hxxps://drive[.]google[.]com/file/d/1Rp93AMn-e6f79rzWBOjUsRaQKRgOa7JT/view

Resubmissions

15-10-2024 00:16

241015-aktrnstdqc 7

15-10-2024 00:14

241015-ajnh9stdle 6

Analysis

max time kernel
147s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
15-10-2024 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1Rp93AMn-e6f79rzWBOjUsRaQKRgOa7JT/view

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
7020	EASEncoder UI.exe

Loads dropped DLL 2 IoCs

pid	Process
7020	EASEncoder UI.exe
7020	EASEncoder UI.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
3	drive.google.com
6	drive.google.com

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EASEncoder UI.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\EASyKIT Public Beta 0.9.7z:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1148	msedge.exe
1148	msedge.exe
2976	msedge.exe
2976	msedge.exe
1684	identity_helper.exe
1684	identity_helper.exe
4916	msedge.exe
4916	msedge.exe
3672	msedge.exe
3672	msedge.exe
6944	msedge.exe
6944	msedge.exe
6944	msedge.exe
6944	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5252	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	3144	7zG.exe
Token: 35	3144	7zG.exe
Token: SeSecurityPrivilege	3144	7zG.exe
Token: SeSecurityPrivilege	3144	7zG.exe
Token: SeRestorePrivilege	4624	7zG.exe
Token: 35	4624	7zG.exe
Token: SeSecurityPrivilege	4624	7zG.exe
Token: SeSecurityPrivilege	4624	7zG.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
3144	7zG.exe
4624	7zG.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4436	MiniSearchHost.exe
5252	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2616	2976	msedge.exe	80
PID 2976 wrote to memory of 2616	2976	msedge.exe	80
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1376	2976	msedge.exe	82
PID 2976 wrote to memory of 1148	2976	msedge.exe	83
PID 2976 wrote to memory of 1148	2976	msedge.exe	83
PID 2976 wrote to memory of 2280	2976	msedge.exe	84
PID 2976 wrote to memory of 2280	2976	msedge.exe	84
PID 2976 wrote to memory of 2280	2976	msedge.exe	84
PID 2976 wrote to memory of 2280	2976	msedge.exe	84
PID 2976 wrote to memory of 2280	2976	msedge.exe	84
PID 2976 wrote to memory of 2280	2976	msedge.exe	84
PID 2976 wrote to memory of 2280	2976	msedge.exe	84
PID 2976 wrote to memory of 2280	2976	msedge.exe	84
PID 2976 wrote to memory of 2280	2976	msedge.exe	84
PID 2976 wrote to memory of 2280	2976	msedge.exe	84
PID 2976 wrote to memory of 2280	2976	msedge.exe	84
PID 2976 wrote to memory of 2280	2976	msedge.exe	84
PID 2976 wrote to memory of 2280	2976	msedge.exe	84
PID 2976 wrote to memory of 2280	2976	msedge.exe	84
PID 2976 wrote to memory of 2280	2976	msedge.exe	84
PID 2976 wrote to memory of 2280	2976	msedge.exe	84
PID 2976 wrote to memory of 2280	2976	msedge.exe	84
PID 2976 wrote to memory of 2280	2976	msedge.exe	84
PID 2976 wrote to memory of 2280	2976	msedge.exe	84
PID 2976 wrote to memory of 2280	2976	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1Rp93AMn-e6f79rzWBOjUsRaQKRgOa7JT/view
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc86703cb8,0x7ffc86703cc8,0x7ffc86703cd8
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,11474837353214163975,1034895896053427773,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1980 /prefetch:2
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,11474837353214163975,1034895896053427773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1416 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,11474837353214163975,1034895896053427773,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11474837353214163975,1034895896053427773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11474837353214163975,1034895896053427773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11474837353214163975,1034895896053427773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,11474837353214163975,1034895896053427773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,11474837353214163975,1034895896053427773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11474837353214163975,1034895896053427773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11474837353214163975,1034895896053427773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11474837353214163975,1034895896053427773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11474837353214163975,1034895896053427773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,11474837353214163975,1034895896053427773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,11474837353214163975,1034895896053427773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,11474837353214163975,1034895896053427773,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4932 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2852

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2204

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4488

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4984

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1532

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5252

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap13653:106:7zEvent18543
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3144

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\EASyKIT Public Beta 0.9\" -ad -an -ai#7zMap16736:106:7zEvent15005
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4624

C:\Users\Admin\Downloads\EASyKIT Public Beta 0.9\Audio\EASEncoder (by Wolf20482)\EASEncoder UI.exe
"C:\Users\Admin\Downloads\EASyKIT Public Beta 0.9\Audio\EASEncoder (by Wolf20482)\EASEncoder UI.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:7020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a2c784e6d797d91d4b8612e14d51bd

SHA1
25e2b07c396ee82e4404af09424f747fc05f04c2

SHA256
18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6

SHA512
fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fc959921446fa3ab5813f75ca4d0235

SHA1
0aeef3ba7ba2aa1f725fca09432d384b06995e2a

SHA256
1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c

SHA512
899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
93f95f852a48c2a997d13434f7bc88ac

SHA1
72a7cbcb68ecacbd3d16a6643003999ea9a45c63

SHA256
57c9dbf62f759af7d0fc3d23001ba7d899a573ae033cbb84979deafcec82a66b

SHA512
f074c42d66953f85b186ce62613cf4cf7b2e7743b5f3782e0018da98323cf7ad0dda9d199cee303c6d1c67d6e8492a983806a26aece717d3bda090a6cb2ec020

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
183e21d492eed07e4bf667e243e43850

SHA1
e2f11a3f4a3b4920dc8befe653d343c5cf3d685d

SHA256
11f55fbca6339eed4adbf1b35708a47918ef242afde67904df22d9db21954510

SHA512
9f2c029a86775dceb668e01da1ad08f43e56683f1a4fff8cfdc8a7e2ecb5141952fad36a20066e677f782e29682c221d73d9b49cb9cd105cab6388a16862cb8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a545b46f67f6c76526173107db99fe3d

SHA1
700f8e71087688d4cc508e0a40bed21025340f98

SHA256
2e3660605d14c110ae154bd5a4134d7e7f2d4e91a625339d3d007f40118181f0

SHA512
ecdbc489889f38b9a53f9362661da854272a70787a76560889138e632c21dc392cb9ad48347ed1354968a3cd560f54bc98a3e0f7a669e71aa364be0a9c2790e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6ce83d1f9582e7c5610e59ec5ab59aea

SHA1
8dc3180f9e1a8e377c6b086857bed6ebdedf0ea9

SHA256
7626dd62272c2ee76d050d5d1ab7bb4592ba0eeb20b13f7aee3464ba350ebcbd

SHA512
b6653b5ed9c414cc283acbb4abebe7ee67cb750b2ecf26a48eea5f63f446f34188bc88440d689a345dda3294d8f5bbe00162f33de2a8f3df2a85da31fdecc7d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
06b65afaea8980a783ff130f75bc5193

SHA1
0fcb076eaa567d4f39a52250ea5f96603f8ff59a

SHA256
d296d118c4f666900b862be52f0b76b52f3691a658e1a2cbe6eef19425f5b26a

SHA512
235bfd8325f5893a593f61fbaca7547b1120a4990703938d3bdfaec32fc1ba523bba42426e43872f850e9d1648c35eb74a519c4c52c5735b7d44da4c6b72da69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
36ca4ba2f654f074a8ce934ac6393cf4

SHA1
03e75b4b6e733d7d90c62746c7ed8876e4c34ea2

SHA256
c9a326263e9837c3656d033f9cd4599bb8cf66f94a6f5d08959d3b872fb3b9bf

SHA512
888663d280e3d7fad289444c8f0a39fe98991fcb6485622c06a05351c9432fc38a132a80ed8c125a883cfb36be742534e5f9935acd92693becaf64ab3a5a490c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2fbe106ca21ede24b3075751f388736a

SHA1
51a5d9df93b0c2c0f14760ac0703f9c2736eace7

SHA256
572ddca7b0db830cee8c53dea77ccc8f01528216750972cd28df8a3a2f527276

SHA512
71799282ded47b7e7381f4d05421d342bdd4d11c4d45134f157d2d51801c94f91da426c0d453faf529a5ab450298b89b4ffea076f9f7259ab116c92c5b7a2f69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
855048b3d7ff615042a85952db4cc99f

SHA1
900bd4c7960dd225dcafdc0c337953d43de2971e

SHA256
2645b1de2857316e07f86cfe95fae3f8bb913e35eca33af051f7edb0885cca2f

SHA512
3f39e963ecac87f30d2540bd63ac8c58e178ace90b300d29e1578c23ce4dba716aadc6f895be85ec2fbf5f8b8e593d475ed5768d3d919dfd2bda52555f7677ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e369f202dc05d1b25318e565dfe7475d

SHA1
c278120929dd648b867d6f342d78c0f6d266a5a5

SHA256
9d68b455911bc1ec0911d17c222863b52890cdb4386504553640c569fc292081

SHA512
1546f925c26115f22eb110207fbb4e73949056d569deed61dd1306b6144fe132e3bf91219f9a72337e948d0884906adfd8d3b0c19432e706a5aa32d499149180

Download Submit
C:\Users\Admin\Downloads\Audio\EMnet Voice Files\LOC\020085.WAV

Filesize
44B

MD5
a0346ee7cbd84740878b82fcfabb3b45

SHA1
5ab3ae9298bc9fe84c2046a147a8a3c59bcbb910

SHA256
3e2e518b0f599b52e196d814871afc4ddc97b95f324134ffa10a673e1c38ce79

SHA512
ab1039794683ab3ff48ccfb8aefe3c80095385c86e5a62238bce7e4958824462defa1a16aa5382760d167e3e4fc9ff9a279a9235a74273dcf8ffc4426a92a3d1

Download Submit
C:\Users\Admin\Downloads\EASyKIT Public Beta 0.9.7z:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\EASyKIT Public Beta 0.9\Audio\Attention Tones\AlertReady Attention Tone (Canada, by TuesdayOra).wav

Filesize
1.5MB

MD5
cdfbd140f7d20b584d61ec7def48fcaf

SHA1
d89ce5b0306e80fcae9759b2ef10f13910a272d3

SHA256
9ca279c1178b1e7a4a0e35c3dd366c158910810cb0503e043030c4a693b7adb2

SHA512
e291a437e99bbaf121de94b3ecc5046844faf80653617700dc052b3a95d33a975c9525dea8a6645efc95fee292dfdb292e575c166b5131671476a52956ec3ad6

Download Submit
C:\Users\Admin\Downloads\EASyKIT Public Beta 0.9\Audio\EASEncoder (by Wolf20482)\EASEncoder UI.exe

Filesize
551KB

MD5
adc0856a2c40c0ba29278f5576a7bd4a

SHA1
99b440136ab517061c806a5386f7f8e362ac04db

SHA256
854da733e8afeee1d8c85f7d57d5b177e5e134dd4946948174a24d36d628bc94

SHA512
de24f6365347516449830eae8d280ca7a5b6645f9018ad266439e95e3798c68102a37540015a1ffcd5d449054a5da1e35829d61c3f743e2c88d8396c08c001a1

Download Submit
C:\Users\Admin\Downloads\EASyKIT Public Beta 0.9\Audio\EASEncoder (by Wolf20482)\EASEncoder UI.exe.config

Filesize
171B

MD5
661628b39a08a5a311757501ad055421

SHA1
19c598cb1debbb781e9079f3794132f596fb7351

SHA256
7f9aa9c0d7c10cc121acfcedd4eace6d8813ac30161487b82228bea70ffe448e

SHA512
60a29a160da328391254754e6beb7d079dde90501ff4228186b91d8dd22f78cb1ae061764008015e4fe3dc722c2c8a6331e8490b59c2f127f5f6c54cbcdea9ba

Download Submit
C:\Users\Admin\Downloads\EASyKIT Public Beta 0.9\Audio\EASEncoder (by Wolf20482)\EASEncoder.dll

Filesize
160KB

MD5
bfedd46ebf677da5c3682b0c52944aca

SHA1
4ee774bc5b2603f841402a78fb6c08d7b119c135

SHA256
3fca3ad9306935131983543b91f52ef3cf710750fcf442a72f29a936a58730ea

SHA512
9f4766a9109682c83aea039f75f3da392da1281dd018b34510ec6e9c00314f42c4a8e262611b49b070b9a59e7fa54f76f7d03dcffce4e72920399576b4762f2f

Download Submit
C:\Users\Admin\Downloads\EASyKIT Public Beta 0.9\Audio\EMnet Voice Files\LOC\011533.WAV

Filesize
11KB

MD5
8c01db1c96b41707d1bc307d34761e0e

SHA1
83adb98fde8f8b5dc4eafb1b565bd4c27041b6cf

SHA256
3ae2c050cd0af490569cad71df98f8533b060b283cc615d87a319dbb32caea9d

SHA512
3d9651708eceff8616a76b745a0b655e62213bc451e5ec2090e8f4e4b64612fea59e28d6d957322520e0ac2f3e1862412c9ab974fc61bc40b6a2b1984731abf4

Download Submit
C:\Users\Admin\Downloads\EASyKIT Public Beta 0.9\Audio\EMnet Voice Files\LOC\018045.WAV

Filesize
13KB

MD5
1ca5cfd72fdef4006b9a0eed326cd788

SHA1
874f92d51821b7fe83d97431de3cc37af4129ec0

SHA256
33ef3170f7c4bd062006f6a128323360ccd256c6937683b3d91e697922bf8bc3

SHA512
5686835c5b7081501898c92d4ffe6b2956524be78965df95c78b71694a79d58da8d58baf3d9d44725fbd0c2bbb1b312a394ddec2088740a626e0d19b6eb2b5b7

Download Submit
C:\Users\Admin\Downloads\EASyKIT Public Beta 0.9\Audio\EMnet Voice Files\LOC\118902.wav

Filesize
13KB

MD5
72e59bdf9c0de145bb70253cac664be2

SHA1
befc3cfbd26f5d4704fa5764df0d47a8f8ab635e

SHA256
de3e3f6f08fbdc64fc202ba795a550a25a5805e95810d24cdfe6e3bd5c905738

SHA512
46a5b374bb58e853b1eae7fc46a819a9642882f7925711f774c0ca9b88b8006a4c77b8c81170c417620d95cea80ddd7e08c288493e0d4ab1b108950262455adb

Download Submit
C:\Users\Admin\Downloads\EASyKIT Public Beta 0.9\Audio\EMnet Voice Files\LOC\318902.wav

Filesize
14KB

MD5
80f99cf39577244825ca899a299ee771

SHA1
cd74d80228551e02f4ba3694afb01e670e864eae

SHA256
ba09d6f0237db7ef1913ff957bf5845acb992582466ae00fafb1087d638bac68

SHA512
b01d11f6f927c3f476ad3c7ab4ea209785875efbd6338d4276421f2e53e9f78412ab2627399fec8be9f4dd78f54f667d88bfeab7521e6ce5a8fb4c8ee1664488

Download Submit
C:\Users\Admin\Downloads\EASyKIT Public Beta 0.9\Screens and Scrolls\Emergency Alert System (USA)\EASyPLUS Screen\Other Emergencies and Tests\Bottom Scroll\Black.psd

Filesize
204KB

MD5
ce52c6d99d51b70883957b6fb9801627

SHA1
cc9a693f5b9d23a5c7076cb75749b9e4d4bf36ed

SHA256
2c565b06f5e690615a1056b2ff69fbaaf340fa0f1895bfb13b6034dee757980f

SHA512
e48167c6426026c589b2ea44d1516da447b514547f5e6b8c8c3d826d279fdbb5b9a6b7e1adcbd11beb03260f4771e7b08a44182258e95544b31c62087650b13a

Download Submit
C:\Users\Admin\Downloads\EASyKIT Public Beta 0.9\Screens and Scrolls\Emergency Alert System (USA)\EASyPLUS Screen\Other Emergencies and Tests\Bottom Scroll\Gray 2.psd

Filesize
209KB

MD5
72d2fa38399c3ebaab6528599e49b420

SHA1
96867af3fed8ba5ba9df7bc84a2224ce156b61cd

SHA256
19b054bcfe5b722f5ce9c6fba1a7d67b597687a558b77ee2ff74a2481a9d777c

SHA512
62e08061739ba9301456671273435536ce99aa3f6936f64ccaf8047e34fdb4b570ff9b452b81ac2684594b18ab0aa50dce89cad5062c4b1d78092769218897bc

Download Submit
C:\Users\Admin\Downloads\EASyKIT Public Beta 0.9\Screens and Scrolls\Emergency Alert System (USA)\EASyPLUS Screen\Other Emergencies and Tests\Bottom Scroll\Gray.psd

Filesize
231KB

MD5
c19da4d9637b008d804fdcc6dae36458

SHA1
26e8cf59045eb2ff61f0a78a363cdf0bc1769c66

SHA256
ef3c9afbc5153d40b0e149f15a618d6dbb847034b3f72846dc1a8219ddf59ee2

SHA512
38aa1b2bdc3cccadba5c8c92b0e6f50c95b9a804fb9907832f776a0a682dedc979257c18172a235a30cfc17b9f7c6491a8cc3fc83d5f0489dd159a7dca25d91c

Download Submit
C:\Users\Admin\Downloads\EASyKIT Public Beta 0.9\Screens and Scrolls\Emergency Alert System (USA)\EASyPLUS Screen\Other Emergencies and Tests\Middle Scroll\Black.psd

Filesize
210KB

MD5
628557652c9a76d9119e7e9a3c8ee4c1

SHA1
d13fdde7d0b0a62d449ed04f80feca131b585bb2

SHA256
50de4130d310a4ce7f83cbdc582e62db8f7d49c38a1c028d0e8b3daa0229d322

SHA512
5b1b663fdb9dfaddd7134d00c336cfbdaa6fe9d0f0b087e187ee4c162f25ae2e57071d8aaabec8699dfb94a923c092fda088f27c0a281a8a1f12be2c1697c876

Download Submit
C:\Users\Admin\Downloads\EASyKIT Public Beta 0.9\Screens and Scrolls\Emergency Alert System (USA)\EASyPLUS Screen\Other Emergencies and Tests\Middle Scroll\Gray 2.psd

Filesize
211KB

MD5
ab59a6090c455b77b30c19bb92cb8fad

SHA1
3f51ce13648eb33c0d2d7c7188de036c6d2810d7

SHA256
c6be4104c24e9d42856ce2d3a7240f428a55599aff658fc2c179e36357c70f96

SHA512
c3ca64c54c00db3247a48620eaf1013c782b32f5461ff7f4dfa25c310067c52dcc78d1018b5fd480cef8c73cb000c3a2fcd0eac66d958c3b84b5103a99ad9528

Download Submit
C:\Users\Admin\Downloads\EASyKIT Public Beta 0.9\Screens and Scrolls\Emergency Alert System (USA)\EASyPLUS Screen\Other Emergencies and Tests\Middle Scroll\Gray.psd

Filesize
237KB

MD5
304bd4fa171207036f1a75850611ab33

SHA1
ba3c871690ce36906b4572e07370f186dbb85e65

SHA256
5cf98ead2fb564bc5785c4fa1062237cbf863e85d4eda958400244723f4d63bb

SHA512
6a2aa609ed5955fcff15d77fff04fedb6d8570d99f3255e8752cd5e5f7a0daff67474f3e5322c779df5e669602f27ed6a6570c169db47669cfb6f8f2932c90bf

Download Submit
C:\Users\Admin\Downloads\EASyKIT Public Beta 0.9\Screens and Scrolls\Emergency Alert System (USA)\Idea onics CG-1000 Screen\Emergency Screens (And CIV issued RMTs)\Variant 2.png

Filesize
1KB

MD5
d9288042161f310d07dceb51085627db

SHA1
f9c281478163aeebbb1da631bcc9cd1a4101d4c9

SHA256
30cc7548ccdbe5ee22634736cdfbaaa1d9e5b59a66d7d77f4ae218d878e906e9

SHA512
135d9452641189605f0922f37be1571c6361f850562b8b7079b66c6579ad0044677cf767987a860e9afaff0a3283d2db9dcd8eaec82bca1cd980e2671391bd22

Download Submit
memory/7020-14443-0x0000000000570000-0x0000000000600000-memory.dmp

Filesize
576KB

Download
memory/7020-14444-0x00000000057B0000-0x0000000005D56000-memory.dmp

Filesize
5.6MB

Download
memory/7020-14445-0x00000000050B0000-0x0000000005142000-memory.dmp

Filesize
584KB

Download
memory/7020-14449-0x0000000005050000-0x000000000507E000-memory.dmp

Filesize
184KB

Download
memory/7020-14450-0x0000000005340000-0x000000000534A000-memory.dmp

Filesize
40KB

Download
memory/7020-14451-0x0000000007F90000-0x000000000803A000-memory.dmp

Filesize
680KB

Download