Analysis
max time kernel: 146s
max time network: 150s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 30-11-2024 04:07
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://drive.google.com/file/d/1QUAiuz2O64llSNMg_JzUFDwFzD9si9ac/view?pli=1
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: https://drive.google.com/file/d/1QUAiuz2O64llSNMg_JzUFDwFzD9si9ac/view?pli=1
  Resource: win10ltsc2021-20241023-en
Behavioral task: behavioral3
  Sample: https://drive.google.com/file/d/1QUAiuz2O64llSNMg_JzUFDwFzD9si9ac/view?pli=1
  Resource: win11-20241007-en
General
Target: https://drive.google.com/file/d/1QUAiuz2O64llSNMg_JzUFDwFzD9si9ac/view?pli=1
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\B: | ERROR 408.exe
File opened (read-only) | \??\J: | ERROR 408.exe
File opened (read-only) | \??\K: | ERROR 408.exe
File opened (read-only) | \??\S: | ERROR 408.exe
File opened (read-only) | \??\V: | ERROR 408.exe
File opened (read-only) | \??\G: | ERROR 408.exe
File opened (read-only) | \??\W: | ERROR 408.exe
File opened (read-only) | \??\X: | ERROR 408.exe
File opened (read-only) | \??\I: | ERROR 408.exe
File opened (read-only) | \??\L: | ERROR 408.exe
File opened (read-only) | \??\N: | ERROR 408.exe
File opened (read-only) | \??\Q: | ERROR 408.exe
File opened (read-only) | \??\R: | ERROR 408.exe
File opened (read-only) | \??\T: | ERROR 408.exe
File opened (read-only) | \??\U: | ERROR 408.exe
File opened (read-only) | \??\Y: | ERROR 408.exe
File opened (read-only) | \??\Z: | ERROR 408.exe
File opened (read-only) | \??\A: | ERROR 408.exe
File opened (read-only) | \??\E: | ERROR 408.exe
File opened (read-only) | \??\H: | ERROR 408.exe
File opened (read-only) | \??\M: | ERROR 408.exe
File opened (read-only) | \??\O: | ERROR 408.exe
File opened (read-only) | \??\P: | ERROR 408.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow | ioc
8 | drive.google.com
10 | drive.google.com
Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\bce67fa8-154a-40b6-ba3c-5d6c9bee4ebe.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241130040807.pma | setup.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ERROR 408.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings | msedge.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1669812756-2240353048-2660728061-1000\{3AEA7504-1BE3-45CA-A12E-13913B1AD121} | ERROR 408.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | Process
1972 | msedge.exe
1972 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
4632 | identity_helper.exe
4632 | identity_helper.exe
5328 | msedge.exe
5328 | msedge.exe
4236 | msedge.exe
4236 | msedge.exe
4236 | msedge.exe
4236 | msedge.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
5876 | ERROR 408.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
pid | Process
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 5876 | ERROR 408.exe
Token: SeCreatePagefilePrivilege | 5876 | ERROR 408.exe
Token: 33 | 1116 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1116 | AUDIODG.EXE
Token: SeShutdownPrivilege | 5876 | ERROR 408.exe
Token: SeCreatePagefilePrivilege | 5876 | ERROR 408.exe
Suspicious use of FindShellTrayWindow (41 IoCs)
pid | Process
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
3488 | msedge.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3488 wrote to memory of 3896 | 3488 | msedge.exe | 80
PID 3488 wrote to memory of 3896 | 3488 | msedge.exe | 80
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 2728 | 3488 | msedge.exe | 81
PID 3488 wrote to memory of 1972 | 3488 | msedge.exe | 82
PID 3488 wrote to memory of 1972 | 3488 | msedge.exe | 82
PID 3488 wrote to memory of 3684 | 3488 | msedge.exe | 83
PID 3488 wrote to memory of 3684 | 3488 | msedge.exe | 83
PID 3488 wrote to memory of 3684 | 3488 | msedge.exe | 83
PID 3488 wrote to memory of 3684 | 3488 | msedge.exe | 83
PID 3488 wrote to memory of 3684 | 3488 | msedge.exe | 83
PID 3488 wrote to memory of 3684 | 3488 | msedge.exe | 83
PID 3488 wrote to memory of 3684 | 3488 | msedge.exe | 83
PID 3488 wrote to memory of 3684 | 3488 | msedge.exe | 83
PID 3488 wrote to memory of 3684 | 3488 | msedge.exe | 83
PID 3488 wrote to memory of 3684 | 3488 | msedge.exe | 83
PID 3488 wrote to memory of 3684 | 3488 | msedge.exe | 83
PID 3488 wrote to memory of 3684 | 3488 | msedge.exe | 83
PID 3488 wrote to memory of 3684 | 3488 | msedge.exe | 83
PID 3488 wrote to memory of 3684 | 3488 | msedge.exe | 83
PID 3488 wrote to memory of 3684 | 3488 | msedge.exe | 83
PID 3488 wrote to memory of 3684 | 3488 | msedge.exe | 83
PID 3488 wrote to memory of 3684 | 3488 | msedge.exe | 83
PID 3488 wrote to memory of 3684 | 3488 | msedge.exe | 83
PID 3488 wrote to memory of 3684 | 3488 | msedge.exe | 83
PID 3488 wrote to memory of 3684 | 3488 | msedge.exe | 83
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3488, depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1QUAiuz2O64llSNMg_JzUFDwFzD9si9ac/view?pli=1
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3896, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffa11c046f8,0x7ffa11c04708,0x7ffa11c04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2728, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,2509741295804750816,16064755425440401374,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1972, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,2509741295804750816,16064755425440401374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3684, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,2509741295804750816,16064755425440401374,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 100, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2509741295804750816,16064755425440401374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4732, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2509741295804750816,16064755425440401374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 788, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2509741295804750816,16064755425440401374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2588, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,2509741295804750816,16064755425440401374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (PID 3772, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  - Drops file in Program Files directory

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (PID 4068, depth 3)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6af545460,0x7ff6af545470,0x7ff6af545480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4632, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,2509741295804750816,16064755425440401374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2588, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2509741295804750816,16064755425440401374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4760, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2509741295804750816,16064755425440401374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4532, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2509741295804750816,16064755425440401374,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 476, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2509741295804750816,16064755425440401374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3188, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,2509741295804750816,16064755425440401374,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6176 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2116, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2509741295804750816,16064755425440401374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1552, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,2509741295804750816,16064755425440401374,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5328, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,2509741295804750816,16064755425440401374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4076 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4236, depth 2)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,2509741295804750816,16064755425440401374,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3848 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe (PID 4440, depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 1500, depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe (PID 5636, depth 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\error408(Fixed)\error408\ERROR 408.exe (PID 5876, depth 1)
  Command line: "C:\Users\Admin\Downloads\error408(Fixed)\error408\ERROR 408.exe"
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AUDIODG.EXE (PID 1116, depth 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x450 0x2d4
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads