modiloader | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

12-01-2025 20:22

250112-y52j1szpfq 10

12-01-2025 20:20

250112-y4hqhsxpct 8

12-01-2025 20:14

250112-y1akqszmhr 1

12-01-2025 20:12

250112-yyweeszmep 9

Analysis

max time kernel
110s
max time network
110s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
12-01-2025 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

modiloader defense_evasion discovery trojan

Malware Config

Extracted

Family

modiloader

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader First Stage 2 IoCs

resource	yara_rule
behavioral1/files/0x000400000000f3dc-284.dat	modiloader_stage1
behavioral1/memory/2472-309-0x0000000010410000-0x000000001047E000-memory.dmp	modiloader_stage1

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2472	NetWire.exe
428	NetWire.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
33	raw.githubusercontent.com
35	drive.google.com
36	drive.google.com
12	raw.githubusercontent.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NetWire.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 48841.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NetWire.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1304	msedge.exe
1304	msedge.exe
2360	msedge.exe
2360	msedge.exe
2564	identity_helper.exe
2564	identity_helper.exe
2800	msedge.exe
2800	msedge.exe
1076	msedge.exe
1076	msedge.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	6112	taskmgr.exe
Token: SeSystemProfilePrivilege	6112	taskmgr.exe
Token: SeCreateGlobalPrivilege	6112	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe

Suspicious use of SendNotifyMessage 41 IoCs

pid	Process
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
2360	msedge.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe
6112	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 4260	2360	msedge.exe	77
PID 2360 wrote to memory of 4260	2360	msedge.exe	77
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1380	2360	msedge.exe	78
PID 2360 wrote to memory of 1304	2360	msedge.exe	79
PID 2360 wrote to memory of 1304	2360	msedge.exe	79
PID 2360 wrote to memory of 3004	2360	msedge.exe	80
PID 2360 wrote to memory of 3004	2360	msedge.exe	80
PID 2360 wrote to memory of 3004	2360	msedge.exe	80
PID 2360 wrote to memory of 3004	2360	msedge.exe	80
PID 2360 wrote to memory of 3004	2360	msedge.exe	80
PID 2360 wrote to memory of 3004	2360	msedge.exe	80
PID 2360 wrote to memory of 3004	2360	msedge.exe	80
PID 2360 wrote to memory of 3004	2360	msedge.exe	80
PID 2360 wrote to memory of 3004	2360	msedge.exe	80
PID 2360 wrote to memory of 3004	2360	msedge.exe	80
PID 2360 wrote to memory of 3004	2360	msedge.exe	80
PID 2360 wrote to memory of 3004	2360	msedge.exe	80
PID 2360 wrote to memory of 3004	2360	msedge.exe	80
PID 2360 wrote to memory of 3004	2360	msedge.exe	80
PID 2360 wrote to memory of 3004	2360	msedge.exe	80
PID 2360 wrote to memory of 3004	2360	msedge.exe	80
PID 2360 wrote to memory of 3004	2360	msedge.exe	80
PID 2360 wrote to memory of 3004	2360	msedge.exe	80
PID 2360 wrote to memory of 3004	2360	msedge.exe	80
PID 2360 wrote to memory of 3004	2360	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd97113cb8,0x7ffd97113cc8,0x7ffd97113cd8
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,444836204606011264,13035184722524893967,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,444836204606011264,13035184722524893967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,444836204606011264,13035184722524893967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,444836204606011264,13035184722524893967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,444836204606011264,13035184722524893967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,444836204606011264,13035184722524893967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,444836204606011264,13035184722524893967,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,444836204606011264,13035184722524893967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,444836204606011264,13035184722524893967,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,444836204606011264,13035184722524893967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,444836204606011264,13035184722524893967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,444836204606011264,13035184722524893967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,444836204606011264,13035184722524893967,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6256 /prefetch:8
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,444836204606011264,13035184722524893967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6184 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1076
- C:\Users\Admin\Downloads\NetWire.exe
  "C:\Users\Admin\Downloads\NetWire.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2472
- - C:\Users\Admin\Downloads\NetWire.exe
    "C:\Users\Admin\Downloads\NetWire.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1928,444836204606011264,13035184722524893967,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6604 /prefetch:8
  2⤵
  PID:5692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4160

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004CC
1⤵
PID:5584

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c1a24fa898d2a98b540b20272c8e47b

SHA1
3218bff9ce95b52842fa1b8bd00be073177141ef

SHA256
bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95

SHA512
e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d2c7fd2ca29bb77a5da2d1847fbb92

SHA1
840de2cf36c22ba10ac96f90890b6a12a56526c6

SHA256
58d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5

SHA512
ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
94d5e3354b90bb89628ea710015feec4

SHA1
2f49eb07a1d862efab34f60496f68089cb83315e

SHA256
cf8cd8cb468d5cbd9fd257416408dcad68164d538508b220bfbe6f88667055c1

SHA512
cc83969f96316abc1f38935925bb4c27df041ec24733b80463a16aa82722d61c3ccd453ead6019f528c173d11c1893d0d61e75611422db799aa2466dad758204

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
25f97146a3ace104df56d70155bddf61

SHA1
2d9af683cc883aadd2dc2f1cf211d610b1c8eadf

SHA256
7b70b84816baab85ced46459dd79057f42a41542b69cca7380e4831de8809543

SHA512
22007eb673895b9fc12287289d02d4cade732e43d94c67f8e59fe31bbcd04546626452a2135a4081fd51e3baf631203dfe1a063eb144bc4b12862e6c223dcb30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
53bff44b8559034d7f3aa67dd02f2246

SHA1
0cbf5b839494e2ce843703618a43bd2dcaf10ad8

SHA256
9477ad7776f9592f8b7d4ac97eaba358ddace444ea8a804dd158d8ebf7bfc01f

SHA512
cb322541567240c6a9d46a06a10ae4f8dc5929eb5ad89dcc344834ceb1b47e7d7eba5b538f835074b2e06d5d83c02a7e96cbe20b6849c21c7beea40e13cae24c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1d7fdbc566189c178434291fb1af1f63

SHA1
41125f70f5f5a861af403ac56cc1bc09273acd4b

SHA256
703ae4b7f1adeee81c9b1f7514b6e70fce026dd9d67297e5c4e6baa33899432f

SHA512
f4420f21a3c0603e39ab6fcade2dd4af5a52ee78c54755affda740bf97dcfd557938f556fb4493fd392a575e77aa72f2762a0c3c17f3a3a2586c9e5c387c1141

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
322a0a1261c0130d5d7841008f3381f5

SHA1
b319ee13f251a7b55f1ece0b1a1591333e0a3599

SHA256
a9c29f06a24f5b9241c25c3f38e97179dd32a46234cb5514ab4ad6bd6c35c6cd

SHA512
6cfdb98dd25a2c2a49733b9832ab436187c933451e23e5ae47f863ac0d4b49dfb3202f1c878dd864da6d687a3b9519bf17f69835d01b5d6673ee198130c569dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c008f61a634b8c9cea5e181157c08e9f

SHA1
06dfe6f0eed51bb013b58052d64b7ff723b39d57

SHA256
b56829b2792c9f36199ea467bfcd001f6e9ae16c7b69c89b216c57411cbce659

SHA512
5c383795ceaa1be169c87648ed12d50b15c4451c41dbdcf9e0ea48a960c93d6314d86a8902377d22b48c96fcb130fb0db44c9387c0e2207fa35dcaa020853e76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7e24cd4fb87d21d99ea92e215bd2811c

SHA1
7e9a7f65a91ba9766c21ead72b13c44a9a706ab0

SHA256
88fc0ed40bdad4b17d13bef6fbaad757ab563bf28531087ba599ffa72d015bd4

SHA512
82be501c056c81fdf7b5af2bccfc425d03d063527365c5078bc91282ea6e8e77b8cdf1e31586287730704a781ff5dbbd9ce8a659022fd1bec909b90bc11f5777

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2ad583fa78e128dd1aec165f05f40da8

SHA1
dbf98d373664ece36dfa6d47fba6fa16a6305108

SHA256
e7751662c4f83dec837a015ae522aebf36e42e60b2a60960c447637348583eec

SHA512
87cb742cebeb1c09f3e3afc625ec5abcdbec89228012361ab5f4f0189e08350a7238c585b4c107997c7d83489d3e44e341a1b4973d9c2136c89c31c3236f0c18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
3a092a1611b98121a2110b0e5234cc8d

SHA1
1b90bd5da655be1d85c94f417cd8e3670063acd2

SHA256
7d557a30592f1d898e37e23a16bf29218a556f8fc6df0189c103b8f66a4068a0

SHA512
5e1a5ae6613986e99feca937f898b9d033b209be4c3de80196d7456cd2fb709254586a0ffb5b208ec274d20da7c7095dbecee3cedcb7ca28baca74c2e270dc3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582390.TMP

Filesize
874B

MD5
52ebdd83c48c53a2159ccfbb857d3910

SHA1
0dd2561b418fa65b4767be0cd7a6161ad489346c

SHA256
d1ba49ce230e7d6ac117a792d94fc92e056f505c486665cfcce8d99bfcb63650

SHA512
00c6adb5ad3040c9ce99fd02471129e7d6fdcd66fbf31296a4e80e690c5b4e60f67c07244b584df4bd5df4f3576e63b2830157914700d5142800aebd3576bfbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
82f0771350b9e8233adb5bbdc32ce02f

SHA1
4ade03511314eadb5e03761bfd6d9fe420394396

SHA256
f8b7908e5d66bb60c3f0f502f1385252390585eacafd3750390d4c17e30692c0

SHA512
1deef76123819f3471f5afce43217c7f873ca5d937b209b721518e5c93bf0cd54348d5c4813af2dbbfdd12f06451f72ed7e77bf7651ab0610706f587c1bfe036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
68b4cdf2414b3d4cae299deb22eb93fd

SHA1
8c6361f03d38597fc6e19d089d0bd12d1242e415

SHA256
184587742bf0be9f1dbb6b25039f11d302809df84b660a0c9770cbb89f192641

SHA512
4b8f5a01d8cb0f6ad724942e10c5b42a673360b4a13ef52f5a2589a34ee7380ff6d554c99ab666a7b92196d13d5e0443c9cacce2e17d624a4bbcdc47131cf19a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7f7acaa0db30dc28c8a491b1a15b20c1

SHA1
dfa11008b659b4172250ebf76c98861b18440a66

SHA256
fd011807432c3be1caa73db50774f99e7d252c45e671b72c535862eef51c074c

SHA512
d70562b2c52ce5afa1a8360d634d5485e856451c7bb3d89717b32f739a1628a47158378affb2f40e3a689f2f04e8ab6bb992e1af1e0cd37fca89d329f2074ecf

Download Submit
C:\Users\Admin\Downloads\NetWire.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 48841.crdownload

Filesize
1.2MB

MD5
7621f79a7f66c25ad6c636d5248abeb9

SHA1
98304e41f82c3aee82213a286abdee9abf79bcce

SHA256
086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d

SHA512
59ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd

Download Submit
memory/428-311-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/428-310-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2472-309-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download