fd84148426c6188c0bdec2e66d1f4fda9392342adb0c225d64aaacce24ce8653

Analysis

max time kernel
135s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file (3).exe
Size

146KB
MD5

f26c45393af03e80a40ea06aafb01c63
SHA1

7c7e2f2e97269fce1777e00fd9a02f378cdc2e60
SHA256

9ce3b4f8b78146df14692b934919b6449227ec79e0e51e446d9f07aabad3415e
SHA512

a445023be352a5055e4e681cb075bad0a3b401c21b30a2aad83c898421b8afd76937bd92326e22119556b390fb1bfb78afd649b98a552e643ee640ad1d62d755
SSDEEP

3072:c0f+6XYD/v+IE1ntwfEqZKfW03DKk9eOxdN/7uzNooX2MsNYFfPu:L7C/Wz1ntwfEq4fHwOZ6FXoE

Score

10^/10

defense_evasion discovery evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

plugin.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" plugin.exe
Executes dropped EXE 1 IoCs

Processes:

plugin.exe

pid process

2188 plugin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

file (3).exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Module = "%ALLUSERSPROFILE%\\Media\\plugin.exe"	file (3).exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

plugin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	plugin.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	plugin.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

cmd.exe

description	ioc	process
File created	C:\ProgramData\Media\plugin.exe:Zone.Identifier	cmd.exe
File created	C:\ProgramData\Media\watcher.exe:Zone.Identifier	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

plugin.exefile (3).execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plugin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file (3).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\ProgramData\Media\plugin.exe:Zone.Identifier	cmd.exe
File created	C:\ProgramData\Media\watcher.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

plugin.exe

pid	process
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe
2188	plugin.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4532 msedge.exe
4532 msedge.exe
4532 msedge.exe
4532 msedge.exe
4532 msedge.exe
4532 msedge.exe
4532 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

plugin.exe

pid process

2188 plugin.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file (3).execmd.exemsedge.exe

description	pid	process	target process
PID 3028 wrote to memory of 3660	3028	file (3).exe	cmd.exe
PID 3028 wrote to memory of 3660	3028	file (3).exe	cmd.exe
PID 3028 wrote to memory of 3660	3028	file (3).exe	cmd.exe
PID 3028 wrote to memory of 3096	3028	file (3).exe	cmd.exe
PID 3028 wrote to memory of 3096	3028	file (3).exe	cmd.exe
PID 3028 wrote to memory of 3096	3028	file (3).exe	cmd.exe
PID 3028 wrote to memory of 2188	3028	file (3).exe	plugin.exe
PID 3028 wrote to memory of 2188	3028	file (3).exe	plugin.exe
PID 3028 wrote to memory of 2188	3028	file (3).exe	plugin.exe
PID 3660 wrote to memory of 4532	3660	cmd.exe	msedge.exe
PID 3660 wrote to memory of 4532	3660	cmd.exe	msedge.exe
PID 4532 wrote to memory of 4544	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 4544	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 3452	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2980	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2980	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 4936	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 4936	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 4936	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 4936	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 4936	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 4936	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 4936	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 4936	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 4936	4532	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

plugin.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	plugin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	plugin.exe

C:\Users\Admin\AppData\Local\Temp\file (3).exe
"C:\Users\Admin\AppData\Local\Temp\file (3).exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\cmd.exe
  /c start http://www.tnaflix.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.tnaflix.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe585646f8,0x7ffe58564708,0x7ffe58564718
      4⤵
      PID:4544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1668,17032217392086847434,5597332828399235564,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
      4⤵
      PID:3452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1668,17032217392086847434,5597332828399235564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
      4⤵
      PID:2980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1668,17032217392086847434,5597332828399235564,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
      4⤵
      PID:4936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1668,17032217392086847434,5597332828399235564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
      4⤵
      PID:3332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1668,17032217392086847434,5597332828399235564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
      4⤵
      PID:2436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1668,17032217392086847434,5597332828399235564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
      4⤵
      PID:3492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1668,17032217392086847434,5597332828399235564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
      4⤵
      PID:1448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1668,17032217392086847434,5597332828399235564,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
      4⤵
      PID:2300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1668,17032217392086847434,5597332828399235564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
      4⤵
      PID:2280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1668,17032217392086847434,5597332828399235564,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
      4⤵
      PID:2856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1668,17032217392086847434,5597332828399235564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 /prefetch:8
      4⤵
      PID:856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1668,17032217392086847434,5597332828399235564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 /prefetch:8
      4⤵
      PID:1156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1668,17032217392086847434,5597332828399235564,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3504 /prefetch:2
      4⤵
      PID:5008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\ProgramData\Media\rdb.bat
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:3096
- C:\ProgramData\Media\plugin.exe
  -wait
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Media\plugin.exe

Filesize
146KB

MD5
f26c45393af03e80a40ea06aafb01c63

SHA1
7c7e2f2e97269fce1777e00fd9a02f378cdc2e60

SHA256
9ce3b4f8b78146df14692b934919b6449227ec79e0e51e446d9f07aabad3415e

SHA512
a445023be352a5055e4e681cb075bad0a3b401c21b30a2aad83c898421b8afd76937bd92326e22119556b390fb1bfb78afd649b98a552e643ee640ad1d62d755

Download Submit
C:\ProgramData\Media\plugin.exe:Zone.Identifier

Filesize
13B

MD5
38de427224a5082a04fe82e2bd4ea9ec

SHA1
7e4a53de1f83762dd2febd39b818e2258bc83bc1

SHA256
12f99f53144294750fe8713d580eda286f4bd95cd9c840db8ab957def8040028

SHA512
ec3f3c324eeaad91ab0efd47b3084493d863f969344fa1ba87ace1974908053d396673b44c33b4dceeef792a74ad9278e06acc27c83459af1153de52f83afcbf

Download Submit
C:\ProgramData\Media\rdb.bat

Filesize
97B

MD5
5303b5018a6cd19200b98d31ab04f25d

SHA1
8285eb92f131111e40d2dc864d3b386dad6b9129

SHA256
464648d492af6bb50cf65ddcbdca3e90d4b224ccc6f4ce3944d439b6c32da524

SHA512
654aed00850f6b7e424a5ec5acad086a51fb54f5f944238979f43fa1aac430661250210fe5f38dcd78e46311adc7e6b282cb5c41bebfe5a7d297afd6db6de21b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
359d1412df49c3e676bf03a1d3715f05

SHA1
bc3d832a72ca9c45bc7d2b02c9b3964b9440f4ce

SHA256
970ad8a1ef65617cf7becf2da72abdaf7bf6c75944756141f688e7f17500c8cd

SHA512
a9c68b0e24262389d7370140e828b4c44524e9fafb60368e98d3c914b299038e31d84d7ba0534dbd19a62d52012fcff8d1117de946219cfe3ab68d4117327d3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a1df7365cc55ee98f9cac3de0491ad59

SHA1
d7ac725ac0b99c7f14b7a22b683613ddbb5235a4

SHA256
71b87000e839be1b92590009000e06b39f34d847b0f43a20d3eed3dbe8d92d00

SHA512
2db6e15884fdf26d7813bfbe953bfbf85afdda010675f82ff9c01baee1489792fe7e49250b43ebad9dbfdec7a34c0524e38780b27f251c9d0e10e9b258217c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
66408243ed667b6d919453955a129372

SHA1
43a577f93992cdc1b1878fa6f92054bc50ee9626

SHA256
c1118b9238f3d154aefea37c83f54c70c6d87f118dff4dab5f666d5019d6542b

SHA512
4bf357078737880637dddbabd762083ab393b81cd9eb66f50012c10584380616503bed3da78246d862908825d06389a7f11ef20ac5b787a6b93394c504d8c00b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f37ddaa18a82cf0fc58805acd3b6ba15

SHA1
dcc7d9c79bced628a8d851fdda0d6a7111791983

SHA256
4f0eaf752cc5770626e7f101b661cd99dac7ccdeda4ec7e0c7f14cb81bb8ad3b

SHA512
d1f8d6125bb517604e84e808e8493d2a0496890082ea0abfc5d000be2334791801604266c575952c8c3de9527c2e7bb30ee1b7d3162a175920f1087abd56430b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
09755768ba197f58d1d800cd0a02f4c7

SHA1
2f3d8a0fec24c66124bfbff9159487115bb3038a

SHA256
345ad36ddec58d29d6f4298606647e2ac6e25356e97010f95cd4ddf8d79ac0a8

SHA512
e0723888f0f7e832fd509b0f7d1d4e08b00d926dddaa392f324af5e531c09892a6ec50643b0c6ae68069726ad5b5fa54b6d879c247a1cc717d265bd2911f323c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1c11d90373a9d16f2c5c62c27eb2a59a

SHA1
8d40f930971c619c10d6a9fb3262508c47b4f9d1

SHA256
b1191b980aaa95b6cc7a75eedfe9123ca970f05d57cd0c8cb131ac7863373639

SHA512
6eba057aca2d82fad9761625024e47029bc19df2b43b813756cab47f1e7a0c45def05704f6f41cd440de713b69cf7d9a3f60ede03d105258fd7cfd358d20781a

Download Submit
\??\pipe\LOCAL\crashpad_4532_WVJTQZHJNCUASUXP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2188-92-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2188-184-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2188-15-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2188-227-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3028-90-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3028-89-0x000000000041C000-0x0000000000421000-memory.dmp

Filesize
20KB

Download
memory/3028-0-0x000000000041C000-0x0000000000421000-memory.dmp

Filesize
20KB

Download
memory/3028-2-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3028-1-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download