory of 1144	3636	msedge.exe	87
PID 3636 wrote to memory of 1144	3636	msedge.exe	87
PID 3636 wrote to memory of 1144	3636	msedge.exe	87
PID 3636 wrote to memory of 1144	3636	msedge.exe	87
PID 3636 wrote to memory of 1144	3636	msedge.exe	87
PID 3636 wrote to memory of 1144	3636	msedge.exe	87
PID 3636 wrote to memory of 1144	3636	msedge.exe	87
PID 3636 wrote to memory of 1144	3636	msedge.exe	87
PID 3636 wrote to memory of 1144	3636	msedge.exe	87
PID 3636 wrote to memory of 1144	3636	msedge.exe	87
PID 3636 wrote to memory of 1144	3636	msedge.exe	87
PID 3636 wrote to memory of 1144	3636	msedge.exe	87
PID 3636 wrote to memory of 1144	3636	msedge.exe	87
PID 3636 wrote to memory of 1144	3636	msedge.exe	87
PID 3636 wrote to memory of 1144	3636	msedge.exe	87
PID 3636 wrote to memory of 1144	3636	msedge.exe	87
PID 3636 wrote to memory of 1144	3636	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://dubbing.ai
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaf28c46f8,0x7ffaf28c4708,0x7ffaf28c4718
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:5712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6332 /prefetch:8
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6412 /prefetch:8
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6800 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1532 /prefetch:1
  2⤵
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1500,7701065502463122603,3627364295009442442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6040
- C:\Users\Admin\Downloads\DubbingAI_v1.6.2_08162000_Release_C_Setup.exe
  "C:\Users\Admin\Downloads\DubbingAI_v1.6.2_08162000_Release_C_Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6060
- - C:\Users\Admin\AppData\Local\Temp\is-K38GL.tmp\DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-K38GL.tmp\DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp" /SL5="$120066,103001501,928768,C:\Users\Admin\Downloads\DubbingAI_v1.6.2_08162000_Release_C_Setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2792
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM DubbingAI.exe /F
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5804
- C:\Users\Admin\Downloads\DubbingAI_v1.6.2_08162000_Release_C_Setup.exe
  "C:\Users\Admin\Downloads\DubbingAI_v1.6.2_08162000_Release_C_Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6008
- - C:\Users\Admin\AppData\Local\Temp\is-TJ8LE.tmp\DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-TJ8LE.tmp\DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp" /SL5="$9002E,103001501,928768,C:\Users\Admin\Downloads\DubbingAI_v1.6.2_08162000_Release_C_Setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:5408
  - - C:\Windows\SysWOW64\taskkill.exe
      "taskkill.exe" /IM DubbingAI.exe /F
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5736
  - - C:\Program Files\DubbingAI\SetAudioDevice.exe
      "C:\Program Files\DubbingAI\SetAudioDevice.exe" get
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:3460
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\DubbingAI\AudioMirror\install.bat""
      4⤵
      System Location Discovery: System Language Discovery
      PID:3628
    - - C:\Program Files\DubbingAI\AudioMirror\devcon.exe
        
        devcon.exe status "Root\AudioMirror"
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:5968
    - - C:\Program Files\DubbingAI\AudioMirror\find.exe
        
        find "Dubbing Virtual Device"
        5⤵
        Executes dropped EXE
        
        PID:4368
    - - C:\Program Files\DubbingAI\AudioMirror\devcon.exe
        
        devcon.exe install AudioMirror.inf Root\AudioMirror -v
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4300
  - - C:\Program Files\DubbingAI\SetAudioDevice.exe
      "C:\Program Files\DubbingAI\SetAudioDevice.exe" set
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2712
  - - C:\Program Files\DubbingAI\DubbingAI.exe
      "C:\Program Files\DubbingAI\DubbingAI.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Drops file in System32 directory
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4496

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b4 0x4e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4556
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{125ed60f-b8ec-1248-8275-23f00a4eeebb}\audiomirror.inf" "9" "41823b7ff" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "c:\program files\dubbingai\audiomirror"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2308
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\MEDIA\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:f1d97002a6aaffa0:AudioMirror_Device:12.33.40.11:root\audiomirror," "41823b7ff" "0000000000000148"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:5928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DubbingAI\AudioMirror\AudioMirror.inf

Filesize
5KB

MD5
f5d9ad8275255b0fbee239f3960da265

SHA1
0f4bea0d2f4e488b66d52668a0ce8eabbe58e057

SHA256
b4216f74d8c68396e5b2ee5da78ed4802347986e4f9ebf918d783579f8708202

SHA512
2740a19538c72591c0a825b9adfb36f168df59c059ebbf8ebda6acea03e9e1016f5aac44e839a4e24c7713d27c8005e1b5e3f0b027b589dde2a18b983be5a837

Download Submit
C:\Program Files\DubbingAI\AudioMirror\devcon.exe

Filesize
81KB

MD5
816c4e245b286b4e4903131f75a94948

SHA1
eda70c1fc8a461efb0e376d42e35a72b96175e4d

SHA256
aca1bda08690dcca930254f96f9185c776671a85a58ffa1b59cf16017546f218

SHA512
d0dc74956c57403c0638e6595aaf1c2eb75233997a15170b064261a5d3f1f525a3e35e13fef04c36cc20fd1d5d1cf000a5fb7a646bf2cf1cea73817e5d3335b3

Download Submit
C:\Program Files\DubbingAI\AudioMirror\find.exe

Filesize
17KB

MD5
ae3f3dc3ed900f2a582bad86a764508c

SHA1
1e44ee63bdb2cf3a6e48b521844204218a001344

SHA256
1a1876c5eed2b8cd9e14ebff3f4eeb7e21552a4c6aab4bf392a55f8df3612dab

SHA512
059c0a371aada5f36e72196109c06208b68475ed0fbefb950beb0cbea2c29595151d65b087c5113af41df926596c4fe4e01102daf4b75e999cf6d6517d26ff63

Download Submit
C:\Program Files\DubbingAI\AudioMirror\install.bat

Filesize
223B

MD5
70e7c009a4f8a420755c0efc4197e642

SHA1
6dcae12ede6c84626a6cdef9614a8ead66f42ba3

SHA256
b517734c72a6bee139b181ce8ed7926d0e2e1cf98a1e2a0bdbc28806549c3003

SHA512
7dee3e85f7b60c847c4e628f1380512e4f58d78dabfac62f10130c637b0cadf6897e8f6dc48aa4c034d013e75d187cda587747fb311688cf51a0a953c333708e

Download Submit
C:\Program Files\DubbingAI\DubbingAI.exe

Filesize
3.4MB

MD5
4ea3d22adb4d3246a94afc167308cade

SHA1
0e4866c27c21e1d4e0aa90f1a2cb5fa5f06aca2b

SHA256
29d73df4d1433dc43c5723d870f2ccff4747ac9beb44bd31ad1d5d7f02bb0e5d

SHA512
ae01512c2c19727a153550b40a2b2ac32943d31e418058a3d62b246b6efcf33610d4706fc0b5f9f6a46516d9717d1bfe1d1bb73e7fd93b6a34e495e581342b41

Download Submit
C:\Program Files\DubbingAI\OutDeviceId.ini

Filesize
55B

MD5
f1abb9035fb1ccbd4e874c29a9871080

SHA1
7b9222d1d88204d7eef30e1c29c2f08ebbc6f91b

SHA256
ff5666d907ab238dad46f4c21342dbb36f91d7f78dc758de135af58feb0dd22b

SHA512
25f4d9f5fe9810ab997b76455b470bf1b5932f1399ebb2985a06a4188dd7f5b573baaad858c0b8480e0b42eb262aac44126ae0e4a6b7ad4c7fcb045003bf1a7a

Download Submit
C:\Program Files\DubbingAI\SetAudioDevice.exe

Filesize
82KB

MD5
cb084353c30a8a949a133ce647e9d6d4

SHA1
d04d9b214b928fede9aa895e95b9fdb1f7874496

SHA256
def90008d015ea9c5b935208dacd4371c071bc96f390dd8b6a79af3a45336cde

SHA512
f2c1b43773f38320fb63c9f95272f689d59e9b8762c6534c81552fe9ca5408f0eec8fb393f9ec16e29baad7d57eb5ddc52931d04d578f383e2c57a1b711f4baf

Download Submit
C:\Program Files\DubbingAI\msvcp140.dll

Filesize
555KB

MD5
0d9ffc3f4d6a9e762282891c7b4c61e1

SHA1
15468bd1183b091b92f9e9a3bd352c0562b5b9a3

SHA256
b2bd81e9ae5cf2714c8a245428ef22fa5eab3e3b92a926ef395e1f3733939e25

SHA512
9d8529f9f043196b101a2bd3c9d13a5b8b9e09bc827f5afdd86894998ca1463fc8f74fea66c5b33498b2685294c2f90c75ce9efd77f7bccf19337ebd37ea413e

Download Submit
C:\Program Files\DubbingAI\vcruntime140.dll

Filesize
96KB

MD5
882da7657405a220fa53d14d663bb216

SHA1
aba49ae69d6c5622ff0598de541aa4d126a4a16c

SHA256
e808fc3824026ba2216c89d3eec46c8202d5eef8d47f797b4f0e7ffa4644cce2

SHA512
833d5fded349da03eff8b20bbdfffc39acf79fb813f506956e28ca064247e5cc2b0ec959f7133ea89448d2ba06d3baad7cb1f64ece37b1cdce52b69bf898c966

Download Submit
C:\Program Files\DubbingAI\vcruntime140_1.dll

Filesize
36KB

MD5
ac5f3720519c641e361ee6ec12d1775a

SHA1
74634eb85c3eadfefe7bcd4520526eca266a2990

SHA256
07ac39c0043a84bd55acab926e84068a24f7824376037da8e75535c2ca7b0c01

SHA512
a024329a567c92bd3f018f9389a6f5043d7194bc26fc7569c3519208697cd84570e0e6f94c4ae34e7ce0e3bc3d26503351493127bd5aa727dd9b1eb2d84f996f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
2eaa0dd8fdfe1037ff6e162bae9fe78b

SHA1
44b3461ae1973ba2ae8ef35c773dbb2942e39d33

SHA256
6b6a6402f0bd7faccf17a80222ee52b91d6adb10f25211b1f3224a406f999304

SHA512
5239a956b8e4a458ee4108e9414b25e4de7b799f2844e4fc3a27418571e21d8f50a31365ce2acdf8325a6e32283e2a4dbf4cda7ae7cf8b1177123a4d1f912572

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
67KB

MD5
a074f116c725add93a8a828fbdbbd56c

SHA1
88ca00a085140baeae0fd3072635afe3f841d88f

SHA256
4cdcda7d8363be5bc824064259780779e7c046d56399c8a191106f55ce2ed8a6

SHA512
43ed55cda35bde93fc93c408908ab126e512c45611a994d7f4e5c85d4f2d90d573066082cb7b8dffce6a24a1f96cd534586646719b214ac7874132163faa5f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
41KB

MD5
c79d8ef4fd2431bf9ce5fdee0b7a44bf

SHA1
ac642399b6b3bf30fe09c17e55ecbbb5774029ff

SHA256
535e28032abf1bac763bffd0ba968561265026803eb688d3cb0550ad9af1a0e8

SHA512
6b35d8b0d3e7f1821bfaeae337364ed8186085fa50ee2b368d205489a004cb46879efb2c400caf24ba6856625fe7ee1a71c72d2598c18044813ecde431054fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
272KB

MD5
37a2739824a6bf649fa3c9d543d442b0

SHA1
ba790c81d0d592bf35ab69a8793728f8d5b3fd25

SHA256
3344359b2d8b8ce489cadc91998882702b156fb99805f4c3483b5525d5935638

SHA512
00fe147cf6490f9b5c3979919258d6e2147968421e6eb08ae7a0d49b9c3a2ef7001049a3722b025aa895570fc90261384c8b3e1c2f27491cd9204fe3908b985d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
267KB

MD5
5497c6371a3b03adb4b167285dcfb318

SHA1
4322f8c7ee8f36b637ffe90dd7d25658ed0253cf

SHA256
d60304857df5bdf96e12d218f2854115443779f2040b291e298229510ae24fa7

SHA512
3281d0f5c3e7eeeaf5086cddf1c6eec722276fe5a9e9aa2df411130d6b7e0689f939d10c2db01b474027f19c560dfe7f943983019e8b30a2fa63f4964a8bd3e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
20KB

MD5
bb230bc3d37f53b35f0853bf0f3dc299

SHA1
b5fc159fdc209b61f2fbba0f43413ff641f763cf

SHA256
a0a9b809b65c96022cc2c30139a4f9a48b35d16292af4f604b7e06f099051ab1

SHA512
c103143d3f20ad7d579f31f097772be9f3763037ba6ec12ad95351c7899cbbe5a3c58307479030ca532713417e206aeb324bbefc90c0a33041ab160c6f739e46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

Filesize
232KB

MD5
ba88b96787bda8e55dff152fcb986796

SHA1
161631914fac1011bd9ecf7da5092ee8ff37ecb4

SHA256
45826bd1bcd14537852d822d534627e52f2461ad2c88809580e79d3678fd27ee

SHA512
70c8efc37b4f69ff56f8818fa3557ef79cdf3f4ce572471463114ef807ce7dbfebc1e1d57299cb6bce73d82b88660d11c08e2b85456c20d4b6da45ae73cc6789

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000033

Filesize
232KB

MD5
875eb69a0266b98f49eb8e217a14a10f

SHA1
172b448cf787eb456b4b01b99e19c2b6d3872605

SHA256
3bb3b4000f1601dcaa382a1961103d15a57ba74d1d511d26fbfb7ae192107237

SHA512
76375cbf4a318701baae3629f0bfa00b7785ed1ed2cee5f9d9c2ffcf57439254ee3367414bed476c9b86cb04ebd9c414a1fe0980436ec3faa43044b81121cc1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
32KB

MD5
b1e8f56542fba2f663ef70444a82a75e

SHA1
38f1034007db83a3b1f664ec7332ae4a910cf118

SHA256
608aa7f028f230acd9ebc897a83686a52646b5ee89325f415b76ae03291a51c6

SHA512
e1288466265575376a77cfb5b224a672faba67e0fbe44f609dcc25f789313bf9c182c0dfe4596d471bc4ee12e0da8402360f55ba19456329ff3fa305648c7fbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000038

Filesize
20KB

MD5
6d31fb8ce3cbcc0ce68a804df5e10921

SHA1
e8ccf09cbb27f5b24c8a4ecc3ebe7f00a207a645

SHA256
4b0e3dd785ab9c3a4982afe09af5a5bc66ccf7eaa10a7e0d055cc0b8a0fa5cee

SHA512
cafef4291de79e3d68b00ab741cbd302d2b5bbada79ff76bd80188f04b7db9a1d3909072ee4d97bdc3e95a243f928bdc9ee4a7c55d4346ce8191f404e16459e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a

Filesize
25KB

MD5
42e84ebcf5470237abd1f9e322b751fe

SHA1
a828a45804554507d9e8521c36109e8bc3d5eca2

SHA256
a9fc7baee3689f0331e46617f60d6e7c3ed631209b7211e7dd09cf20d22a64c1

SHA512
36606d42aee5689819dedf221af3c6c0da06aeb9997b9ce84b42db42ab80a0926352219f1e47f2287dcc850fcc96e4eefd5e487e09e1f1228102eced11271e25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ab084f0749fa7e0007926bab9ce18bcd

SHA1
2b482abd4f7018568872b9eab6842000502e717e

SHA256
f39e6c70125080db71b5abf4af0f86a6fad4d6c3034d2b373ebaa2c733ed54f7

SHA512
4cd80646d9f46f9ad707d81d7962648129c54e83f9c392557136ddaeb1045fc82e56dc8d138b79b528a722be6cbdad8d9ab14d1123488532d22ce72124d9bc2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a0ad3ecd0001a7677efb3c9e2b4a9faf

SHA1
2d844efd26b836cef490102191ce88c104d2d4e5

SHA256
b143757ece1fe1695af57468b29142f12b461c830f11fe5150ee0e342102f62d

SHA512
68120c3d9016a9ab6736e2f98cca6bfb98a5a745abe551a1c0b9686b76384192da911956a51da0e5b1d4b7d9b3cbfcdd61fe40e68fdbf47b07750dc365750455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ee221e0c91a89ff865276b09fcc71d5a

SHA1
9d2cb121113509376526eb1b71ca48a41b413a65

SHA256
7faac2a91f4ae56063975550507e25eaa0a3dc04a4792d6b717969d3f2b7b54a

SHA512
816a72521e9622caa94e93fc6f5256017d3df5a789bde312bc8ca06943dae3f7d9e4158cb131ceb5410411f48088bf9a2d6b141049fd08861ac814a8ea5b1c14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9364e416fd15b0be27c0fe9c16084465

SHA1
7236aee88cfe491d89698016fbd90c97b2f1ef22

SHA256
e366915f861524e6144ef57706cc5f4297d5c1f655271c24265e027719291d0c

SHA512
bd814b4fc9105a939292738a92bcf2acc0f807c45a52b6f63015989f27008085fe238982136d80df619ce9eb93b599f16fc95522488ff470ef0a5701d0079ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1c522640d16459d19a0fe1138d59ef10

SHA1
212c79e6be2250bbea34970296f03eead9f012ad

SHA256
924ee621cd0957c66682371b8e5bcd10fcdd118ec0294c7a93eff1fa9f1cf204

SHA512
9275e048d17a551a1fad86f747aa717d63c3438d8215228b70db0a276b454d6d5ea24dd09e8046ec5e4bc788da787963113daf5a06998c25ea3cae08f08d5721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
496ab49c64bbf5266734ddb627e26d4e

SHA1
76e90f305f534ce007d41351977b0eca1356ff4b

SHA256
7acf4d530190334e48f760e8dde0ebe0c1c7438444bc40220a9e22e42d1bec9d

SHA512
aa9616a6feab42543ce38df6f16afdd1c789c78c92ff0cfe1903fb7ae3fa16a5ac246cf3d398eef841a2133725577013c66f16c6e4accc46c823666b8da22e07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f0dddb9caf16bd903530eda546705138

SHA1
0fc103c1152d1adb990fdde31b9c06f9fdc65954

SHA256
8ce1da92366ddff9293855246fa36a96cea5c763dc094500fe93fbc4dbc5c926

SHA512
19c475b0e4f73489281c0e5aa23ac3cef719e25f62eafef283339ca422da4792914f56bc79a109d56f6776e3bd6c0a606f7ed95991666831cc84a12a5c7cd3fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a640327c8fc2239cf6e03a3d59375a62

SHA1
50f1dca328c1ff7b147f27d7185adc13a0c9e677

SHA256
1889148f98df6cadc20d769abe32131fc71105f49de6122400ee979d15321b5d

SHA512
c7987aba43dc8e12d9e511f858afb332c89a3d283ea581cf1dfe43aef3ef710a590c30c655de274b0388afccadcb9108220eac6889fbcdb2ec97411d46892476

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e1b5.TMP

Filesize
1KB

MD5
1dc397d2cb60def192e8869f93f1cb3a

SHA1
7de12304ab8fe548411139b67a65f501f9eca3d3

SHA256
71a83b8f11ed8ae3ebc77dd51d2cb5d12d8097f951ad29131a74f5eddb2aae18

SHA512
d8c3bc573326378798a869e05ce008a3dfa2f4e2bbb2c5b4bfa5defb06de548cb2b414832a5d74490051f1c6e57658ce92042c3c6df05e8aef3d93f65fc0f224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
29fe4f9f3d56914663b2b1c9d323fcdc

SHA1
5317980eae9495b30461dea9a2db0450305030c8

SHA256
04fd028fe8620d41e426b14dfae3c59485385b143cb11e6bd0bb13e0130427b1

SHA512
9eb2c26025760b6f6e340522789e578517225a6d6d402e2e523797d32ba2341f3199e77ef600bd2b1f4c4b5a61603e9a9045f3161d631ed3090b4e4150003b11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f8c287674260f118dcd8ec56df77a4e8

SHA1
ee76bf8ad7f00217c8d0e9a2c0d2c1d14b7a2248

SHA256
9454f771295e7ba64cb8925817d4c3f2088d5a36e15d5535ae982c69e30b0c0a

SHA512
e6e2b5ac034bf513f77e461882c6723c0798ab1a6f934421ded77dc5aedecc8a8613d78391763cde6f17549cb3c1b74effb9dacd3e330242fc099fb27a6136af

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IDF22.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TJ8LE.tmp\DubbingAI_v1.6.2_08162000_Release_C_Setup.tmp

Filesize
3.1MB

MD5
82f36924d4d3a33686ef15d33c150f10

SHA1
50eb1335cbac715ebe2baa7ab7c197f9cf89f519

SHA256
90d44facabc9621dfca9c2fdce76ce2e7b5375e14b95418d7ec1591122ee9052

SHA512
cc1a6e23eb4a735f786cb80a2175f97fb866671367f33bdca68b3bc718082e6f49995e0edc5082745fba79c825a588e507bc7cd8f7e9e43513c05e43ad2773d5

Download Submit
C:\Windows\Fonts\SourceSans3-Regular.ttf

Filesize
421KB

MD5
c056d313af09e05a5912778e0834bece

SHA1
f63b2573a8d85c28fbe8fc15d732e88b381faa4c

SHA256
4644c81b86ec9caaa76b634889968ed3c4f4f52f054855933acc7c2b21e53b0f

SHA512
4cfe3f262c5fd33405af5ab3dd315e291738088f569cd5bd99946dd3c9959e95898f5f1c6f6c7d23494a9b013d5475c8c954686abd560870f3339881cd158318

Download Submit
\??\c:\PROGRA~1\DUBBIN~1\AUDIOM~1\AUDIOM~1.SYS

Filesize
60KB

MD5
52d2a437987ad25f2089ab0ab72f05f5

SHA1
3bf5aef0a7b31ab8da46174a0ede8d52384d629b

SHA256
9ccc1546f7df007944af1fe77e1a7769b3b692167e065af53b0c6fa43c180490

SHA512
7a3eea971aaa250997aa0a7fc7201908f16dcd58f355c9781d31a5b96cd949a71b5f8b0f9d185ef2c4121c953229f767a649363cdaf25bb17eb51c29cfa2f119

Download Submit
\??\c:\program files\dubbingai\audiomirror\AudioMirror.cat

Filesize
11KB

MD5
8caa25db0b3e09c258435159ddb11123

SHA1
1419fddd79cf5adf908c19019d6d82875026bed9

SHA256
a7c19e8213d87f5949a4db449798997a71c3ffeca600618c607e8aac9c787814

SHA512
ea2c3fdab25fd6a69dff7f44d5aa5df39ed62108eba27b68fd4e9c2b570b851f20c4b6100626b06f30e78fbde6f242385fb4d3c48e5bfec275c871aebf3a1fd3

Download Submit
memory/2792-5123-0x0000000000400000-0x000000000072B000-memory.dmp

Filesize
3.2MB

Download
memory/2792-5321-0x0000000000400000-0x000000000072B000-memory.dmp

Filesize
3.2MB

Download
memory/5408-5275-0x0000000000400000-0x000000000072B000-memory.dmp

Filesize
3.2MB

Download
memory/5408-5134-0x0000000000400000-0x000000000072B000-memory.dmp

Filesize
3.2MB

Download
memory/5408-5311-0x0000000000400000-0x000000000072B000-memory.dmp

Filesize
3.2MB

Download
memory/5940-5314-0x00007FFAD9060000-0x00007FFAD9A06000-memory.dmp

Filesize
9.6MB

Download
memory/5940-5317-0x00007FFAD9060000-0x00007FFAD9A06000-memory.dmp

Filesize
9.6MB

Download
memory/5940-5304-0x00007FFAD8610000-0x00007FFAD9057000-memory.dmp

Filesize
10.3MB

Download
memory/5940-5306-0x00007FFAD8610000-0x00007FFAD9057000-memory.dmp

Filesize
10.3MB

Download
memory/5940-5305-0x00007FFAD8610000-0x00007FFAD9057000-memory.dmp

Filesize
10.3MB

Download
memory/5940-5335-0x00007FFAD8610000-0x00007FFAD9057000-memory.dmp

Filesize
10.3MB

Download
memory/5940-5309-0x00007FFAD8610000-0x00007FFAD9057000-memory.dmp

Filesize
10.3MB

Download
memory/5940-5310-0x00007FFAD8610000-0x00007FFAD9057000-memory.dmp

Filesize
10.3MB

Download
memory/5940-5334-0x00007FFAD9060000-0x00007FFAD9A06000-memory.dmp

Filesize
9.6MB

Download
memory/5940-5312-0x00007FFAD8610000-0x00007FFAD9057000-memory.dmp

Filesize
10.3MB

Download
memory/5940-5315-0x00007FFAD9060000-0x00007FFAD9A06000-memory.dmp

Filesize
9.6MB

Download
memory/5940-5316-0x00007FFAD9060000-0x00007FFAD9A06000-memory.dmp

Filesize
9.6MB

Download
memory/6008-4640-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/6008-5313-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/6008-626-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/6060-4639-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/6060-628-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download