hxxps://github[.]com/AyuGram/AyuGramDesktop

Analysis

max time kernel
110s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2024, 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/AyuGram/AyuGramDesktop

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
5108	AyuGram.exe
5048	AyuGram.exe
4956	AyuGram.exe
3908	AyuGram.exe
4456	AyuGram.exe
2204	AyuGram.exe
376	AyuGram.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	AyuGram.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
37	raw.githubusercontent.com
30	raw.githubusercontent.com
32	raw.githubusercontent.com
33	raw.githubusercontent.com
34	raw.githubusercontent.com
35	raw.githubusercontent.com
36	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AyuGram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	AyuGram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	AyuGram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	AyuGram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	AyuGram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AyuGram.exe

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tonsite\shell	AyuGram.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tonsite\shell\open	AyuGram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\AyuGram.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\Downloads\\AyuGram.exe,1\""	AyuGram.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\AyuGram.tg\shell\open	AyuGram.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tg	AyuGram.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tdesktop.tonsite\shell	AyuGram.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tonsite	AyuGram.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tdesktop.tonsite\shell\open	AyuGram.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tdesktop.tonsite\shell\open\command	AyuGram.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tonsite\shell\open\command	AyuGram.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\AyuGram.tg	AyuGram.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tg\shell\open\command	AyuGram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tonsite\URL Protocol	AyuGram.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tonsite\DefaultIcon	AyuGram.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\AyuGram.tg\shell\open\command	AyuGram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tg\ = "URL:Telegram Link"	AyuGram.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tg\shell\open	AyuGram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\Downloads\\AyuGram.exe,1\""	AyuGram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\AyuGram.exe\" -- \"%1\""	AyuGram.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tdesktop.tonsite\DefaultIcon	AyuGram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tonsite\ = "URL:TonSite Link"	AyuGram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tonsite\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\AyuGram.exe\" -- \"%1\""	AyuGram.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\AyuGram.tg\DefaultIcon	AyuGram.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\AyuGram.tg\shell	AyuGram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\AyuGram.tg\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\AyuGram.exe\" -- \"%1\""	AyuGram.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tg\DefaultIcon	AyuGram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tonsite\DefaultIcon\ = "\"C:\\Users\\Admin\\Downloads\\AyuGram.exe,1\""	AyuGram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tg\URL Protocol	AyuGram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tdesktop.tonsite\DefaultIcon\ = "\"C:\\Users\\Admin\\Downloads\\AyuGram.exe,1\""	AyuGram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tdesktop.tonsite\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\AyuGram.exe\" -- \"%1\""	AyuGram.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tg\shell	AyuGram.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\tdesktop.tonsite	AyuGram.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 107779.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 7 IoCs

pid	Process
5108	AyuGram.exe
5048	AyuGram.exe
4956	AyuGram.exe
3908	AyuGram.exe
4456	AyuGram.exe
2204	AyuGram.exe
376	AyuGram.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3128	msedge.exe
3128	msedge.exe
3388	msedge.exe
3388	msedge.exe
1372	identity_helper.exe
1372	identity_helper.exe
400	msedge.exe
400	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
5108	AyuGram.exe
5108	AyuGram.exe
5108	AyuGram.exe
5108	AyuGram.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5108	AyuGram.exe
5108	AyuGram.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 5080	3388	msedge.exe	82
PID 3388 wrote to memory of 5080	3388	msedge.exe	82
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3496	3388	msedge.exe	83
PID 3388 wrote to memory of 3128	3388	msedge.exe	84
PID 3388 wrote to memory of 3128	3388	msedge.exe	84
PID 3388 wrote to memory of 2268	3388	msedge.exe	85
PID 3388 wrote to memory of 2268	3388	msedge.exe	85
PID 3388 wrote to memory of 2268	3388	msedge.exe	85
PID 3388 wrote to memory of 2268	3388	msedge.exe	85
PID 3388 wrote to memory of 2268	3388	msedge.exe	85
PID 3388 wrote to memory of 2268	3388	msedge.exe	85
PID 3388 wrote to memory of 2268	3388	msedge.exe	85
PID 3388 wrote to memory of 2268	3388	msedge.exe	85
PID 3388 wrote to memory of 2268	3388	msedge.exe	85
PID 3388 wrote to memory of 2268	3388	msedge.exe	85
PID 3388 wrote to memory of 2268	3388	msedge.exe	85
PID 3388 wrote to memory of 2268	3388	msedge.exe	85
PID 3388 wrote to memory of 2268	3388	msedge.exe	85
PID 3388 wrote to memory of 2268	3388	msedge.exe	85
PID 3388 wrote to memory of 2268	3388	msedge.exe	85
PID 3388 wrote to memory of 2268	3388	msedge.exe	85
PID 3388 wrote to memory of 2268	3388	msedge.exe	85
PID 3388 wrote to memory of 2268	3388	msedge.exe	85
PID 3388 wrote to memory of 2268	3388	msedge.exe	85
PID 3388 wrote to memory of 2268	3388	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/AyuGram/AyuGramDesktop
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9264246f8,0x7ff926424708,0x7ff926424718
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6001258568610052769,2667266998755652246,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,6001258568610052769,2667266998755652246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,6001258568610052769,2667266998755652246,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6001258568610052769,2667266998755652246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6001258568610052769,2667266998755652246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6001258568610052769,2667266998755652246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:8
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6001258568610052769,2667266998755652246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6001258568610052769,2667266998755652246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6001258568610052769,2667266998755652246,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6001258568610052769,2667266998755652246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6001258568610052769,2667266998755652246,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,6001258568610052769,2667266998755652246,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3828 /prefetch:8
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6001258568610052769,2667266998755652246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,6001258568610052769,2667266998755652246,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,6001258568610052769,2667266998755652246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:400
- C:\Users\Admin\Downloads\AyuGram.exe
  "C:\Users\Admin\Downloads\AyuGram.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5108
- C:\Users\Admin\Downloads\AyuGram.exe
  "C:\Users\Admin\Downloads\AyuGram.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  PID:4956
- C:\Users\Admin\Downloads\AyuGram.exe
  "C:\Users\Admin\Downloads\AyuGram.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  PID:5048
- C:\Users\Admin\Downloads\AyuGram.exe
  "C:\Users\Admin\Downloads\AyuGram.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  PID:3908
- C:\Users\Admin\Downloads\AyuGram.exe
  "C:\Users\Admin\Downloads\AyuGram.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  PID:4456
- C:\Users\Admin\Downloads\AyuGram.exe
  "C:\Users\Admin\Downloads\AyuGram.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  PID:2204
- C:\Users\Admin\Downloads\AyuGram.exe
  "C:\Users\Admin\Downloads\AyuGram.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  PID:376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4a57cfc02af1f175e66ef104849a1701

SHA1
4e8cb99b4bc552f5d191f73b9bf88622730da1bc

SHA256
9999d354d71b5816fe244063ce3251a912566ea93c0043130d89d7872aaf68f2

SHA512
37eed976b8c17fd27b8791a17da3a9e43c69e32acdd32a07ce957072fd59ba6146242b33f59bfa5aeb694ba162f49b06c05e23cbf5d28b1d0c0b2d5d8c52ab60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
fc8f18eb5a0ff1a0ece771a977e7b648

SHA1
3943c8476db5dc01d66b9ef0e66baa2e31cd5019

SHA256
ce34bb347ba803e839beeccb091268c67db08bd1cdfc442803502cf0f2903b69

SHA512
24631f70dcdc57ba14d1ffd98fe860f5f0877b4aa95292e03baa088fdbfdc4fd6e87ab09eb82b605d69d5fb063cf11566ee950edcaa15e56219e0de5b66c75da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
15a20a2b578c5da53505c8230d8204fe

SHA1
2c260cb6c4555b91d3bfb84b6314cd71309aa3fc

SHA256
359f1a5865853943faa648f6807cc49b89666a60fb2bb2d1f18773ac4128c4dd

SHA512
bcd18314c90b7ca4c837307d87fac4fdfa60033bbb95a86891ec5978d3497375d4b692255b8b896338b62ce2a6c2e48924ebe6bd82e86e671f770a4084bf3baf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9361f35a88fe3f61daba1b872f982196

SHA1
f28cb3b856e1ab408c6cd858cb7eceed8d785a12

SHA256
8702af3913471d69e4c3b8eff3531b2da1d75f4d8dac8978fdfb32606903f6cf

SHA512
3495896ec018879e2e463c9171fae9d4f79ba3a98f343b159d9fc4e87db389484ae7012ce29f161a886f36fd1dd6e3d32f2961b4030a184c4f7ef7b1fd4a35eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f51e49503b72df8c2517e486f468644a

SHA1
c8fd78af2c024faf889f310996fb45f30e78b84a

SHA256
14df82cc2d2703e38e19913bbf70a14bcbdaeb0ee69b6ec8818c742e489d363e

SHA512
74d973316b4950be9109e5d819401c7b7287f8f867d2841aaf6582a16df41cd5c6e369b87f75c7147ea6783a82784cf143a587ab38ee9d4ac1163953765b4f83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
af549e1155257fbc567b1876f5584371

SHA1
337513e445ab0e5b37bced7869f7a04f20c2e422

SHA256
e89c4608af376628a208f51672c81960b8bf68cd3235ae29f1c66075533d89cd

SHA512
15517d1d9c438564177d9017dfc8c4be10e9dddf46685b2db22d8903bfe045f063ed5fff2dbe21652577364cc7cb2e5d618ebbc8499cb8a49b1bda256f86e24d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5828ef.TMP

Filesize
1KB

MD5
cf04f30c0f01146c751679d3bed8c468

SHA1
c232c6cdd393a80a10aef4d176dd0316c893de76

SHA256
9beeeaf2b4f64c6f502c550c772c74d33f43403af31093377b2e9a6d3dadbedc

SHA512
0d84ad742400633ca6981096534561e2e0508facd41824b1b1ab6226488aaae1e886d0f81479ac64b7d29644743f1064365f1ec67c5580dd386c0800d419add5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2230229090130e6d4fd88276ab3aa41d

SHA1
d3266e9cae0c1404680020cfbcc6160062b9215b

SHA256
17c52295eb4f34268f9d54a86b3f64411378212d6c97631748e7d8df8f2013f5

SHA512
a09b31be38e34a697cda069567bcb9a6732d0d00bdaf87ecc1e39c77ac36a4a50a16ccfadb25c6aff92ee832719f0bc518feacc94f541ba32b95340dc6441c8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
453e846e8109e20226e4a19836ecab6a

SHA1
7ff636e6051999439ab241ce74df06f22f333d9b

SHA256
2621b0c616c2f942125ee8e565ea10cb532ece25ad02c05028b9797f6f15c98b

SHA512
f5efefba41bf637fa447b3237eabe81c6eeab5a6e38c645361a883dd5f9a086fd6ca13490f25017acf59bc8ddeaab4b1ef5b5b052842567d1a9a7d93a97d1f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\10bd948f498e5339faf5fcfd26bc6852-{87A94AB0-E370-4cde-98D3-ACC110C59666}

Filesize
60B

MD5
ee4c8275c5f3677444635d00e398a7f3

SHA1
da4ad4eef2c0e90ac20262530386ff395a7f1065

SHA256
dfc471ec638b74fbba92bbeaea76673af0da1a7125d6f3b99d0a9eb85801b8a9

SHA512
9c7f6d34c69c404cb262c13e83403ba0d9ecf87af8c87229869463ca1b967790c2cae781d3769e3004c4482da7e7c60fe22d9eb46a66812a361ea62026cdcad3

Download Submit
C:\Users\Admin\Downloads\tdata\ayu_settings.json

Filesize
1KB

MD5
1fcbb597d29a1adc2746c584f3be8976

SHA1
9f9703a7d7ddf3bc31f6aa0a55086fdb718ccd5a

SHA256
0fe5342e2112bfc794cf248502c5e513e1a8b198fa60b7ec9d562d8ee47098cf

SHA512
75b69eca44a5e879171ac1f0f565dbfec807180173f7643c535a01f5983246fdfb48c948715e421412e74f263711fbd7e4d816c17731ff75bdaa55dd78f13563

Download Submit
C:\Users\Admin\Downloads\tdata\usertag

Filesize
8B

MD5
b9809ff7db2a08783197fc663a02df20

SHA1
eb6cfdb316c1ad2322e84fe1b5318e56d236727e

SHA256
a8011b0cbff8c6e0e795424729ffae21dcb95dc66ff5066cc07d1b7e4405e27f

SHA512
2b7c344ae6a5b227a24ab668b2fca987756b3527b8605a78c93e75edc2aa9e9890a7b0c93982c0d01775beefb4e38d5724b52857f2f51fb18392dd8abee527cc

Download Submit