phemedrone | hxxps://mega[.]nz/file/5b1iVaZT#rbLX2xFGDfc1aQGgEhKBFkGt3wEtagSZBNVq0_7tXb0

Analysis

max time kernel
300s
max time network
302s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26-12-2024 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/5b1iVaZT#rbLX2xFGDfc1aQGgEhKBFkGt3wEtagSZBNVq0_7tXb0

Score

10^/10

phemedrone credential_access defense_evasion discovery stealer

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7668501460:AAH2A5oRhWUqF_EWSrJaaRppA9RgQdU2iUc/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone

Executes dropped EXE 2 IoCs

pid	Process
1064	Bootstrapper.exe
5824	cfg.exe

Loads dropped DLL 1 IoCs

pid	Process
5824	cfg.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
36	raw.githubusercontent.com
4	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5824 set thread context of 4440	5824	cfg.exe	103

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Bootstrapper.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6096	1064	WerFault.exe	98

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 799488.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Bootstrapper.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
772	msedge.exe
772	msedge.exe
5568	msedge.exe
5568	msedge.exe
3872	identity_helper.exe
3872	identity_helper.exe
5336	msedge.exe
5336	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
2016	msedge.exe
2016	msedge.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe
4440	vbc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	6068	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	6068	AUDIODG.EXE
Token: SeDebugPrivilege	1064	Bootstrapper.exe
Token: SeDebugPrivilege	4440	vbc.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5568 wrote to memory of 5452	5568	msedge.exe	77
PID 5568 wrote to memory of 5452	5568	msedge.exe	77
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 6024	5568	msedge.exe	78
PID 5568 wrote to memory of 772	5568	msedge.exe	79
PID 5568 wrote to memory of 772	5568	msedge.exe	79
PID 5568 wrote to memory of 5716	5568	msedge.exe	80
PID 5568 wrote to memory of 5716	5568	msedge.exe	80
PID 5568 wrote to memory of 5716	5568	msedge.exe	80
PID 5568 wrote to memory of 5716	5568	msedge.exe	80
PID 5568 wrote to memory of 5716	5568	msedge.exe	80
PID 5568 wrote to memory of 5716	5568	msedge.exe	80
PID 5568 wrote to memory of 5716	5568	msedge.exe	80
PID 5568 wrote to memory of 5716	5568	msedge.exe	80
PID 5568 wrote to memory of 5716	5568	msedge.exe	80
PID 5568 wrote to memory of 5716	5568	msedge.exe	80
PID 5568 wrote to memory of 5716	5568	msedge.exe	80
PID 5568 wrote to memory of 5716	5568	msedge.exe	80
PID 5568 wrote to memory of 5716	5568	msedge.exe	80
PID 5568 wrote to memory of 5716	5568	msedge.exe	80
PID 5568 wrote to memory of 5716	5568	msedge.exe	80
PID 5568 wrote to memory of 5716	5568	msedge.exe	80
PID 5568 wrote to memory of 5716	5568	msedge.exe	80
PID 5568 wrote to memory of 5716	5568	msedge.exe	80
PID 5568 wrote to memory of 5716	5568	msedge.exe	80
PID 5568 wrote to memory of 5716	5568	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/5b1iVaZT#rbLX2xFGDfc1aQGgEhKBFkGt3wEtagSZBNVq0_7tXb0
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa95903cb8,0x7ffa95903cc8,0x7ffa95903cd8
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,314427652081784274,824438116699591170,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,314427652081784274,824438116699591170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,314427652081784274,824438116699591170,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,314427652081784274,824438116699591170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,314427652081784274,824438116699591170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:848
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,314427652081784274,824438116699591170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,314427652081784274,824438116699591170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,314427652081784274,824438116699591170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,314427652081784274,824438116699591170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,314427652081784274,824438116699591170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1840,314427652081784274,824438116699591170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,314427652081784274,824438116699591170,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5240 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1840,314427652081784274,824438116699591170,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2604 /prefetch:8
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,314427652081784274,824438116699591170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1840,314427652081784274,824438116699591170,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6476 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1840,314427652081784274,824438116699591170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6288 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2016
- C:\Users\Admin\Downloads\Bootstrapper.exe
  "C:\Users\Admin\Downloads\Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\cfg.exe
    "C:\Users\Admin\AppData\Local\Temp\cfg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5824
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 2892
    3⤵
    - Program crash
    PID:6096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1628

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004D0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1064 -ip 1064
1⤵
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
d59d8ac55bad2a7399a98bcbffa1b30d

SHA1
36293cae4179ad6e5221371c1ab270b4cd40b747

SHA256
6ef490aca5a63d70d781b21ac0f6a32eb5ae28515cfba8b77540594ed8cfad22

SHA512
ed449a9a48f3e0c1ffb7f7cc9f852cbaf93f31657c7c3e0850268020603585641191192ebec22b051736a5bd7631fe1b0756bafeeb204b022e42187ce1f07d9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0639e541b5cb6aa51b3916bd3322353d

SHA1
2feabd9b28c2518901a50d1fc7624c1fd22b85f5

SHA256
6993e28a07777795b7f94519c32ad74ae131640f0e996d38d70f813519120393

SHA512
2be7a6449aa89f0c49f6aa04245f09128a3b7e6126d77fb393d510e2d0ffcdaa4993f10ae775b019cacefcb39921502ece7f07630a84e34881078698d2dd3a2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
48d0ff1ec00394fc14464c16e425abe2

SHA1
005fa180aa9f9a6de2362fcda26a62c20e2b5e06

SHA256
c08d06a0ac5f8c70d7eed329c2bb137a9a61174ca3af13db11a3aa0f6a1a7b82

SHA512
65c601fbbaa0d9c5fd71f1004e50d438ecbfce0d903e30b8006c78f39708522dcf90c950ff91fb814c82039170482513ae403ced9e4c0c6fcba8b26b57b71119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4bfa7f0498002677103a8634a202862d

SHA1
0178dc3b16658d1bbd903de820cdf62d2ae91b7d

SHA256
5e0176d32618851090bc33bd2816e2f153565d7d099ca963934825c1db83dab3

SHA512
2fcf48804a1b7c4f455f4c6db20dfdbd63b325cd5cfa6d32b94d844c717a4d2a44999b1566b19ce44efb479a6ced39fe281758d83dda21d1540a6bf2e4d3b3f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
248e4c1b1f97f015ff8b5262da58f1d0

SHA1
dac97ec23609f667a21e7d58c6474320df478b4a

SHA256
efaa9161384daf829970f0031c76a0de2d25853db40058fa10272fba577244c1

SHA512
05a20baa4be792f058bbb75db8cb74020080389274781fd307c6e2cc9462bc8b10943b768097e3ee04411b203478d78bcfbe320fdaf5e3ec6414feaed668560f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ec35.TMP

Filesize
48B

MD5
db75a53634ffd8bdafb0c3172f2e7cea

SHA1
52df8fc5ce4b8fae870a05a917c6d2205f1a38e5

SHA256
83c1b1c395d75bd818bb92869a2565228ff864238f2a3518e102ece325624f14

SHA512
c3c3e6aa5aa12b5e567dc1320325cac5122c734f555e2fb772fc2a9e7351186fcc70eba5d6717c17aeb54a5b669ddd0b5a8589942d9b205a39b01d9d9e444922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9a8e0fb6cf4941534771c38bb54a76be

SHA1
92d45ac2cc921f6733e68b454dc171426ec43c1c

SHA256
9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be

SHA512
12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
0514cce0767b9f10b6f685c242067720

SHA1
f62b32e1f6f82c17c288024be7c5e5665b026491

SHA256
b6bb75169fbf6c60f090c4355a89238ce09884de4766d72f0d3b288772242ac1

SHA512
6b22a6ff9bd2a61927321bd0132a93eabbd3bace4247a5097fc94c168ab58304ed797f16eaa5cd08c2204e631176cc416486a723ca59f516fbf2db34805d82db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
9538843d65c2aaa32c15dbf6f3b66773

SHA1
41c5aefc3f8cd86fb09acde5f1d2883b8d7d415e

SHA256
f36b5d460097655c037fef84b86b1cf95ba80923e47d9b9deb1294411897e100

SHA512
ab06afb076ffa9bd29f14d9c2c39de8f9025507110225965498fc3c3158259e0d51aff5e8a2ff776c86cc7ccda969701cec1d4794c1b0fb65d41e24195014f07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
0a2460e9f339e308513cfb3ddfed53a9

SHA1
4f682dd08e21e62101cebd683c42fd776e324110

SHA256
5aae3b730c4a8b298aeac78fff6193b565144713c44f97a315d00c5d7c0a0ed9

SHA512
cc253c0ab4167de9e224681804a4a6e4010bad1aefa8ac9dc5c740e98c170d48b4c1f28a27a9d313501edf96826bf44c3c27dc8071e174711c359b90fb1ce11d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
40aa3e42b1edb0fc59355160dd631b14

SHA1
b36d5a63bd86ea01e3e97e56cc018dc4701283aa

SHA256
3cdc59f62bf6c4a690c54d9be8b3647c34780af927a5f2fa445a4f657a8e9d9b

SHA512
cc629fdc98da168970453181318f27229c5e1cb957ce7324bef640b9d922b4d77b9394f22fd9da6c30e97ece7cc7c43983a52ba8528c2a2be253c97cc168e7e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3fd5698907a25ad5d380b176953abc02

SHA1
c1989ea16a51697088ae1c76651aefd9bed2076a

SHA256
1e16a1e2b608b1fa15d6d8a75cb5962c275aeaf52f17c0691837f50dcbab5026

SHA512
f4cc4b46279256f5e80a3c75d2737b125f945a496624c6e5193e13b68725027cabd79d9951344378d8a372d0cc0279960bc0501eb671f3acc72831ad0480007d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
42acfe2b05d75d29480964c8ae22ff76

SHA1
e4afffb82d19e02d1f7de5f485723b206ad0e987

SHA256
dac37cf2fa3f0324b6e55d37e72d515970dade3c3689f3ceb2b3b89528420e4d

SHA512
ba667acceb34de659276b42d07f3fcdbe104968d58c2b938656808da0a76393a4594bbdb176c469525a7bd7f26d9be5cc5f76e68346f03c5dbceeecef0bc540b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfg.exe

Filesize
320KB

MD5
4f0990ea72c03f3911be671cbceb7fda

SHA1
d07332f930099c4af178e4c4adcdf166decdce91

SHA256
b9e894c975b74265c0c359706931d61227c1ab7074cdf981d2d4a5ceacda9290

SHA512
903b441d433b39fb8b2d3cfd658261ad2c62d51e5171b0d1cfc37d058a27c946209b2fc1d9ca4ab3ef369753339a6c6d3845e95249d3b77a08caa2099c40e63a

Download Submit
C:\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
308KB

MD5
0120de6a2b5003af22160995d1abafd4

SHA1
18e60d75526bc9edce26479d1f46fdf8c2e2a353

SHA256
f2ccaa6bcffb8c63d0455c9511225b6c5e8c55c1d8076e42f115b553bdf2479d

SHA512
967b3a6d884c1839e6ed7ac4e31b0842b89026bf53b315f4233277996e5de97d5813e7deb409eb19bf19fb99df7695c3573eb89301aed7314f8acd43b5dcd27a

Download Submit
C:\Users\Admin\Downloads\Bootstrapper.exe

Filesize
208KB

MD5
a528edc512d8a5359d4f3729df3da2aa

SHA1
1453b1b879429c8e17f795ed7f7d181658fc883c

SHA256
636e06dee0e3ba0c630b5dbe5d8c3ec1839f067098aaf9a3c083a2123c425099

SHA512
009dff6f5c19cd73b313d77bf770efebf8d69d8c85c17fb4b4556d80f70d04727719687e1c808c7d127a8f5a2d9debaa88ea5e9a4bf768033cb60af81b1b933e

Download Submit
C:\Users\Admin\Downloads\Bootstrapper.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/1064-270-0x0000000009E70000-0x0000000009E7E000-memory.dmp

Filesize
56KB

Download
memory/1064-269-0x0000000009EA0000-0x0000000009ED8000-memory.dmp

Filesize
224KB

Download
memory/1064-268-0x0000000009E20000-0x0000000009E28000-memory.dmp

Filesize
32KB

Download
memory/1064-267-0x0000000000360000-0x000000000039A000-memory.dmp

Filesize
232KB

Download
memory/4440-291-0x0000000000B70000-0x0000000000B98000-memory.dmp

Filesize
160KB

Download
memory/4440-289-0x0000000000B70000-0x0000000000BA8000-memory.dmp

Filesize
224KB

Download
memory/4440-543-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/4440-544-0x00000000066B0000-0x0000000006742000-memory.dmp

Filesize
584KB

Download
memory/4440-545-0x0000000007460000-0x0000000007A06000-memory.dmp

Filesize
5.6MB

Download
memory/5824-282-0x0000000000790000-0x00000000007E6000-memory.dmp

Filesize
344KB

Download