c1cb8740e27287680dc48fe05b24abccab80c18c34a442bc9dac0a0b7b700241

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-02-2024 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adaf86a844ceb4e80e4ca98ccff75d13.msi
Size

265KB
MD5

adaf86a844ceb4e80e4ca98ccff75d13
SHA1

f87f0382283517ea2a4df566e6d1106034ef4095
SHA256

c1cb8740e27287680dc48fe05b24abccab80c18c34a442bc9dac0a0b7b700241
SHA512

9b48d3b261c71d1dc40d6e4513cf93c6b04a38475b3a357194e1b869ee319a163f81089e4cf36fc497556a1e401c480d76b574786d696e384ea667bd770465d9
SSDEEP

3072:Gm2DqFSZ83w9J3DUY5AhU6ij4qpXqnnDibAJBVkcxz2L9rQn4J9+3Z5yOV2nxW:IqA8G3DUY5AhTqp4nwEfN

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5758ce.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5758ce.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI592C.tmp	msiexec.exe

Loads dropped DLL 1 IoCs

pid	Process
2908	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4012	msedge.exe
4012	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
2136	identity_helper.exe
2136	identity_helper.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe
640	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4288	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4288	msiexec.exe
Token: SeSecurityPrivilege	4892	msiexec.exe
Token: SeCreateTokenPrivilege	4288	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4288	msiexec.exe
Token: SeLockMemoryPrivilege	4288	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4288	msiexec.exe
Token: SeMachineAccountPrivilege	4288	msiexec.exe
Token: SeTcbPrivilege	4288	msiexec.exe
Token: SeSecurityPrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeLoadDriverPrivilege	4288	msiexec.exe
Token: SeSystemProfilePrivilege	4288	msiexec.exe
Token: SeSystemtimePrivilege	4288	msiexec.exe
Token: SeProfSingleProcessPrivilege	4288	msiexec.exe
Token: SeIncBasePriorityPrivilege	4288	msiexec.exe
Token: SeCreatePagefilePrivilege	4288	msiexec.exe
Token: SeCreatePermanentPrivilege	4288	msiexec.exe
Token: SeBackupPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeShutdownPrivilege	4288	msiexec.exe
Token: SeDebugPrivilege	4288	msiexec.exe
Token: SeAuditPrivilege	4288	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4288	msiexec.exe
Token: SeChangeNotifyPrivilege	4288	msiexec.exe
Token: SeRemoteShutdownPrivilege	4288	msiexec.exe
Token: SeUndockPrivilege	4288	msiexec.exe
Token: SeSyncAgentPrivilege	4288	msiexec.exe
Token: SeEnableDelegationPrivilege	4288	msiexec.exe
Token: SeManageVolumePrivilege	4288	msiexec.exe
Token: SeImpersonatePrivilege	4288	msiexec.exe
Token: SeCreateGlobalPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4288	msiexec.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4288	msiexec.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe
4708	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 2908	4892	msiexec.exe	90
PID 4892 wrote to memory of 2908	4892	msiexec.exe	90
PID 4892 wrote to memory of 2908	4892	msiexec.exe	90
PID 2908 wrote to memory of 2120	2908	MsiExec.exe	94
PID 2908 wrote to memory of 2120	2908	MsiExec.exe	94
PID 2908 wrote to memory of 2120	2908	MsiExec.exe	94
PID 2120 wrote to memory of 4708	2120	cmd.exe	96
PID 2120 wrote to memory of 4708	2120	cmd.exe	96
PID 4708 wrote to memory of 2228	4708	msedge.exe	97
PID 4708 wrote to memory of 2228	4708	msedge.exe	97
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 1600	4708	msedge.exe	101
PID 4708 wrote to memory of 4012	4708	msedge.exe	98
PID 4708 wrote to memory of 4012	4708	msedge.exe	98
PID 4708 wrote to memory of 1916	4708	msedge.exe	99
PID 4708 wrote to memory of 1916	4708	msedge.exe	99
PID 4708 wrote to memory of 1916	4708	msedge.exe	99
PID 4708 wrote to memory of 1916	4708	msedge.exe	99
PID 4708 wrote to memory of 1916	4708	msedge.exe	99
PID 4708 wrote to memory of 1916	4708	msedge.exe	99
PID 4708 wrote to memory of 1916	4708	msedge.exe	99
PID 4708 wrote to memory of 1916	4708	msedge.exe	99
PID 4708 wrote to memory of 1916	4708	msedge.exe	99
PID 4708 wrote to memory of 1916	4708	msedge.exe	99
PID 4708 wrote to memory of 1916	4708	msedge.exe	99
PID 4708 wrote to memory of 1916	4708	msedge.exe	99

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\adaf86a844ceb4e80e4ca98ccff75d13.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4288

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E5A13BF4BBE2F2D86C078AC7D4A3414C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C start /MIN https://bit.ly/3hXtxZbancs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bit.ly/3hXtxZbancs
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4708
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff942fb46f8,0x7ff942fb4708,0x7ff942fb4718
        5⤵
        
        PID:2228
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,16745032221085790133,9129381101775030292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4012
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,16745032221085790133,9129381101775030292,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
        5⤵
        
        PID:1916
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16745032221085790133,9129381101775030292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
        5⤵
        
        PID:1732
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,16745032221085790133,9129381101775030292,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
        5⤵
        
        PID:1600
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16745032221085790133,9129381101775030292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
        5⤵
        
        PID:1832
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16745032221085790133,9129381101775030292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
        5⤵
        
        PID:1540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16745032221085790133,9129381101775030292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
        5⤵
        
        PID:4516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16745032221085790133,9129381101775030292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
        5⤵
        
        PID:876
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16745032221085790133,9129381101775030292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
        5⤵
        
        PID:2880
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16745032221085790133,9129381101775030292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
        5⤵
        
        PID:3604
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16745032221085790133,9129381101775030292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
        5⤵
        
        PID:3952
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16745032221085790133,9129381101775030292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
        5⤵
        
        PID:4052
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,16745032221085790133,9129381101775030292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
        5⤵
        
        PID:4588
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,16745032221085790133,9129381101775030292,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2136
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16745032221085790133,9129381101775030292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
        5⤵
        
        PID:1628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16745032221085790133,9129381101775030292,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
        5⤵
        
        PID:1244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16745032221085790133,9129381101775030292,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
        5⤵
        
        PID:2028
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16745032221085790133,9129381101775030292,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
        5⤵
        
        PID:2548
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,16745032221085790133,9129381101775030292,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5156 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
01b2988412608940700655b286ea9e17

SHA1
802423fef688a0d6b69ca664ff7dc903af5b0c07

SHA256
fa740ee71e75439d6039508896110a7fd9dfef95b994ed77bd3e6a67dd76d178

SHA512
18a4c424b1108097485e6a4e1095532ea8da8f7d2274693aac61e143cf6bf24e2f786f419f11797227f064d475d9124a8785a7bfe062d1ca7c8270b1aa13abb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ca3ae2563f8eefcdbc097f6d9d03d48e

SHA1
f6d6090d0bdb69348320e450577afcbdb83f19e7

SHA256
d3737e4049b84a0ccc9e8b71290beacc0d2c554c1336203676d80bda4d798996

SHA512
ea8411c7df6c091456b9403d69e1e5ac3b26a22859aa31cc09c32c1313d152fc499a996288a45253c64fd5fb9080657401229af8b9638edd440854685ff5b345

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d60bc0cfaab300d732679ba31d01af4

SHA1
f10d1cf7f02aedaa622cc09c668ad08251798e2c

SHA256
be5991ee85ad442da0ad40c64e0acca754ee3ad1c20419b33012fbaac8909205

SHA512
0c77eb08bf40ecd7c9bb7770e10f67193b29ff490787a372820d3053e8f4e48af10ea9687a991cb6ca505f73702d54fcfaa544fb480651a4f6ae56e5c8d9369b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d9f11de28c888c4cc12243296ef44109

SHA1
2bacc6716d639b4577bda17fc7c8ccb3bfda1848

SHA256
2714b51474e325fd4781c4b1ead1cfcc6340c000bf73fc361e08aefd8a25ad7a

SHA512
f5a4edbe5886777919dc626a3a7df24fa869ab697bf2deb55237e6077b56b3f3584ba7862c640092f27376f70d8fc14848574d66c63b129f0bb0bce616cb0231

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a1ee94e68fde12c8ce9568ae9ac8a013

SHA1
edab208a7e7d27e9b7633f08ba764b8407c6cc43

SHA256
0e133412f3041fedc5434524b2963b7908b3afc9c64d4c146e5a015f8ac459b0

SHA512
30edfba4c21b8bbe836d2880718b4e3a25ba10c10b4b7d52b075dd70e2a6998d0c39e7fc09a0069e3d74e54f42686939c2495e2c0fd05ed8f97f44f44f8ab6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b48af5dfd9583aaba7e75611b2154641

SHA1
d8605cabafcd02cc634dd06bc75eb9916bc78127

SHA256
d4b9c8f93f412c0a471fe5a4daeb67d831a27e92806a0b3b5426b37811dac7e1

SHA512
eea89b29ebd4879d1fe32cf567e1c1a5a9e4cd4ed682ab45e3885d59bff295249592413b94cf3b380a1d58b99c547d9b3d43d1c43e201c6768f81585510a0621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c1e8.TMP

Filesize
1KB

MD5
c1b63d042a59fcff4dfeb942a8b99bf2

SHA1
73bc71fea9558d5ae3ab0a1da33fada29c81eaa1

SHA256
5483c9b1584a007b894f1d8fb088e0b61404321ca7559e819ee856e3812350f0

SHA512
13059a5e04164654a14c891bded856cf3124cb1ca5240d5a7d136e3f4aa59581f98b33831c75970d9735aa6d9da1414f69933aec5b91109d76eb3cf57afcde03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4e57003af5f3b4cf6a8fe8d336d10715

SHA1
07716bd8130d7e2d399b1676d3e69b50f3e06841

SHA256
852901f5b556d028687e1e4e49deaa0bca96930965a79fed3db43c686404e6fd

SHA512
70f4da61e338119cc9ee4a90971e7d741bfc4a42f43320a278799d475970d0041de6ef5003d45910fcffef4934a4ba680455fcbbb0938f736f993035a4c937b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI75738.LOG

Filesize
21KB

MD5
a20aa9178eeb382adfa1babd6bc00e15

SHA1
dad59ede1ec354e871c44beae05be3059f2fb8ac

SHA256
fa411193fd7b53a2d6324b4899e1afec532795e51803da8142b01380c4a39ee4

SHA512
c76a2046fd48182ed1bace209707337bb9c867e08750d5a58756967ea2c74f0f5d396dd24cc23489d78841b73370297f84abaa1dba6c7ba9580bb442ecf7ea2f

Download Submit
C:\Windows\Installer\MSI592C.tmp

Filesize
91KB

MD5
5c5bef05b6f3806106f8f3ce13401cc1

SHA1
6005fbe17f6e917ac45317552409d7a60976db14

SHA256
f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437

SHA512
97933227b6002127385ace025f85a26358e47ee79c883f03180d474c15dbaf28a88492c8e53aefc0d305872edd27db0b4468da13e6f0337988f58d2ee35fd797

Download Submit