hxxps://getfilenow[.]com/lp?id=FFlag%20Pack_37124376

Analysis

max time kernel
1680s
max time network
1687s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://getfilenow.com/lp?id=FFlag%20Pack_37124376

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4456	FFlag Pack_37124376.exe
6124	setup37124376.exe

Loads dropped DLL 39 IoCs

pid	Process
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	setup37124376.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	setup37124376.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	setup37124376.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	setup37124376.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	setup37124376.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	setup37124376.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	setup37124376.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	setup37124376.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Opera GXStable	FFlag Pack_37124376.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	FFlag Pack_37124376.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	setup37124376.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup37124376.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup37124376.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 703233.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2440	msedge.exe
2440	msedge.exe
1636	msedge.exe
1636	msedge.exe
364	identity_helper.exe
364	identity_helper.exe
5144	msedge.exe
5144	msedge.exe
5144	msedge.exe
5144	msedge.exe
440	msedge.exe
440	msedge.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe
6124	setup37124376.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	6124	setup37124376.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4456	FFlag Pack_37124376.exe
4456	FFlag Pack_37124376.exe
6124	setup37124376.exe
4456	FFlag Pack_37124376.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2512	1636	msedge.exe	91
PID 1636 wrote to memory of 2512	1636	msedge.exe	91
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 4712	1636	msedge.exe	94
PID 1636 wrote to memory of 2440	1636	msedge.exe	93
PID 1636 wrote to memory of 2440	1636	msedge.exe	93
PID 1636 wrote to memory of 2528	1636	msedge.exe	92
PID 1636 wrote to memory of 2528	1636	msedge.exe	92
PID 1636 wrote to memory of 2528	1636	msedge.exe	92
PID 1636 wrote to memory of 2528	1636	msedge.exe	92
PID 1636 wrote to memory of 2528	1636	msedge.exe	92
PID 1636 wrote to memory of 2528	1636	msedge.exe	92
PID 1636 wrote to memory of 2528	1636	msedge.exe	92
PID 1636 wrote to memory of 2528	1636	msedge.exe	92
PID 1636 wrote to memory of 2528	1636	msedge.exe	92
PID 1636 wrote to memory of 2528	1636	msedge.exe	92
PID 1636 wrote to memory of 2528	1636	msedge.exe	92
PID 1636 wrote to memory of 2528	1636	msedge.exe	92
PID 1636 wrote to memory of 2528	1636	msedge.exe	92
PID 1636 wrote to memory of 2528	1636	msedge.exe	92
PID 1636 wrote to memory of 2528	1636	msedge.exe	92
PID 1636 wrote to memory of 2528	1636	msedge.exe	92
PID 1636 wrote to memory of 2528	1636	msedge.exe	92
PID 1636 wrote to memory of 2528	1636	msedge.exe	92
PID 1636 wrote to memory of 2528	1636	msedge.exe	92
PID 1636 wrote to memory of 2528	1636	msedge.exe	92

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://getfilenow.com/lp?id=FFlag%20Pack_37124376
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff968e446f8,0x7ff968e44708,0x7ff968e44718
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,18172693902739303947,13244136884107738830,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,18172693902739303947,13244136884107738830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,18172693902739303947,13244136884107738830,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18172693902739303947,13244136884107738830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18172693902739303947,13244136884107738830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18172693902739303947,13244136884107738830,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18172693902739303947,13244136884107738830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,18172693902739303947,13244136884107738830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:364
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,18172693902739303947,13244136884107738830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18172693902739303947,13244136884107738830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18172693902739303947,13244136884107738830,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18172693902739303947,13244136884107738830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2328 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,18172693902739303947,13244136884107738830,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1924 /prefetch:8
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,18172693902739303947,13244136884107738830,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6216 /prefetch:8
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18172693902739303947,13244136884107738830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,18172693902739303947,13244136884107738830,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5512 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,18172693902739303947,13244136884107738830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:440
- C:\Users\Admin\Downloads\FFlag Pack_37124376.exe
  "C:\Users\Admin\Downloads\FFlag Pack_37124376.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4456
- - C:\Users\Admin\AppData\Local\setup37124376.exe
    C:\Users\Admin\AppData\Local\setup37124376.exe hhwnd=1114256 hreturntoinstaller hextras=id:ad413892c2b60f5-RO-Qm6P3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:6124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f246cc2c0e84109806d24fcf52bd0672

SHA1
8725d2b2477efe4f66c60e0f2028bf79d8b88e4e

SHA256
0c1014ae07c2077dd55d7386cc9cf9e0551be1d67fe05a6006957427ae09fec5

SHA512
dcf31357eb39a05213550a879941e2c039ec0ba41e4867d5d630807420f070289552d56d9f16c6d11edcdb0f9448bf51e7d2e460e88aa9c55a5bfe5d8d331640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
471B

MD5
2a76b50113d5e895dd828ae1ac6cde08

SHA1
33024161e1645b8a346bb826a09919b68952a528

SHA256
8fe43ae912ccf5eb9d4c3954cab5b5a3f95e701b8d07b883a335818c6f7ff700

SHA512
96bcc186f861dc82fe4cea9b154130049e7f68633bfa59c73b4b583f62c570da4c26deabf3e9c06e1e3617c3fea37858ada23a6179013c98afbe9ac3da5f12df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e2020d12546868b458bf63a71e970d97

SHA1
263befd902cafe31fd0cb3e698ffe68f21a1a547

SHA256
63964ae0429f329ebc7560f483ec16bfe7cb3b654a84e7273d321bf6608f20b3

SHA512
c81018c85bbe89b3b3a6a43de772099c3c873e5e29dd53ffdbf9b614c8c203ec164ef2828117048cb9dc6a8b8f2a631d88cdd96f1c0f94ad3f04104c00b91946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
575456c01c34346e95d446fb2e0fb006

SHA1
3762936b745c20e282e58297797eec9b55bfa5ac

SHA256
7c49570c90fa38215b5cf35b22991c55cff4ac19c5b771dd1224053fd4361a9a

SHA512
a9acc7f68b758a3f7a7def3cf94c1b402e49ef11526aa0291c6c01b3b16a617f96969fc26a6ac1950ef96767da463ce3e03da8d84dc74ceee9088301ea726d98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
42ff660cf5bca1a79c9e1843e0405dbd

SHA1
a7d4969a94f68b8f22410133f1a739e13b830f6b

SHA256
9f6c3b00c9dc516fe599a4a084a9959dbe743fc443caa96c5a07fa27a6cb4833

SHA512
cc54c9edea7eaf087c69146312212ab7f89f4fb46dcde17cf8f8af9a084065770bd4fae884f3009777f614d14c4538db784439146a711dad097fde9dfd06d310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5e62a6848f50c5ca5f19380c1ea38156

SHA1
1f5e7db8c292a93ae4a94a912dd93fe899f1ea6a

SHA256
23b683118f90c909ce86f9be9123ff6ac1355adb098ffbb09b9e5ec18fc2b488

SHA512
ce00590890ed908c18c3ec56df5f79c6c800e3bea2ad4629b9788b19bd1d9e94215fb991275e6ec5a58ac31b193e1c0b9cbaa52ff534319a5e76ec4fc8d3ba54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3e585ba869b3a14b70e0fdfddce7e5f9

SHA1
de654177fefea96ae33570162393f5d01473c7d0

SHA256
05c50f6bc39d237156cdbf7b6c9556ee24b47b3a7a6b1972f6ba63c23e538e90

SHA512
c307c0db5316eb560c347c2106bc6f98db7c6f97b2443c71c287f7d7bb246d318ac317f2d1047fae9d14c88672417f9278408fad081dafafda67102e30e01d57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
36b5ca5da8b935dae8cdd29a047539e9

SHA1
1aa17b2e579f1ec9a840aab845d752e0b8989bdc

SHA256
e9812b0ecafbdf7fedefe318a3fcfc4a92dfd958f79481176a2baa906121215b

SHA512
f16b1259c6fd14d8bb2a0d67b503aad46be16ec7e6d8515adce337815f58776c5407e1762166e8d5425edc63dc7b5fc3c645b28bb962ba5a51b6c227fd936168

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.LastScreen.dll

Filesize
57KB

MD5
6e001f8d0ee4f09a6673a9e8168836b6

SHA1
334ad3cf0e4e3c03415a4907b2d6cf7ba4cbcd38

SHA256
6a30f9c604c4012d1d2e1ba075213c378afb1bfcb94276de7995ed7bbf492859

SHA512
0eff2e6d3ad75abf801c2ab48b62bc93ebc5a128d2e03e507e6e5665ff9a2ab58a9d82ca71195073b971f8c473f339baffdd23694084eaaff321331b5faaecf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\OfferPage.html

Filesize
1KB

MD5
9ba0a91b564e22c876e58a8a5921b528

SHA1
8eb23cab5effc0d0df63120a4dbad3cffcac6f1e

SHA256
2ad742b544e72c245f4e9c2e69f989486222477c7eb06e85d28492bd93040941

SHA512
38b5fb0f12887a619facce82779cb66e2592e5922d883b9dc4d5f9d2cb12e0f84324422cd881c948f430575febd510e948a22cd291595e3a0ba0307fce73bec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.dll

Filesize
151KB

MD5
72990c7e32ee6c811ea3d2ea64523234

SHA1
a7fcbf83ec6eefb2235d40f51d0d6172d364b822

SHA256
e77e0b4f2762f76a3eaaadf5a3138a35ec06ece80edc4b3396de7a601f8da1b3

SHA512
2908b8c387d46b6329f027bc1e21a230e5b5c32460f8667db32746bc5f12f86927faa10866961cb2c45f6d594941f6828f9078ae7209a27053f6d11586fd2682

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll

Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
C:\Users\Admin\AppData\Local\setup37124376.exe

Filesize
1.9MB

MD5
3e0fe50e5394c810988cdca1cfd15106

SHA1
be7eec7e05dcde5316b835aa967f5d9be517355d

SHA256
aa3e4b8f69db6c966b47dcdd0609a05ed38cd42807fbd242a339db17cb821f73

SHA512
d5117566da47207daa78500e212546475fe2a10be86b820a209e86cdfd765d9c8177e25e05f56deb6b804dad7c1809ce41c48a837a086c02300c82cd453342d2

Download Submit
C:\Users\Admin\AppData\Local\setup37124376.exe

Filesize
1.1MB

MD5
b3da124affff05d54b63d70fdd329f8c

SHA1
4e740345dfa54b9708273f4494e022e424882009

SHA256
84b463df703eb3df9726842cb4ca1c20d2c3ef62b6ac83ebfe30765db9ca2128

SHA512
f53af0e8f31e0d2d79c58b5fa86f37986aafeb4c53da6c5ff7b69cae90e43f5022fe5716a85f420655a301aeb6f4b4d34ba70a2734d19c5b970f39a063133c1b

Download Submit
C:\Users\Admin\Downloads\FFlag Pack_37124376.exe

Filesize
2.0MB

MD5
5fc163d5a41ca63b69574ee352d1aff6

SHA1
8e6c88a6b5d355852ec94c067782292c9e62baa4

SHA256
408982f5b4755c797539f7e56301c833e1c94bff60b34aded993224f77d9f78d

SHA512
1a32a84bba977940edd4c0e7ca6683a63d01b949d1b9a043e901c8cf0b44fe4bfc64ad32107a554c9fc3b71a68cfb672391da9d4aff0bc34ebfb0751293662f0

Download Submit
C:\Users\Admin\Downloads\FFlag Pack_37124376.exe

Filesize
58KB

MD5
d62cbddb694f5db4b7eb6e30a78545c2

SHA1
f64cdb628e02237097ad1b3c5dc7da97503c7e7f

SHA256
8d78322f6403598df7c13bf3da7a27125b3a1867d8ce5eada28d74edb7f1ad96

SHA512
40a50c49984d87ac4e845223f502899eaea166da3bf237fc7cf243699c8fbe905afa4e4f8fc2ca5705e6e4840f020f1f1229b5cf1455271debbe8431fb2eef09

Download Submit
C:\Users\Admin\Downloads\FFlag Pack_37124376.exe

Filesize
1.1MB

MD5
4187c279037b085bffcc98f07a9ad9d4

SHA1
72b29b4b0e36d45a517dea97328a683a245ff101

SHA256
dde7c6696e5adcb2f701851d478b93264d481ead84d4672e2d290b602a20a0a2

SHA512
be3bff7647496ff8ca466cbc50a28a8dd4a98edc5431fca06f65b6b685f7cee6d936add8f09c6fbb330a26a16a648989014f75a45087d399e2352c35f3125f14

Download Submit
memory/6124-356-0x00000000063A0000-0x00000000063C2000-memory.dmp

Filesize
136KB

Download
memory/6124-274-0x0000000005470000-0x000000000548A000-memory.dmp

Filesize
104KB

Download
memory/6124-306-0x00000000055A0000-0x00000000055CC000-memory.dmp

Filesize
176KB

Download
memory/6124-357-0x00000000063D0000-0x0000000006724000-memory.dmp

Filesize
3.3MB

Download
memory/6124-350-0x0000000006310000-0x000000000639C000-memory.dmp

Filesize
560KB

Download
memory/6124-363-0x00000000068A0000-0x00000000068AC000-memory.dmp

Filesize
48KB

Download
memory/6124-366-0x0000000006E80000-0x0000000007424000-memory.dmp

Filesize
5.6MB

Download
memory/6124-387-0x0000000006B00000-0x0000000006B92000-memory.dmp

Filesize
584KB

Download
memory/6124-372-0x00000000079F0000-0x0000000007FA4000-memory.dmp

Filesize
5.7MB

Download
memory/6124-298-0x0000000005550000-0x0000000005558000-memory.dmp

Filesize
32KB

Download
memory/6124-401-0x0000000009330000-0x000000000935E000-memory.dmp

Filesize
184KB

Download
memory/6124-290-0x0000000005430000-0x000000000543A000-memory.dmp

Filesize
40KB

Download
memory/6124-282-0x0000000005520000-0x0000000005544000-memory.dmp

Filesize
144KB

Download
memory/6124-355-0x0000000006290000-0x000000000629A000-memory.dmp

Filesize
40KB

Download
memory/6124-266-0x00000000054B0000-0x00000000054E2000-memory.dmp

Filesize
200KB

Download
memory/6124-258-0x0000000005440000-0x0000000005468000-memory.dmp

Filesize
160KB

Download
memory/6124-250-0x00000000053E0000-0x000000000540E000-memory.dmp

Filesize
184KB

Download
memory/6124-242-0x0000000005380000-0x00000000053A8000-memory.dmp

Filesize
160KB

Download
memory/6124-234-0x0000000005350000-0x0000000005374000-memory.dmp

Filesize
144KB

Download
memory/6124-226-0x0000000005300000-0x0000000005314000-memory.dmp

Filesize
80KB

Download
memory/6124-333-0x0000000005C10000-0x0000000005C22000-memory.dmp

Filesize
72KB

Download
memory/6124-316-0x0000000005500000-0x000000000551D000-memory.dmp

Filesize
116KB

Download
memory/6124-203-0x0000000071590000-0x0000000071D40000-memory.dmp

Filesize
7.7MB

Download
memory/6124-204-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/6124-456-0x0000000071590000-0x0000000071D40000-memory.dmp

Filesize
7.7MB

Download
memory/6124-202-0x0000000000580000-0x0000000000958000-memory.dmp

Filesize
3.8MB

Download