fd84148426c6188c0bdec2e66d1f4fda9392342adb0c225d64aaacce24ce8653

Analysis

max time kernel
139s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file (1).exe
Size

136KB
MD5

0b37809ae839d24f5a54c3a16f5b4f35
SHA1

d3091cee95575a53ce93b886469924f2603efbdc
SHA256

2902a063774a2092d85dfca18650b87fdc087a337add8012e67ea7cdd5debcc2
SHA512

0a9267efc5c0fc25d812f52ff95bd20bae31a12e78fe1ecf07a6d5a993f2a71a66180ae826b3097982b78c221a7f8313c45403042e54a7247a50e7c3ce984895
SSDEEP

3072:4PTKQFRiVdubWibOQNi3MWL4FksNYFfPK:4PFRwAbpi3MDEK

Score

10^/10

defense_evasion discovery evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

plugin.exewatcher.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	plugin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	watcher.exe

Executes dropped EXE 2 IoCs

Processes:

plugin.exewatcher.exe

pid process

4040 plugin.exe
1168 watcher.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

file (1).exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Module = "%ALLUSERSPROFILE%\\Media\\plugin.exe"	file (1).exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

plugin.exewatcher.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	plugin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	plugin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	watcher.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	watcher.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

cmd.exe

description	ioc	process
File created	C:\ProgramData\Media\plugin.exe:Zone.Identifier	cmd.exe
File created	C:\ProgramData\Media\watcher.exe:Zone.Identifier	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeplugin.exewatcher.exefile (1).execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plugin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	watcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\ProgramData\Media\watcher.exe:Zone.Identifier	cmd.exe
File created	C:\ProgramData\Media\plugin.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

plugin.exewatcher.exe

pid	process
4040	plugin.exe
4040	plugin.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe
1168	watcher.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

1000 msedge.exe
1000 msedge.exe
1000 msedge.exe
1000 msedge.exe
1000 msedge.exe
1000 msedge.exe
1000 msedge.exe
1000 msedge.exe
1000 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

plugin.exe

pid process

4040 plugin.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file (1).exeplugin.execmd.exemsedge.exe

description	pid	process	target process
PID 4684 wrote to memory of 2492	4684	file (1).exe	cmd.exe
PID 4684 wrote to memory of 2492	4684	file (1).exe	cmd.exe
PID 4684 wrote to memory of 2492	4684	file (1).exe	cmd.exe
PID 4684 wrote to memory of 2356	4684	file (1).exe	cmd.exe
PID 4684 wrote to memory of 2356	4684	file (1).exe	cmd.exe
PID 4684 wrote to memory of 2356	4684	file (1).exe	cmd.exe
PID 4684 wrote to memory of 4040	4684	file (1).exe	plugin.exe
PID 4684 wrote to memory of 4040	4684	file (1).exe	plugin.exe
PID 4684 wrote to memory of 4040	4684	file (1).exe	plugin.exe
PID 4040 wrote to memory of 1168	4040	plugin.exe	watcher.exe
PID 4040 wrote to memory of 1168	4040	plugin.exe	watcher.exe
PID 4040 wrote to memory of 1168	4040	plugin.exe	watcher.exe
PID 2492 wrote to memory of 1000	2492	cmd.exe	msedge.exe
PID 2492 wrote to memory of 1000	2492	cmd.exe	msedge.exe
PID 1000 wrote to memory of 2844	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 2844	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 3152	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 596	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 596	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 5040	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 5040	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 5040	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 5040	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 5040	1000	msedge.exe	msedge.exe
PID 1000 wrote to memory of 5040	1000	msedge.exe	msedge.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

plugin.exewatcher.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	plugin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	watcher.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	watcher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	plugin.exe

C:\Users\Admin\AppData\Local\Temp\file (1).exe
"C:\Users\Admin\AppData\Local\Temp\file (1).exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Windows\SysWOW64\cmd.exe
  /c start http://youporn.ru
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://youporn.ru/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffac05146f8,0x7ffac0514708,0x7ffac0514718
      4⤵
      PID:2844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1876 /prefetch:2
      4⤵
      PID:3152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:3
      4⤵
      PID:596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
      4⤵
      PID:5040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
      4⤵
      PID:2736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
      4⤵
      PID:1972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
      4⤵
      PID:4600
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
      4⤵
      PID:2472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
      4⤵
      PID:996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
      4⤵
      PID:2812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
      4⤵
      PID:4344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:8
      4⤵
      PID:4648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:8
      4⤵
      PID:3080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
      4⤵
      PID:2648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
      4⤵
      PID:2780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1296 /prefetch:2
      4⤵
      PID:3296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\Media\rdb.bat
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:2356
- C:\ProgramData\Media\plugin.exe
  -wait
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4040
- - C:\ProgramData\Media\watcher.exe
    C:\ProgramData\Media\watcher.exe
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - System policy modification
    PID:1168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Media\plugin.exe

Filesize
136KB

MD5
0b37809ae839d24f5a54c3a16f5b4f35

SHA1
d3091cee95575a53ce93b886469924f2603efbdc

SHA256
2902a063774a2092d85dfca18650b87fdc087a337add8012e67ea7cdd5debcc2

SHA512
0a9267efc5c0fc25d812f52ff95bd20bae31a12e78fe1ecf07a6d5a993f2a71a66180ae826b3097982b78c221a7f8313c45403042e54a7247a50e7c3ce984895

Download Submit
C:\ProgramData\Media\plugin.exe:Zone.Identifier

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\Media\rdb.bat

Filesize
97B

MD5
5303b5018a6cd19200b98d31ab04f25d

SHA1
8285eb92f131111e40d2dc864d3b386dad6b9129

SHA256
464648d492af6bb50cf65ddcbdca3e90d4b224ccc6f4ce3944d439b6c32da524

SHA512
654aed00850f6b7e424a5ec5acad086a51fb54f5f944238979f43fa1aac430661250210fe5f38dcd78e46311adc7e6b282cb5c41bebfe5a7d297afd6db6de21b

Download Submit
C:\ProgramData\Media\watcher.exe:Zone.Identifier

Filesize
13B

MD5
38de427224a5082a04fe82e2bd4ea9ec

SHA1
7e4a53de1f83762dd2febd39b818e2258bc83bc1

SHA256
12f99f53144294750fe8713d580eda286f4bd95cd9c840db8ab957def8040028

SHA512
ec3f3c324eeaad91ab0efd47b3084493d863f969344fa1ba87ace1974908053d396673b44c33b4dceeef792a74ad9278e06acc27c83459af1153de52f83afcbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
31fab4ff1555ff625a375f70d3a6183b

SHA1
91a27d6797ea79fd87fa323832b9dcc6e7d4c047

SHA256
4b0ce9e60e5ff1f0f9a75d15f0542bf24aa9374a363dbd86b8575ab60b482424

SHA512
e8ec9fd1af044cf0179a01720faea8448662d365b7979db73217fe2b82a7ed1f2afe2c072a74937b41eb2e3e9826e929fb4bc7991fc4cd3baa3444e68af5fa7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
89abc6d23ad0490db9d8cb189dc739cc

SHA1
3e91985a8723b38397bffb9e881f877ff0e72323

SHA256
8afd08eeff987928aefae287722af32c4e3c500ccc60dcf7bc03a1c98957a388

SHA512
074aeb650f59ce296c9b761be565c2e75583eb72d8d8843a64d093a468115339f4d817a83f93d25d511259dd6ef8f327b7ff27000201f80582f3058cc979a559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f6b44c18acceb2a57bcf30da0371a6e8

SHA1
ce5774920580fc8d2213f3055ec8cc0adab5620f

SHA256
0dad6744f98f32171c0e630c619ce8943fd1b31b1951aa7a88592fa59b274617

SHA512
940638144908f64fcb12fafffebfc286f8c909e94d0ba1e5bcb42484d3bd6f7b8dd107e75183423351b6e56bd69377ebd100226477595040f7931639bd3f9e4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6066978909ff8bd0156aac98779631a1

SHA1
f6d8d4fe0f1980eac600dd59b54a7ace97a59a70

SHA256
58699bdfc239701455f4eab338eaa57313a296c5d5176a3f1aa6186011f87e9a

SHA512
f1338f9c5b6bc3d47313174a9cd9b1c79ccb0574d9d04ec5ef93c6c53c8427f58d97a34588f1270f903faab56f82f2f9491898e82ab7d2f6645847e3790f253a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
60628419f284b3be6f2a14ba68f4c2da

SHA1
751fa3d45dfb072a11c9650aa04c237b132f74f0

SHA256
e620a259a39b1bd914608d94e4bdbdc0009163de05ae6ef2f3a69c885820e4c4

SHA512
774d4f6cc5e040a911158625450f2fa5e4418c2d314475e1dcf538829cb4185e1555aecfa6ed6632b083e401818804b791a29e120243429783d1414b294067b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d97f805121ef4c776c78f57934273d93

SHA1
f88dad4be4fb8dabdc6b614a5a2d3b692cb84c8d

SHA256
5998c31c912a0d8286b78295bedf1e956c792782ed35ee7e25ac551d985becad

SHA512
56069c5499046e4e35b2979f58d5229ebc6df47ff9c657f214f14595b119ea55743d018ae15cf3a2c8c3c055a0ae1e56c33d53abe5bf76908159e23e59358962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
90abca8ba1f19bbfc6f20b5f369d9d0a

SHA1
41edd36bc853b3008242899fb2ac7fadd4c2a703

SHA256
f1053d30f2219a2e611792c1599aa3dc3bfbaa18b12e6f175461a4a3b0920c06

SHA512
345b23a8b0fa2e914065bdbd7acaa797e7a4426dfdde2424866bacb0f3af53364bc57a19486021ab715eb71ef54b1178f70b5c0f53c68f0eae066d9a231da55d

Download Submit