hxxps://www[.]roomplannerapp[.]com/

Analysis

max time kernel
103s
max time network
110s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19-11-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.roomplannerapp.com/

Score

5^/10

steam discovery phishing

Malware Config

Signatures

Detected potential entity reuse from brand STEAM.
phishing steam

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exechrome.exe

pid	Process
1008	msedge.exe
1008	msedge.exe
1616	msedge.exe
1616	msedge.exe
3044	msedge.exe
3044	msedge.exe
3048	identity_helper.exe
3048	identity_helper.exe
3304	chrome.exe
3304	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exechrome.exe

pid	Process
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	3304	chrome.exe
Token: SeCreatePagefilePrivilege	3304	chrome.exe
Token: SeShutdownPrivilege	3304	chrome.exe
Token: SeCreatePagefilePrivilege	3304	chrome.exe
Token: SeShutdownPrivilege	3304	chrome.exe
Token: SeCreatePagefilePrivilege	3304	chrome.exe
Token: SeShutdownPrivilege	3304	chrome.exe
Token: SeCreatePagefilePrivilege	3304	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exechrome.exe

pid	Process
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

msedge.exechrome.exe

pid	Process
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
3304	chrome.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 1616 wrote to memory of 3648	1616	msedge.exe	77
PID 1616 wrote to memory of 3648	1616	msedge.exe	77
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 3544	1616	msedge.exe	78
PID 1616 wrote to memory of 1008	1616	msedge.exe	79
PID 1616 wrote to memory of 1008	1616	msedge.exe	79
PID 1616 wrote to memory of 1608	1616	msedge.exe	80
PID 1616 wrote to memory of 1608	1616	msedge.exe	80
PID 1616 wrote to memory of 1608	1616	msedge.exe	80
PID 1616 wrote to memory of 1608	1616	msedge.exe	80
PID 1616 wrote to memory of 1608	1616	msedge.exe	80
PID 1616 wrote to memory of 1608	1616	msedge.exe	80
PID 1616 wrote to memory of 1608	1616	msedge.exe	80
PID 1616 wrote to memory of 1608	1616	msedge.exe	80
PID 1616 wrote to memory of 1608	1616	msedge.exe	80
PID 1616 wrote to memory of 1608	1616	msedge.exe	80
PID 1616 wrote to memory of 1608	1616	msedge.exe	80
PID 1616 wrote to memory of 1608	1616	msedge.exe	80
PID 1616 wrote to memory of 1608	1616	msedge.exe	80
PID 1616 wrote to memory of 1608	1616	msedge.exe	80
PID 1616 wrote to memory of 1608	1616	msedge.exe	80
PID 1616 wrote to memory of 1608	1616	msedge.exe	80
PID 1616 wrote to memory of 1608	1616	msedge.exe	80
PID 1616 wrote to memory of 1608	1616	msedge.exe	80
PID 1616 wrote to memory of 1608	1616	msedge.exe	80
PID 1616 wrote to memory of 1608	1616	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.roomplannerapp.com/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9a8e43cb8,0x7ff9a8e43cc8,0x7ff9a8e43cd8
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1728,15706320823089141804,17617125925026269142,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1728,15706320823089141804,17617125925026269142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1728,15706320823089141804,17617125925026269142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,15706320823089141804,17617125925026269142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,15706320823089141804,17617125925026269142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,15706320823089141804,17617125925026269142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,15706320823089141804,17617125925026269142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1728,15706320823089141804,17617125925026269142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,15706320823089141804,17617125925026269142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,15706320823089141804,17617125925026269142,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,15706320823089141804,17617125925026269142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,15706320823089141804,17617125925026269142,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1728,15706320823089141804,17617125925026269142,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  PID:5552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:1892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff995e7cc40,0x7ff995e7cc4c,0x7ff995e7cc58
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,11715892660675600963,13140322342817537663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:5136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1716,i,11715892660675600963,13140322342817537663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1976 /prefetch:3
  2⤵
  PID:5144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,11715892660675600963,13140322342817537663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2396 /prefetch:8
  2⤵
  PID:5184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,11715892660675600963,13140322342817537663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3108 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,11715892660675600963,13140322342817537663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1.5 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4436,i,11715892660675600963,13140322342817537663,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4508 /prefetch:1
  2⤵
  PID:5612

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5440

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x0000000000000478 0x00000000000004E0
1⤵
PID:5604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
55f01688ce7fb7aa0eb6149c0aa50568

SHA1
af9d59af87259d1499de3e19f5b4c31cdc69fe5e

SHA256
9ec93a974c05f20de4e034390730c93af9fec7f412630b60ce3de0167eb4ba8b

SHA512
4f747b48fffb4feac1d7b3dd95029e69782d24ad8ab2b167ec01bd96c5ea738706f2d97d77f24142176cf908af2390812849ae8ce287597f95109467b20da7de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5f0c2f2fffb5ff1018d25f28299b883d

SHA1
ff7c06263a077f90ba54e5517ae69b379e22afda

SHA256
55f8a5f244f6a2ce77f965a03ba075a4e9f02d1f2cecfb68ac5ab5c86725f5ab

SHA512
c4229367d62d2e079daaaa438aa30fadb505fc9e91f63c5f9de8ce8d7e02cd08e7bb120571fca680651c0d608f8400e3a70d1aa1698d5c4c501eb64f14f0312f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a70a9e3afd28a77af6bcf6c3eb70bf8d

SHA1
45fdce80e102df1476024ecd59021d1d20419524

SHA256
993c229092c1f3b3921369d02de21aefaac3ecaea74853fc165c956235782ecc

SHA512
409b6bd0b93f83bc69fd87d7b222ba15fe43ec546bc505548f378735496224486a721854560acd06dc5ff560fe9dfe31a725e6483a3f1b4b68e09853a7ed8c76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
30d65404047f583556b6a36f91a20af4

SHA1
73f5be714d357d7b8358ecfc7aa27d7e93936953

SHA256
4175ba9f1e65e5a3a127e750a26db0f6b07553ac034a029650757b96898151c9

SHA512
56ba601b7b2ffed60343a116aa94e0543e793975d5cbf06ecddd4541cc348dc8769205f020623ee7e3595d879cee0300a3e0d810d7091b361a58a895ab3eb2b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
24KB

MD5
9661f391f69ddbf1e8bbf879c1c69660

SHA1
60e78567cd82d5dec158be4ae4d365f45412fb36

SHA256
59fe3fa5daacb2b18c734a563d4e8e9df1f51eb24672249ca4962f3132149191

SHA512
dd61b2a9827be092d779b36dc1c4f3983e78cd42f3b6bb07d61758502ef0eedc2fa562ec028374d072e1ace9d82c2c816d2bbb742523f43cf5a6371b79064722

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000071

Filesize
24KB

MD5
4b750bfcda32f496a5bb29df2164b054

SHA1
988adb663452e20504591bd9eeeca877ab8056af

SHA256
d6ac2fdbb12fbd545eee19c7e3b3e88221d05bb641c8493370f33052898dc67a

SHA512
ae9b7f97c8c409f12dc1ad3a974a4623ca7aaa82647c632c6f927bd45f3d097944c9c65f76171f3cafdddecf280b7f1007b6a08071f98c9b561797942294935c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
65bdf71a7e9210c6008d9255baf0465c

SHA1
9b3d3dfa2ae48e6d196f065de62fed4a59958b0c

SHA256
95906512f502faa4e96cef79ac3f990b2733414f3aecdabaa99aa3995ea67334

SHA512
371244863baa951440b53821a6cd9b26a9ceda8b1769e03826b483d0bfdc5530bcee24e91b68a1029f5b7abc857b1dd2caaf55e6e84df5c7b71d250edacdd441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
536c2bb7c4cb1e1facdbc1e11150eb0e

SHA1
857128ccac7c0c04cb7b00cb229ef7f597d6abec

SHA256
9fc199987bf00b260cc31872618e815fda459d76ebfab6c9ea3a87d51d3f736d

SHA512
a62d8dae78c5b0c0509e53768c0ab04b948d51c07a305f6f265f72dafbfa3e960fe05534103eb6d0d4e28dfa32b47916b0d9cfd86b7b56b4bb309e3941760b1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
3693f0ffee5cc9d1035df82ab2c000a5

SHA1
e9d6d88d9c882d28f126eb722f4e4cdefccade4c

SHA256
3c6bcb8abd62c0a303b6d8ce2686470aa8bd79744d2fd05dbe00f3d11cae7244

SHA512
cad322a37a9d2fc4d8e0ac15ae0d5cc18430f4826218b76d624900b260ec7d7c3444aef94f5b63fa503cbb4db656adec9f070d311c82e86567840eb650388e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
a72c97cba9fcc42fa56570f7131b5110

SHA1
c7ec555bebc04b1088deda897e1ee52d8cac7e91

SHA256
43461d4692260677e9d87dfbd69905747d017bc76d96ccba87680634855afd37

SHA512
0e4d8a8c4dd85f5a602599338cebb1ecf51939761fa88333bcfcb1f673c3ef97760f19b99c4a95dc96c10217e40292b32a9bc707a5d6180f2a4c6d91c1a5626e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1809b3a50d5aa1ba4f37a3980fe0f5ad

SHA1
8e29d0e9e87ca9adc3235ccd66ae7f0234e18636

SHA256
5ef8c251f5df77c6b1c88e55f2482860a690b87f9c898bae07ad2d7def7b9850

SHA512
43aa18183e3c4eb8a2c76cb495d8983cbf122f619e4e30dd2dbeba8b17fa9da99bc99e651afc495c325c4272576eccab2d50bf58b2b31d7f160d03cb077f6db3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
47b7e4c7a8dbcdfbdf865afbe393c6af

SHA1
26c5b43bbc332bef63291c88a9186f69fd7d5cc1

SHA256
99986fc527d49525ab8059ca24f915e457181e0bee84beb3b2bb4e269183fcb6

SHA512
c6caaacf99390b577622a2edc8cc2414eca90cea054d990fd1a9faec922cd9a06d3790daf16bda86546299fc840983b924054c3e37383d7fc7ed66cc8b7a0b5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0133ec6a562fbdbb814cc61fa6ce9ea9

SHA1
23df3ea6a40328eb9781ee66a39008b979664693

SHA256
2765637e983d4ed52ee83c3ac343500e07da16713bfc6dab7a2b61e34234e5c1

SHA512
ed9137d966649aeb0b8ad04a9509682fc7f4f41f07734d4b03f4e0056cd1084ca69784f864f98b8e87d8a79a1ce455f47c04eaedc86799087203ef91c40362f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
80bc18cf6c200d372677c3e703b32515

SHA1
37cc06fcb04e370d988a6cfad48bb5039d6912a5

SHA256
5a31ee7bc319d47652b1451aa3cdc89ee291dfce667d2a1e3284d2ba5696d0fa

SHA512
5b6edd26bae2724d9de6f8fc06161a34f4a9e30c0beb5ac2fafde2a3389236d1321980714e35f4544979a19e61f6646157c6206d79345085c041e1215cf82ab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
30b8c85f941f44a916a22f36d5c7e2ad

SHA1
7451c143ed1f35edc98a0b40249a3c9efd76b1e5

SHA256
990144d4bdcb65a7bea8e5dbd4083cc3e26138d1ff99f168c0e1471b8453bdf2

SHA512
dcb213748e7e1258ea7b2f0e6b75c3fb6f963f815e7319ec1a0bcf0e7d215aca866dade9bc9b75e577e192b694b9bac720338dcfebb4b4c990f4ffe68a83c538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cfdc44c38e9fc78d3ad037b35379d3b1

SHA1
8bb4f3565765b8826d199e5c690a6e659008cf0d

SHA256
a3dea5a446f593169d2584b216161705bb238a8cb22abd442afdd86d2560668c

SHA512
be64b65e07cab13a94a7af432bd699cb712361396db0af49724eff98aabf06180cb54a8348c5d4bb3e7c7e57add5077b5cbc24e0be53966937d1833d83098199

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2ebcd5e7be443d6810f88c3aa3baf25e

SHA1
6c861e2390a1f428558728f89870e94d0849e6f2

SHA256
ccf69aadcd599ab9b711ee6b0cd39ec2a843b1033a762e161ab069271948617a

SHA512
4bde414a8074ee50246d169c9e64d1681a247d6371a383b56d08da93634cfeea9b27e0862eec76320f02b8f82a2953101e4dba5492b4bb1517ce62c28efefd6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2051b73d1fd9d3b09640740c0b98aaa1

SHA1
4d6ea6f587c9b0ce91c755f56d86d3190e915bd3

SHA256
2b6ec32e3cda8785c985755809587a119956522081ac369486e42ef99453df89

SHA512
23de881643cd37fde8363db5a85cdbdcba0b17c333a13b5f500ae21f5eb1126fd014d7aeaf34741112004b2af49b37c969a7e4690bba4809dd691b90e2ee8d1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5807db.TMP

Filesize
1KB

MD5
030fd9e67920017e7daaa3ef96311823

SHA1
693190ed27ab75f9808622774718bf5372a86e1b

SHA256
e54bb79efb45b09f807c114bddbc9b3f96b44e6feabc7809dce0c2bff8261987

SHA512
3c70018533a2e04d07917ce07c99335bc069106273621b870b29d11b46fe411c0bb4a4e385abc4d4bb3506e24bb7031fa89eab1e8a1656a5f9a3f707bc5f30aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d232444a-ee27-4df0-a788-84e16e3cb9ab.tmp

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3ddac19e497d359592ea90114e0be5b0

SHA1
6cdcdd6cf816eb101d9ae24f7c8ff3931d080bb5

SHA256
dffbc0b721d4dfc4bff6678f9690d563582aea00562cbbf210442a09a7a1587d

SHA512
6b4bf9ba4d43033a6907b197c93f87fd40d8aab16f0edddac11ba31fd5854d0ed24fb01f699dcd721fd7a3e3541736d97f873a63c5c82af09bf093b0a077a2f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
64425c601412f8302caa644e40f6d527

SHA1
19381e555ab5b3d6b4261d8ffb2ebe3084be5490

SHA256
eb3cbc6ee078da4842f1c6f3287493bdd2395c1a3fd25a5b779293edbbfe0668

SHA512
145df13d02eaaba69a1f4c279d19cbd3c36bcc4b6bf980b46620244592a3d42277608df7af60d21c1eaf82dd6153c28abf4a1353303110c9c626fc442ba4c645

Download Submit
\??\pipe\LOCAL\crashpad_1616_LHEFNWZYUFXPDSMY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit