hxxps://www[.]dropbox[.]com/scl/fi/sqhk1xnf29oimukit5wle/Truliant4[.]0-4[.]4[.]2[.]06U[.]zip?dl=0&rlkey=x8cwugwgbe2jrt0xh0zb6f67v

Analysis

max time kernel
121s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2023, 15:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.dropbox.com/scl/fi/sqhk1xnf29oimukit5wle/Truliant4.0-4.4.2.06U.zip?dl=0&rlkey=x8cwugwgbe2jrt0xh0zb6f67v

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1420546310-613437930-2990200354-1000\{372B58F9-B541-4095-8F30-39FDDC0781E4}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1712	msedge.exe
1712	msedge.exe
4524	msedge.exe
4524	msedge.exe
2840	msedge.exe
2840	msedge.exe
3792	msedge.exe
1452	identity_helper.exe
1452	identity_helper.exe
3544	msedge.exe
3544	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe
3912	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 464	4524	msedge.exe	43
PID 4524 wrote to memory of 464	4524	msedge.exe	43
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 5048	4524	msedge.exe	86
PID 4524 wrote to memory of 1712	4524	msedge.exe	85
PID 4524 wrote to memory of 1712	4524	msedge.exe	85
PID 4524 wrote to memory of 4664	4524	msedge.exe	87
PID 4524 wrote to memory of 4664	4524	msedge.exe	87
PID 4524 wrote to memory of 4664	4524	msedge.exe	87
PID 4524 wrote to memory of 4664	4524	msedge.exe	87
PID 4524 wrote to memory of 4664	4524	msedge.exe	87
PID 4524 wrote to memory of 4664	4524	msedge.exe	87
PID 4524 wrote to memory of 4664	4524	msedge.exe	87
PID 4524 wrote to memory of 4664	4524	msedge.exe	87
PID 4524 wrote to memory of 4664	4524	msedge.exe	87
PID 4524 wrote to memory of 4664	4524	msedge.exe	87
PID 4524 wrote to memory of 4664	4524	msedge.exe	87
PID 4524 wrote to memory of 4664	4524	msedge.exe	87
PID 4524 wrote to memory of 4664	4524	msedge.exe	87
PID 4524 wrote to memory of 4664	4524	msedge.exe	87
PID 4524 wrote to memory of 4664	4524	msedge.exe	87
PID 4524 wrote to memory of 4664	4524	msedge.exe	87
PID 4524 wrote to memory of 4664	4524	msedge.exe	87
PID 4524 wrote to memory of 4664	4524	msedge.exe	87
PID 4524 wrote to memory of 4664	4524	msedge.exe	87
PID 4524 wrote to memory of 4664	4524	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.dropbox.com/scl/fi/sqhk1xnf29oimukit5wle/Truliant4.0-4.4.2.06U.zip?dl=0&rlkey=x8cwugwgbe2jrt0xh0zb6f67v
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd125a46f8,0x7ffd125a4708,0x7ffd125a4718
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,12349461756425114026,15727898866476644154,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,12349461756425114026,15727898866476644154,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,12349461756425114026,15727898866476644154,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12349461756425114026,15727898866476644154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12349461756425114026,15727898866476644154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2144,12349461756425114026,15727898866476644154,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,12349461756425114026,15727898866476644154,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2144,12349461756425114026,15727898866476644154,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12349461756425114026,15727898866476644154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,12349461756425114026,15727898866476644154,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6112 /prefetch:8
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,12349461756425114026,15727898866476644154,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6112 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12349461756425114026,15727898866476644154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12349461756425114026,15727898866476644154,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,12349461756425114026,15727898866476644154,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6192 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12349461756425114026,15727898866476644154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12349461756425114026,15727898866476644154,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12349461756425114026,15727898866476644154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12349461756425114026,15727898866476644154,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,12349461756425114026,15727898866476644154,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,12349461756425114026,15727898866476644154,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4736

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fc99b0086d7714fd471ed4acc862ccc0

SHA1
39a3c43c97f778d67413a023d66e8e930d0e2314

SHA256
45ef01f81605bfd96126d5520c5aa0304c7fa7d5fdb3e4d5b2dd2bf84e2afd96

SHA512
c308fa3eda9235d67a506a5f058fefb9a769ec01d7b0d4f5a2397892cc4f8155301c55c1fac23bebacdd087ab3f47f1eacc9ff88eff4115a7d67aa7b1d6581a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2d02b415c6d23bbb9f8120d02205a665

SHA1
3ef201fc53268351b323661b22d1fa07530082e1

SHA256
deaccbddd7c9ba854d59dd252257ab99c66a42887a9acf37b25fe89270224112

SHA512
b5754223dd3ad85bc7139a63c45ca4cc30db1374740ee90fb93a0653fce8ea7b6caab9ff1a27adbc81ce8cd0b7d9a58a0f40d252673d5993738add4f05bf73c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4b530ff987a87ead02f1dca40073b343

SHA1
da25e130f8df09525aa86d63afe9aedc86bb3a0b

SHA256
4dd6b2a3f5179951ef7eadfe64acaccca675e92517797a83b6ed692a5edce262

SHA512
b80f8587bc54be4016d6ce27bf95d695b15e6be14af59d9ec4884e7d3b45256aea2e44ef5fbdb2e3a413767922a545c185136fe2cc926d99e53ac1cda60d951f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a1d1304be8785897da947c6c4b77f01d

SHA1
f56c495235f310a2726ffc32f6f78d7601259982

SHA256
7d102a359ee3918fa740165d2019ac87e07977c540761323a2deef7be652fa61

SHA512
8e7b09b0e15cfd6a09146b4225dafc2a9cec67b4aa25204f977af536f1305c3c776f7c80cd82c82a2c4accfe0de6446d1948a048c4a252b2a077e3666af20fdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
07280d0d0b0cc77e068309c000c83890

SHA1
42cd473266f23138f6c2c7ef43fcd50c868c2310

SHA256
1f555b807100974ccd5c22b054658838191433a447afc6c7ae0cebdf0b20bb88

SHA512
b6e88d0d7d8eb818042f7d8fa049a9e9e031dff9a515d8b932742a73ac566f68df0189b2e4d71b7116c35eedda18564d4f5d323a4229e8bea9907391eaaedb8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d05229a0030b2b3980ce0d466f8c218

SHA1
cf7a32e5f54fda01a6c2002be0f8b2ae744fb989

SHA256
8160ebd765f9c77b0677c782356d3b08475f5d2d9c57569bf90e3abb8b97e366

SHA512
4f98d928e76918827c9d0aab58fbf1d5d088e77711f9611c28f32e8095453adce61633f2b02ebbfed3aa42816bcbd96cdbae98142ab1fbaff05b2fa9aeb01ab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
96f00bbd6a174879c58220f95f0115f5

SHA1
d3d7f82b0bf27daf1b3903bfe050c2d05422050f

SHA256
644442e740a8c0bb20f712f6f84f5bf4a81bb29d4e9446b2832ca65618961107

SHA512
e7c5e90eb85aee7b81b9c163f618ad3789a48b256040f6f00eee7fce52c60e1ff491bf0538b9c846fb115b73163710e46a45ce056e3b41ca59d88c421502ccea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
867B

MD5
af9d0e4ffd082b0d0abd2a4af121005a

SHA1
0575c4b670e8e168bd4d28a1863a7687be8dd5d5

SHA256
319285de3b04d4e073d95024576d4be9f2f9e292b2177bcf11e0d63ecb3c88f4

SHA512
71d0b8f357030afc7567bc5abf1c09016fe459b234bf9a352abaa236a0412061871890689b46ec3007c2e8b341093724cf1dc867aa66378c95e53c66ca762fc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
867B

MD5
107b0981fc4f5f2bcb4248ce02d6e3a1

SHA1
0ef842c77959909a289d6a50ecc7deb2e25170a0

SHA256
1e048c05d212e9e8b867e9c1c5ad0f36ba0ec4352917a7f2001fc48138b5bbc2

SHA512
fbbcfc883d3464532eb166f22ba3314ffbdf98d3f2794fb60928932507a067ee37dcb10930a12323142b9066fed6c007936f7d1c59d574a405fbe483cf7bd603

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
867B

MD5
af5f6b167d8707da086d7c4b3d2add4a

SHA1
b3eac554ec388448dec20fc510eefbfc7f82f180

SHA256
a077a6923126bd397c44f9bc86b9f5899717eb5ce2338d3bfc13a7118d354f83

SHA512
ee6b2828923ad2c4959df64e873e75f1e7e2cf0245487ca93ef18e7dfc60eca84cd7ca989f0e1f5707de9a00d57ad9de44b4a16963f602b6f85e9d0198db371d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
869B

MD5
6ddebab53ddf0e6c5e80e65e7461ab0e

SHA1
9e337971398fa704812ce0c5e179591675114b2e

SHA256
eda72c7fb4de464ef137aa76dd262c519e5e723f5d12f3a7a8b7b01ab072449e

SHA512
cfd07d89d6cecd7f54362cf47428c0ea60a8b69b25b4e66bf5ebfa7cf6cf372aac97523ee58343e7116fb2a8434ef44936d7ce0a976860be8989eefac6247926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
867B

MD5
914c6be9fd4c34cf8dfe9c28fb714821

SHA1
45b6e438fa5f03bb6f5d932834b531f7b63622d8

SHA256
e7af9feb3954fad5ba544c95ca98ce5563539447c3b7158d9ff74687fdb16e95

SHA512
050d4a4b447cb6c51938bb3a70ed65f187187a1f938324ebdfd3b89fef2a830f8f5894a6418d618df280e4d47f112b34edacfbd8c5b35d0dffd70fd13c1e10e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
867B

MD5
6ddd222fa02973afee52f418da89c7ed

SHA1
3b9dcc8c4d2ff98e53d3ae032d90b650c3aac857

SHA256
2aa52ffb395d2cdda1995e5d46ede4f1cac4798e47b26a0414ce843d09571a87

SHA512
3b7df92e8801a76eca4876515f866d26acd67f981935d4b703cc94911f574d8432086c7278376b6720d0a376d3a9635c2c1783b204792f50c88356977de8ea25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c1c9.TMP

Filesize
702B

MD5
076cd0775d92df1977f9fe671de86aac

SHA1
5d2b51978851e346d8a1e7bd2c52aca71a2b6c6b

SHA256
f3a27a4634c2d025824832e3537c73d057555d2853176aeb293086b54a78fd52

SHA512
e16f075ecb47ee7c42d489f618b051c0bc59d84b99d6256a0beb8a492124efdee947a384b3000edc433d21dd270914b84fd7e37aa483ccd894b2054639dc0754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b54045ee232c3ce27981a0fad560da87

SHA1
b8ca81855a7ab63ab01b5fb474dae85a0b07f097

SHA256
34573fb31e11a7a6f4644867dcc0f3408b3a59413009330b84377b3f9bcfceb7

SHA512
06ed6c0b45eaf7f1dcae1b320165dc3438a83b493bd47259e0ed920f6c82f25af684f05607d053590502652878a8de35fe6c121492d160dc38089b4f0277a4f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
74c7f8640d938d2971c138193f539802

SHA1
d96f51a5bdf409bacc767b938666d94109da9f00

SHA256
4a1d256e15bc50c3bf0f13c3b56a29cf5365adb244e8b612004d19b227242304

SHA512
e4b379243b27633c5103ec783933a33d43f6ec7adb12d4f3ae62499e3013643d342a5799b2c95e21a1562dae59b9bdfaae65c8457dfdc9bf18e6473acc44fbe8

Download Submit
C:\Users\Admin\Downloads\Truliant4.0-4.4.2.06U.zip

Filesize
108.3MB

MD5
6b9194c8ab2ba604c63516eb827a6294

SHA1
9a59423c08e688f92c235033e696fcb9a35750f5

SHA256
51f1b332d70accb7b046dd8d4f4e4acddc71625866c9baf689cc45ee61e6d406

SHA512
fb83abcf90a4d4de44749ce61456228b26e67320ca5ede6c2e43ffab1cf555725adab0c55ffcc6483e2f106f95e2baf1b04d238cefb1b9689396ca4a4999ec01

Download Submit