55e5131f01e0b4db477326c27139ab59c61f33cceb5de503e874197d23d37ad0

Resubmissions

26-10-2023 21:19

231026-z592tsgc71 8

26-10-2023 21:13

231026-z27gjahh85 8

26-10-2023 21:05

231026-zxldhahh22 8

Analysis

max time kernel
185s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2023 21:13

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

setup.exe
Size

1006KB
MD5

f42a201044931eee29a309600b72d456
SHA1

a38c49acdb7c3e0775f2d6dc8b8ea8bd7f32f732
SHA256

55e5131f01e0b4db477326c27139ab59c61f33cceb5de503e874197d23d37ad0
SHA512

53114bf6f50d276b9cf20c67b7044321e64937af327ab67b87f97f10297996a2a4189b8a9c7215b42a4d01a8bbee211680ed111a9d8f12ced136dd774217b858
SSDEEP

12288:T8HjWTxA6M8erwyFeGA8HjWTxA6M8erwyFeGA8HjWTxA6M8erwyFeGA8HjWTxA6H:gK1D9Y7K1D9Y7K1D9Y7K1D9Yg

Score

8^/10

evasion

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

34 3896 powershell.exe
35 3896 powershell.exe
36 3896 powershell.exe
37 3896 powershell.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

1852 netsh.exe
1396 netsh.exe

flow	pid	process
34	3896	powershell.exe
35	3896	powershell.exe
36	3896	powershell.exe
37	3896	powershell.exe

pid	process
1852	netsh.exe
1396	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup.exesetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	setup.exe

Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 205.251.196.135
Destination IP 205.251.196.135
Destination IP 205.251.196.135
Destination IP 205.251.196.135
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc
Destination IP	205.251.196.135
Destination IP	205.251.196.135
Destination IP	205.251.196.135
Destination IP	205.251.196.135

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "228"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exemsedge.exemsedge.exeidentity_helper.exetaskmgr.exe

pid	process
3896	powershell.exe
3896	powershell.exe
4288	msedge.exe
4288	msedge.exe
3764	msedge.exe
3764	msedge.exe
816	identity_helper.exe
816	identity_helper.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

1824 taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4288 msedge.exe
4288 msedge.exe
4288 msedge.exe
4288 msedge.exe
4288 msedge.exe
4288 msedge.exe
4288 msedge.exe

pid	process
1824	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

powershell.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeIncreaseQuotaPrivilege	3896	powershell.exe
Token: SeSecurityPrivilege	3896	powershell.exe
Token: SeTakeOwnershipPrivilege	3896	powershell.exe
Token: SeLoadDriverPrivilege	3896	powershell.exe
Token: SeSystemProfilePrivilege	3896	powershell.exe
Token: SeSystemtimePrivilege	3896	powershell.exe
Token: SeProfSingleProcessPrivilege	3896	powershell.exe
Token: SeIncBasePriorityPrivilege	3896	powershell.exe
Token: SeCreatePagefilePrivilege	3896	powershell.exe
Token: SeBackupPrivilege	3896	powershell.exe
Token: SeRestorePrivilege	3896	powershell.exe
Token: SeShutdownPrivilege	3896	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeSystemEnvironmentPrivilege	3896	powershell.exe
Token: SeRemoteShutdownPrivilege	3896	powershell.exe
Token: SeUndockPrivilege	3896	powershell.exe
Token: SeManageVolumePrivilege	3896	powershell.exe
Token: 33	3896	powershell.exe
Token: 34	3896	powershell.exe
Token: 35	3896	powershell.exe
Token: 36	3896	powershell.exe
Token: SeDebugPrivilege	1824	taskmgr.exe
Token: SeSystemProfilePrivilege	1824	taskmgr.exe
Token: SeCreateGlobalPrivilege	1824	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
4288	msedge.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe
1824	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

2252 LogonUI.exe

pid	process
2252	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup.exesetup.exepowershell.exemsedge.exe

description	pid	process	target process
PID 344 wrote to memory of 1276	344	setup.exe	setup.exe
PID 344 wrote to memory of 1276	344	setup.exe	setup.exe
PID 1276 wrote to memory of 3896	1276	setup.exe	powershell.exe
PID 1276 wrote to memory of 3896	1276	setup.exe	powershell.exe
PID 3896 wrote to memory of 1852	3896	powershell.exe	netsh.exe
PID 3896 wrote to memory of 1852	3896	powershell.exe	netsh.exe
PID 3896 wrote to memory of 1396	3896	powershell.exe	netsh.exe
PID 3896 wrote to memory of 1396	3896	powershell.exe	netsh.exe
PID 344 wrote to memory of 4632	344	setup.exe	cmd.exe
PID 344 wrote to memory of 4632	344	setup.exe	cmd.exe
PID 4288 wrote to memory of 620	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 620	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 1820	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 3764	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 3764	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 2000	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 2000	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 2000	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 2000	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 2000	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 2000	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 2000	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 2000	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 2000	4288	msedge.exe	msedge.exe
PID 4288 wrote to memory of 2000	4288	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:344

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe" -sfxwaitall:1 "powershell" -ExecutionPolicy ByPass -command ". 'C:\Users\Admin\AppData\Local\Temp\Adobe Temp\BlockIPs.ps1'"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy ByPass -command ". 'C:\Users\Admin\AppData\Local\Temp\Adobe Temp\BlockIPs.ps1'"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule "name=Adobe Unlicensed Pop-up" dir=out
4⤵
- Modifies Windows Firewall
PID:1852

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=Adobe Unlicensed Pop-up" dir=out action=block remoteip=107.22.247.231,18.207.85.246,23.22.254.206,34.193.227.236,52.202.204.11,52.5.13.197,54.144.73.197,54.227.187.23 enable=yes
4⤵
- Modifies Windows Firewall
PID:1396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c IF DEFINED InstChk ( START "" "C:\Users\Admin\AppData\Local\Temp\..\Set-up.exe" )
2⤵
PID:4632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe0d6d46f8,0x7ffe0d6d4708,0x7ffe0d6d4718
2⤵
PID:620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
2⤵
PID:1820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
2⤵
PID:2000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
2⤵
PID:3592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
2⤵
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
2⤵
PID:3424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
2⤵
PID:4720

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 /prefetch:8
2⤵
PID:3360

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
2⤵
PID:1856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
2⤵
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
2⤵
PID:2316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,2857436643251638911,16898383914100605847,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1880 /prefetch:2
2⤵
PID:4508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4632

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1824

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa397b855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2643ee8df77a4b345db1f039b0e91b16

SHA1
dc3d507e8b295b9c90d9dba2e998dc6cfe1e28eb

SHA256
8d2687e62679be899a50d65f6401c81989d3c4c43be9894ea67ec96ea1dc6a35

SHA512
e4bf8c89f7b82ffa55cf86353da3d741ab37521bf9b647e8e0095038ed5218cc12d8ca265c3c6ddfe20eaaeea57b0f87bf0924182852c16777f13ba6d23e094d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cc54c86e84158378e05af949e649ce90

SHA1
2216a0c6153c09befe13d9f1e37827c5f5842a80

SHA256
ce32fe76bbfc17848a5032483d0b6ceabfdb4489dadc8eddf50f059fd3f50f5a

SHA512
6a65d452b45a7e331ef2258feb65870f5b27a917a75d9acf48e4b230c1f21a5c90312376f207dc51a9d5562e100a866b558d8b33643a20262aabf1f8925c36b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c6a4c26313ee264653e273d37d0b2715

SHA1
fb0b6516a94ba92014b9be27de4f801fd72a0293

SHA256
80b131f10072859ab04444718ec777334ec0d9144bfeb333ba7c31342ff70ab6

SHA512
5eee5c8a8049932f51be7ac53a0f6f482566c1006798ec2d6afab911725fd88b7b502837218280ee00f29bb87c96d67b8c60064ff6868e549002425314d92412

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e05436aebb117e9919978ca32bbcefd9

SHA1
97b2af055317952ce42308ea69b82301320eb962

SHA256
cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f

SHA512
11328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
33cb587926ad1004070d6b806e4e56f7

SHA1
afb3aa7e002d59cce4e3f3d4b96c36bd901f7fc2

SHA256
5ca953f925e8daca74bcba3f6dd72fd25781ee4493637a88c3933f68ee3bb1e4

SHA512
12d74ada672f675c70251d9362e43d1e51105844bf07343913f7eadae35ac7d2dc4864ca3f208f3b9f163d461412db9d503932fb7dec1adc1619b70e02cd8bc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1a5591213fb3f6244b0594f0e40a7206

SHA1
f2bc0fb3ab55eca535ecafdf809cd44f624e1c10

SHA256
bf4f03abd74b6c947fb0feb88891becf52477c00507420e9cbcb196c48e85f98

SHA512
724d9bf76c2771f637f283337004a141bcfc104373afc2a88fe29bf0e574abb4f8ee7718d319987bf90500cf10c9fd42dfd9ce71a6d3dcdb5617f2390e3b952a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
868206ee5831e8f41f39d8aeb3a1473f

SHA1
d20eff857901b02e4b493a9f0a1e980ccb545a38

SHA256
e2a55a640483c0dca05dc255e0ef3174171670677992e1398254729b0c901786

SHA512
822188e405d3cae063ede5288e266448f33a2a44fd4a07a35209fd1811be597352fabce6664bcda08c6f20949c42f8b2456cc24270474286b637876978867048

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe Temp\BlockIPs.ps1

Filesize
820B

MD5
77a8d3ca91cdb8259c205891832d40af

SHA1
0635077ff4a866b672756b81a0835bf03d860775

SHA256
4954c3748da152bf700dda3606cfe618dfa3c2e6747be47f486a89336c3c6773

SHA512
5b9247422f563534baca73d967a461dff3292f17278020fdf94bea3bb683e16721d57784017aae09d0859816198c38ced5c0fe5e5b7c3db0c0ddf07ae26d1fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rwh0somd.wjt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\LOCAL\crashpad_4288_IYYXIQXTKGHPKEQF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1824-106-0x0000013960830000-0x0000013960831000-memory.dmp

Filesize
4KB

Download
memory/1824-104-0x0000013960830000-0x0000013960831000-memory.dmp

Filesize
4KB

Download
memory/1824-101-0x0000013960830000-0x0000013960831000-memory.dmp

Filesize
4KB

Download
memory/1824-103-0x0000013960830000-0x0000013960831000-memory.dmp

Filesize
4KB

Download
memory/1824-105-0x0000013960830000-0x0000013960831000-memory.dmp

Filesize
4KB

Download
memory/1824-102-0x0000013960830000-0x0000013960831000-memory.dmp

Filesize
4KB

Download
memory/1824-93-0x0000013960830000-0x0000013960831000-memory.dmp

Filesize
4KB

Download
memory/1824-94-0x0000013960830000-0x0000013960831000-memory.dmp

Filesize
4KB

Download
memory/1824-95-0x0000013960830000-0x0000013960831000-memory.dmp

Filesize
4KB

Download
memory/1824-100-0x0000013960830000-0x0000013960831000-memory.dmp

Filesize
4KB

Download
memory/3896-15-0x000001ABED760000-0x000001ABED770000-memory.dmp

Filesize
64KB

Download
memory/3896-2-0x000001ABED9D0000-0x000001ABED9F2000-memory.dmp

Filesize
136KB

Download
memory/3896-17-0x000001ABED760000-0x000001ABED770000-memory.dmp

Filesize
64KB

Download
memory/3896-22-0x00007FFDFE360000-0x00007FFDFEE21000-memory.dmp

Filesize
10.8MB

Download
memory/3896-18-0x000001ABEDDB0000-0x000001ABEDDC0000-memory.dmp

Filesize
64KB

Download
memory/3896-19-0x000001ABEDEF0000-0x000001ABEDF0A000-memory.dmp

Filesize
104KB

Download
memory/3896-14-0x000001ABED760000-0x000001ABED770000-memory.dmp

Filesize
64KB

Download
memory/3896-13-0x000001ABED760000-0x000001ABED770000-memory.dmp

Filesize
64KB

Download
memory/3896-12-0x00007FFDFE360000-0x00007FFDFEE21000-memory.dmp

Filesize
10.8MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads