Overview
overview
10Static
static
10FD4DC9B2BF...4B.exe
windows7-x64
1FD4DC9B2BF...4B.exe
windows10-2004-x64
1Flyper.exe
windows7-x64
1Flyper.exe
windows10-2004-x64
1Flyper2.exe
windows7-x64
1Flyper2.exe
windows10-2004-x64
1Flyper3.exe
windows7-x64
1Flyper3.exe
windows10-2004-x64
1Free YouTu...er.exe
windows7-x64
3Free YouTu...er.exe
windows10-2004-x64
3FreeYoutub...16.exe
windows7-x64
7FreeYoutub...16.exe
windows10-2004-x64
7file (1).exe
windows7-x64
10file (1).exe
windows10-2004-x64
10file (2).exe
windows7-x64
6file (2).exe
windows10-2004-x64
10file (3).exe
windows7-x64
10file (3).exe
windows10-2004-x64
10file (4).exe
windows7-x64
10file (4).exe
windows10-2004-x64
10file (6).exe
windows7-x64
10file (6).exe
windows10-2004-x64
10file (7).exe
windows7-x64
1file (7).exe
windows10-2004-x64
3file.exe
windows7-x64
5file.exe
windows10-2004-x64
5file_ (1).exe
windows7-x64
7file_ (1).exe
windows10-2004-x64
7file_ (2).exe
windows7-x64
7file_ (2).exe
windows10-2004-x64
7file_ (3).exe
windows7-x64
7file_ (3).exe
windows10-2004-x64
7Analysis
-
max time kernel
139s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-11-2024 03:43
Behavioral task
behavioral1
Sample
FD4DC9B2BFF8D75A704E8FE33C63DA4B.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
FD4DC9B2BFF8D75A704E8FE33C63DA4B.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Flyper.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
Flyper.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Flyper2.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Flyper2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Flyper3.exe
Resource
win7-20241010-en
Behavioral task
behavioral8
Sample
Flyper3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
Free YouTube Downloader.exe
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
Free YouTube Downloader.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
FreeYoutubeDownloader11012016.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
FreeYoutubeDownloader11012016.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
file (1).exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
file (1).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
file (2).exe
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
file (2).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
file (3).exe
Resource
win7-20241010-en
Behavioral task
behavioral18
Sample
file (3).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
file (4).exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
file (4).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
file (6).exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
file (6).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
file (7).exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
file (7).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
file.exe
Resource
win7-20241023-en
Behavioral task
behavioral26
Sample
file.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
file_ (1).exe
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
file_ (1).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
file_ (2).exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
file_ (2).exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
file_ (3).exe
Resource
win7-20241023-en
General
-
Target
file (1).exe
-
Size
136KB
-
MD5
0b37809ae839d24f5a54c3a16f5b4f35
-
SHA1
d3091cee95575a53ce93b886469924f2603efbdc
-
SHA256
2902a063774a2092d85dfca18650b87fdc087a337add8012e67ea7cdd5debcc2
-
SHA512
0a9267efc5c0fc25d812f52ff95bd20bae31a12e78fe1ecf07a6d5a993f2a71a66180ae826b3097982b78c221a7f8313c45403042e54a7247a50e7c3ce984895
-
SSDEEP
3072:4PTKQFRiVdubWibOQNi3MWL4FksNYFfPK:4PFRwAbpi3MDEK
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" plugin.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" watcher.exe -
Executes dropped EXE 2 IoCs
pid Process 4040 plugin.exe 1168 watcher.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Module = "%ALLUSERSPROFILE%\\Media\\plugin.exe" file (1).exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" plugin.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA plugin.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" watcher.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA watcher.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File created C:\ProgramData\Media\plugin.exe:Zone.Identifier cmd.exe File created C:\ProgramData\Media\watcher.exe:Zone.Identifier cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language plugin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language watcher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language file (1).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
NTFS ADS 2 IoCs
description ioc Process File created C:\ProgramData\Media\watcher.exe:Zone.Identifier cmd.exe File created C:\ProgramData\Media\plugin.exe:Zone.Identifier cmd.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4040 plugin.exe 4040 plugin.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe 1168 watcher.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
pid Process 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe 1000 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4040 plugin.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4684 wrote to memory of 2492 4684 file (1).exe 83 PID 4684 wrote to memory of 2492 4684 file (1).exe 83 PID 4684 wrote to memory of 2492 4684 file (1).exe 83 PID 4684 wrote to memory of 2356 4684 file (1).exe 84 PID 4684 wrote to memory of 2356 4684 file (1).exe 84 PID 4684 wrote to memory of 2356 4684 file (1).exe 84 PID 4684 wrote to memory of 4040 4684 file (1).exe 87 PID 4684 wrote to memory of 4040 4684 file (1).exe 87 PID 4684 wrote to memory of 4040 4684 file (1).exe 87 PID 4040 wrote to memory of 1168 4040 plugin.exe 88 PID 4040 wrote to memory of 1168 4040 plugin.exe 88 PID 4040 wrote to memory of 1168 4040 plugin.exe 88 PID 2492 wrote to memory of 1000 2492 cmd.exe 89 PID 2492 wrote to memory of 1000 2492 cmd.exe 89 PID 1000 wrote to memory of 2844 1000 msedge.exe 91 PID 1000 wrote to memory of 2844 1000 msedge.exe 91 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 3152 1000 msedge.exe 92 PID 1000 wrote to memory of 596 1000 msedge.exe 93 PID 1000 wrote to memory of 596 1000 msedge.exe 93 PID 1000 wrote to memory of 5040 1000 msedge.exe 94 PID 1000 wrote to memory of 5040 1000 msedge.exe 94 PID 1000 wrote to memory of 5040 1000 msedge.exe 94 PID 1000 wrote to memory of 5040 1000 msedge.exe 94 PID 1000 wrote to memory of 5040 1000 msedge.exe 94 PID 1000 wrote to memory of 5040 1000 msedge.exe 94 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" plugin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System watcher.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" watcher.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System plugin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file (1).exe"C:\Users\Admin\AppData\Local\Temp\file (1).exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\cmd.exe/c start http://youporn.ru2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://youporn.ru/3⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffac05146f8,0x7ffac0514708,0x7ffac05147184⤵PID:2844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1876 /prefetch:24⤵PID:3152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:34⤵PID:596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:84⤵PID:5040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:14⤵PID:2736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:14⤵PID:1972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:14⤵PID:4600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:14⤵PID:2472
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:14⤵PID:996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:14⤵PID:2812
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:14⤵PID:4344
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:84⤵PID:4648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:84⤵PID:3080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:14⤵PID:2648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:14⤵PID:2780
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1456,1022533162666252705,10778519582212624218,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1296 /prefetch:24⤵PID:3296
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\Media\rdb.bat2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:2356
-
-
C:\ProgramData\Media\plugin.exe-wait2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4040 -
C:\ProgramData\Media\watcher.exeC:\ProgramData\Media\watcher.exe3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:1168
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3348
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3260
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
3Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
136KB
MD50b37809ae839d24f5a54c3a16f5b4f35
SHA1d3091cee95575a53ce93b886469924f2603efbdc
SHA2562902a063774a2092d85dfca18650b87fdc087a337add8012e67ea7cdd5debcc2
SHA5120a9267efc5c0fc25d812f52ff95bd20bae31a12e78fe1ecf07a6d5a993f2a71a66180ae826b3097982b78c221a7f8313c45403042e54a7247a50e7c3ce984895
-
Filesize
97B
MD55303b5018a6cd19200b98d31ab04f25d
SHA18285eb92f131111e40d2dc864d3b386dad6b9129
SHA256464648d492af6bb50cf65ddcbdca3e90d4b224ccc6f4ce3944d439b6c32da524
SHA512654aed00850f6b7e424a5ec5acad086a51fb54f5f944238979f43fa1aac430661250210fe5f38dcd78e46311adc7e6b282cb5c41bebfe5a7d297afd6db6de21b
-
Filesize
13B
MD538de427224a5082a04fe82e2bd4ea9ec
SHA17e4a53de1f83762dd2febd39b818e2258bc83bc1
SHA25612f99f53144294750fe8713d580eda286f4bd95cd9c840db8ab957def8040028
SHA512ec3f3c324eeaad91ab0efd47b3084493d863f969344fa1ba87ace1974908053d396673b44c33b4dceeef792a74ad9278e06acc27c83459af1153de52f83afcbf
-
Filesize
1KB
MD555540a230bdab55187a841cfe1aa1545
SHA1363e4734f757bdeb89868efe94907774a327695e
SHA256d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize328B
MD531fab4ff1555ff625a375f70d3a6183b
SHA191a27d6797ea79fd87fa323832b9dcc6e7d4c047
SHA2564b0ce9e60e5ff1f0f9a75d15f0542bf24aa9374a363dbd86b8575ab60b482424
SHA512e8ec9fd1af044cf0179a01720faea8448662d365b7979db73217fe2b82a7ed1f2afe2c072a74937b41eb2e3e9826e929fb4bc7991fc4cd3baa3444e68af5fa7b
-
Filesize
152B
MD5c2d9eeb3fdd75834f0ac3f9767de8d6f
SHA14d16a7e82190f8490a00008bd53d85fb92e379b0
SHA2561e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66
SHA512d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd
-
Filesize
152B
MD5e55832d7cd7e868a2c087c4c73678018
SHA1ed7a2f6d6437e907218ffba9128802eaf414a0eb
SHA256a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574
SHA512897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD589abc6d23ad0490db9d8cb189dc739cc
SHA13e91985a8723b38397bffb9e881f877ff0e72323
SHA2568afd08eeff987928aefae287722af32c4e3c500ccc60dcf7bc03a1c98957a388
SHA512074aeb650f59ce296c9b761be565c2e75583eb72d8d8843a64d093a468115339f4d817a83f93d25d511259dd6ef8f327b7ff27000201f80582f3058cc979a559
-
Filesize
1KB
MD5f6b44c18acceb2a57bcf30da0371a6e8
SHA1ce5774920580fc8d2213f3055ec8cc0adab5620f
SHA2560dad6744f98f32171c0e630c619ce8943fd1b31b1951aa7a88592fa59b274617
SHA512940638144908f64fcb12fafffebfc286f8c909e94d0ba1e5bcb42484d3bd6f7b8dd107e75183423351b6e56bd69377ebd100226477595040f7931639bd3f9e4a
-
Filesize
5KB
MD56066978909ff8bd0156aac98779631a1
SHA1f6d8d4fe0f1980eac600dd59b54a7ace97a59a70
SHA25658699bdfc239701455f4eab338eaa57313a296c5d5176a3f1aa6186011f87e9a
SHA512f1338f9c5b6bc3d47313174a9cd9b1c79ccb0574d9d04ec5ef93c6c53c8427f58d97a34588f1270f903faab56f82f2f9491898e82ab7d2f6645847e3790f253a
-
Filesize
6KB
MD560628419f284b3be6f2a14ba68f4c2da
SHA1751fa3d45dfb072a11c9650aa04c237b132f74f0
SHA256e620a259a39b1bd914608d94e4bdbdc0009163de05ae6ef2f3a69c885820e4c4
SHA512774d4f6cc5e040a911158625450f2fa5e4418c2d314475e1dcf538829cb4185e1555aecfa6ed6632b083e401818804b791a29e120243429783d1414b294067b6
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5d97f805121ef4c776c78f57934273d93
SHA1f88dad4be4fb8dabdc6b614a5a2d3b692cb84c8d
SHA2565998c31c912a0d8286b78295bedf1e956c792782ed35ee7e25ac551d985becad
SHA51256069c5499046e4e35b2979f58d5229ebc6df47ff9c657f214f14595b119ea55743d018ae15cf3a2c8c3c055a0ae1e56c33d53abe5bf76908159e23e59358962
-
Filesize
10KB
MD590abca8ba1f19bbfc6f20b5f369d9d0a
SHA141edd36bc853b3008242899fb2ac7fadd4c2a703
SHA256f1053d30f2219a2e611792c1599aa3dc3bfbaa18b12e6f175461a4a3b0920c06
SHA512345b23a8b0fa2e914065bdbd7acaa797e7a4426dfdde2424866bacb0f3af53364bc57a19486021ab715eb71ef54b1178f70b5c0f53c68f0eae066d9a231da55d