hxxps://download[.]freeroms[.]com/emulator/Project64_1[.]6[.]zip

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2023, 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.freeroms.com/emulator/Project64_1.6.zip

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e588c0e.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007ec2211f72b7cbde0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007ec2211f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000000032000000ffffffff0000000007000100006809007ec2211f000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01232000000000020ed0d000000ffffffff0000000007000100006809197ec2211f000000000000d0123200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007ec2211f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4328	msedge.exe
4328	msedge.exe
1448	msedge.exe
1448	msedge.exe
1960	identity_helper.exe
1960	identity_helper.exe
2296	msedge.exe
2296	msedge.exe
3044	msiexec.exe
3044	msiexec.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe
4408	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1188	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	1188	MSIEXEC.EXE
Token: SeSecurityPrivilege	3044	msiexec.exe
Token: SeCreateTokenPrivilege	1188	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	1188	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	1188	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	1188	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	1188	MSIEXEC.EXE
Token: SeTcbPrivilege	1188	MSIEXEC.EXE
Token: SeSecurityPrivilege	1188	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	1188	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	1188	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	1188	MSIEXEC.EXE
Token: SeSystemtimePrivilege	1188	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	1188	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	1188	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	1188	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	1188	MSIEXEC.EXE
Token: SeBackupPrivilege	1188	MSIEXEC.EXE
Token: SeRestorePrivilege	1188	MSIEXEC.EXE
Token: SeShutdownPrivilege	1188	MSIEXEC.EXE
Token: SeDebugPrivilege	1188	MSIEXEC.EXE
Token: SeAuditPrivilege	1188	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	1188	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	1188	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	1188	MSIEXEC.EXE
Token: SeUndockPrivilege	1188	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	1188	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	1188	MSIEXEC.EXE
Token: SeManageVolumePrivilege	1188	MSIEXEC.EXE
Token: SeImpersonatePrivilege	1188	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	1188	MSIEXEC.EXE
Token: SeBackupPrivilege	2716	vssvc.exe
Token: SeRestorePrivilege	2716	vssvc.exe
Token: SeAuditPrivilege	2716	vssvc.exe
Token: SeBackupPrivilege	3044	msiexec.exe
Token: SeRestorePrivilege	3044	msiexec.exe
Token: SeBackupPrivilege	4824	srtasks.exe
Token: SeRestorePrivilege	4824	srtasks.exe
Token: SeSecurityPrivilege	4824	srtasks.exe
Token: SeTakeOwnershipPrivilege	4824	srtasks.exe
Token: SeBackupPrivilege	4824	srtasks.exe
Token: SeRestorePrivilege	4824	srtasks.exe
Token: SeSecurityPrivilege	4824	srtasks.exe
Token: SeTakeOwnershipPrivilege	4824	srtasks.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1188	MSIEXEC.EXE

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 5092	1448	msedge.exe	85
PID 1448 wrote to memory of 5092	1448	msedge.exe	85
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 2300	1448	msedge.exe	86
PID 1448 wrote to memory of 4328	1448	msedge.exe	87
PID 1448 wrote to memory of 4328	1448	msedge.exe	87
PID 1448 wrote to memory of 1388	1448	msedge.exe	88
PID 1448 wrote to memory of 1388	1448	msedge.exe	88
PID 1448 wrote to memory of 1388	1448	msedge.exe	88
PID 1448 wrote to memory of 1388	1448	msedge.exe	88
PID 1448 wrote to memory of 1388	1448	msedge.exe	88
PID 1448 wrote to memory of 1388	1448	msedge.exe	88
PID 1448 wrote to memory of 1388	1448	msedge.exe	88
PID 1448 wrote to memory of 1388	1448	msedge.exe	88
PID 1448 wrote to memory of 1388	1448	msedge.exe	88
PID 1448 wrote to memory of 1388	1448	msedge.exe	88
PID 1448 wrote to memory of 1388	1448	msedge.exe	88
PID 1448 wrote to memory of 1388	1448	msedge.exe	88
PID 1448 wrote to memory of 1388	1448	msedge.exe	88
PID 1448 wrote to memory of 1388	1448	msedge.exe	88
PID 1448 wrote to memory of 1388	1448	msedge.exe	88
PID 1448 wrote to memory of 1388	1448	msedge.exe	88
PID 1448 wrote to memory of 1388	1448	msedge.exe	88
PID 1448 wrote to memory of 1388	1448	msedge.exe	88
PID 1448 wrote to memory of 1388	1448	msedge.exe	88
PID 1448 wrote to memory of 1388	1448	msedge.exe	88

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://download.freeroms.com/emulator/Project64_1.6.zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xe4,0xd8,0xdc,0x108,0x7fff377e46f8,0x7fff377e4708,0x7fff377e4718
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,13850981833669084082,5032835099172185892,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,13850981833669084082,5032835099172185892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,13850981833669084082,5032835099172185892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1520 /prefetch:8
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13850981833669084082,5032835099172185892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13850981833669084082,5032835099172185892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,13850981833669084082,5032835099172185892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,13850981833669084082,5032835099172185892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13850981833669084082,5032835099172185892,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13850981833669084082,5032835099172185892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,13850981833669084082,5032835099172185892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13850981833669084082,5032835099172185892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,13850981833669084082,5032835099172185892,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3416 /prefetch:8
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13850981833669084082,5032835099172185892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13850981833669084082,5032835099172185892,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,13850981833669084082,5032835099172185892,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3032 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:32

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4248

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\Temp1_Project64_1.6.zip\Project64_1.6.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Project64_1.6.zip\Project64_1.6.exe"
1⤵
PID:4516
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\_isE688\Project64 1.6.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\Temp1_Project64_1.6.zip"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1188

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4824

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b5f5369274e3bfbc449588bbb57bd383

SHA1
58bb46d57bd70c1c0bcbad619353cbe185f34c3b

SHA256
4190bd2ec2c0c65a2b8b97782cd3ae1d6cead80242f3595f06ebc6648c3e3464

SHA512
04a3816af6c5a335cde99d97019a3f68ade65eba70e4667c4d7dd78f78910481549f1dad23a46ccf9efa2e25c6e7a7c78c592b6ace951e1aab106ba06a10fcd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
189B

MD5
0b12879b71ee2f8087c3fbce3c75c247

SHA1
4608d3b2174079b9a75a77b336bab91ba9a11271

SHA256
950e6985dcc48ef75d5f19fccfb3fd7c11d5684831b1c894c7b65f58407167ee

SHA512
3e6f222191a25877e0040740ea94a039171c312a5c10dd50dd73cc465bd220a27fe8cf4d8a020eedb91c541d614638511d09acff7a91af9224aab6645bf812f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
76168e1f566acfb7e48ab9cfa5cce374

SHA1
aa0c1c8d585fd2b2b0c0ff651d88b5b64923d032

SHA256
c3e34e7bde570fecdef4815ab69efd013e1f3d4271a6818098f5b382c2481a34

SHA512
fdde161fc0d2868251042d1176f8c58289a3be91285e6b33c1457e63f5e9712c4365ea39280a50504fcaaee2f2cb7f6b2b95233ac64752b33c9e18701f12797e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e16b19cbc527452a762e55d9b8d4ce4a

SHA1
ead8f84f634926fe183ada2491d7a0c533726d2a

SHA256
3bc2d5a7254ffe26b9c0853e1552694ef658ba9af19fc72a969b8de1a27784be

SHA512
500ed2fbcda2df4fba896c27fcd181b439e294a08d173286d901c68a5590debba87fec918cea21460c02a5be980d5f42daca460084428ddf365d9cc85cc18352

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
29213338df67d29d6454ee5d61ad3970

SHA1
8c69ca76a2e639060d5ce835a9600e6ea3764a83

SHA256
d29fc0d97fa74d382d0f557ecea4e42b7d50dbce43915bfc0c114c16e532aa51

SHA512
14db25eba8a863d390b97fce4315402ed7c249598ff6c31d5a191b0f71c274eead42ba0658403e744110de072e6ff1cac3bccee1e48875bde6b1fe39a60d2407

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
8e08d6cdfab767144e8254ff71273246

SHA1
7d3ab30fc5907fc087c41cda86878b2f530dd067

SHA256
d6b06b431f425c12739cdefd42cad758cfa11b61c8903f158d6083bdff0ff3d6

SHA512
e48a00af698420e2dfca1f53853618f0222f9671155140316266ebc8b1f6f9248436f756421dd9bed8597415419813147590b3cf3dd06c50ff1dd7f9dfa83042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
648b91d080eb932ec60b85449dbfb8f7

SHA1
7ce5772d8a3628e4014876714bd2eb991f9f1884

SHA256
858647fe7d2524d98bd35ee69787d8af77e30e9c7472d019766c8c6b30f78090

SHA512
061c33b25fdf422dd26b2ce112c05ad1364ce5572d70691f64bfc2bb2fcd7d10e9fa3e2c6f3e30b441f84e7c78548b5f76d58cd7d9a11c08c9be37f95b51121a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_isE688\0x0409.ini

Filesize
4KB

MD5
7a858ca524beb223533a2ac6138c4b73

SHA1
aa7a7e8e7c6c2324d2906a78c243b187a072aa59

SHA256
97eca8e6d33a2761f94831f3f82e030a8e79b5cbc12dcbed4eb1de9c4edf4d1a

SHA512
d3861daf5e0754388f1719450cbfebe629090e41249ef2a206a86dc3fc5f68b3a98c29ddc159d44348080e48bc84a8e0815aa39d535187eb4737cdf4d486bf88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_isE688\Project64 1.6.msi

Filesize
1.8MB

MD5
3bb7516962c50f2bbd6c922c8e397561

SHA1
37495a93ef0190993cd74a1c4d277dab2e37e3b7

SHA256
359e0e05c52f5c62680064e8716c95889dafe8f23972162feb6d6148d2ff9ada

SHA512
919ff915f3c2799585f5795bef27fa062100cc86bd913df45e1275703feda1c584643cf2c763579b1a5d86229cd87d5aa089bb5a1b09ff8770bb0bff9b7215e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_isE688\Setup.INI

Filesize
1KB

MD5
c934d4a9b6c5ae1f8c10799550221822

SHA1
8830c679268d64d988a8b2db796a6f6b5336a434

SHA256
e4f25bb1e03c2aad04443898baa4c4b0df800d4b6779ff20e2b912a60cb2338c

SHA512
2afc23f666cb65fa0e293680a88f77fd57d824ed4d316724be3ed9a436cbf17a893c37887b13565e595f944a7c26e62b53e89db4f4718cfcbb073ba556d99baa

Download Submit
C:\Users\Admin\Downloads\Project64_1.6.zip

Filesize
1.8MB

MD5
d068eee7cc2c922e540c0fecd9a9cc2f

SHA1
f9dcae73db7254e51810913fdcd35b2f5f3b587f

SHA256
1f4bbfc2485281828d48eb42c45eefa74029a3a7fb4728024aef3e0e7c59d62b

SHA512
1ba08b06518180250cb8dea337b7a534c418e732bc8dd8f920ad8e1fb5ac2f5a331865c16d1bcabff1e5361d042fedac33667421324c8fc574f35b943f4c243c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
d6e200c2fdd9dbea4e1d41410cc6b4c9

SHA1
f036688a9a7b22f62f0e62a3a6f5a0a8f3826a6d

SHA256
f57637d4769eecc4ee4d269641d4bc98486a4fa4ec11d1cd3c3fbafa612b1418

SHA512
a66572ffeeb9d2d226788ce8987c295847167fa356be7955fee7e3d9d44a5964ced3ef19ea567c6ea2386ab4f5cc1f4367e6e8794f2957c52805a434e3938de8

Download Submit
\??\Volume{1f21c27e-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a4739c28-833b-4a86-9582-f5156eeb1136}_OnDiskSnapshotProp

Filesize
5KB

MD5
e7822a5408605b7e0b31e9dcf2b0554e

SHA1
c18d56d66dd6d149e338bc0eeb3156ef19ab17f9

SHA256
e7d77e9b2f28c5e1c75112c19cbc35b34d61889bdb17ea53cae1508d928964ac

SHA512
21870005fb21e729424a6a3ad6e11a03a0ce82ae051558cc13e2ef67cfe23e48c5c56cc04556bd41a0bdf903b915c229307367a10d3d1986f38d4d1bbc835ea1

Download Submit