764a39a5533d4d34656154c80fc20a2bcab3e93901d00f158db335f30f5d0239

Analysis

max time kernel
146s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

764a39a5533d4d34656154c80fc20a2bcab3e93901d00f158db335f30f5d0239.dll
Size

4.2MB
MD5

73ec39ec810c866be4f7393b751df61f
SHA1

5b7851beeafabb79d4bac78b02e6ab9447193bcb
SHA256

764a39a5533d4d34656154c80fc20a2bcab3e93901d00f158db335f30f5d0239
SHA512

b99d86e9ebad49cbf13e29f3a6cef0e5366bfb4658246282c50a78cbc79e4d00bd63d57044f922ddf6eb80fdf8b6593336572c8036977bbd6a17468ae9b28b7f
SSDEEP

98304:Bsaj8qr2b4ETnwhvGPS2tDQOiFLe+ft7n27D24dW2H6911CPwDv3uFfJ8k:Bsag284uwFQjtUO6S+4rH6D1CPwDv3un

Score

7^/10

discovery motw phishing

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
556	MsiExec.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2844	ICACLS.EXE

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc
58	https://try.abtasty.com/cross-domain-iframe.html

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI883B.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File created	C:\Windows\Installer\e578405.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e578405.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{63D25ADE-6CEB-4025-9901-B274C0478848}	msiexec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1372	msiexec.exe
1372	msiexec.exe
2664	msedge.exe
2664	msedge.exe
1092	msedge.exe
1092	msedge.exe
5204	identity_helper.exe
5204	identity_helper.exe
6012	msedge.exe
6012	msedge.exe
6012	msedge.exe
6012	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4984	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4984	msiexec.exe
Token: SeSecurityPrivilege	1372	msiexec.exe
Token: SeCreateTokenPrivilege	4984	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4984	msiexec.exe
Token: SeLockMemoryPrivilege	4984	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4984	msiexec.exe
Token: SeMachineAccountPrivilege	4984	msiexec.exe
Token: SeTcbPrivilege	4984	msiexec.exe
Token: SeSecurityPrivilege	4984	msiexec.exe
Token: SeTakeOwnershipPrivilege	4984	msiexec.exe
Token: SeLoadDriverPrivilege	4984	msiexec.exe
Token: SeSystemProfilePrivilege	4984	msiexec.exe
Token: SeSystemtimePrivilege	4984	msiexec.exe
Token: SeProfSingleProcessPrivilege	4984	msiexec.exe
Token: SeIncBasePriorityPrivilege	4984	msiexec.exe
Token: SeCreatePagefilePrivilege	4984	msiexec.exe
Token: SeCreatePermanentPrivilege	4984	msiexec.exe
Token: SeBackupPrivilege	4984	msiexec.exe
Token: SeRestorePrivilege	4984	msiexec.exe
Token: SeShutdownPrivilege	4984	msiexec.exe
Token: SeDebugPrivilege	4984	msiexec.exe
Token: SeAuditPrivilege	4984	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4984	msiexec.exe
Token: SeChangeNotifyPrivilege	4984	msiexec.exe
Token: SeRemoteShutdownPrivilege	4984	msiexec.exe
Token: SeUndockPrivilege	4984	msiexec.exe
Token: SeSyncAgentPrivilege	4984	msiexec.exe
Token: SeEnableDelegationPrivilege	4984	msiexec.exe
Token: SeManageVolumePrivilege	4984	msiexec.exe
Token: SeImpersonatePrivilege	4984	msiexec.exe
Token: SeCreateGlobalPrivilege	4984	msiexec.exe
Token: SeRestorePrivilege	1372	msiexec.exe
Token: SeTakeOwnershipPrivilege	1372	msiexec.exe
Token: SeRestorePrivilege	1372	msiexec.exe
Token: SeTakeOwnershipPrivilege	1372	msiexec.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe
1092	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 4984	4220	rundll32.exe	90
PID 4220 wrote to memory of 4984	4220	rundll32.exe	90
PID 1372 wrote to memory of 556	1372	msiexec.exe	95
PID 1372 wrote to memory of 556	1372	msiexec.exe	95
PID 1372 wrote to memory of 556	1372	msiexec.exe	95
PID 556 wrote to memory of 2844	556	MsiExec.exe	99
PID 556 wrote to memory of 2844	556	MsiExec.exe	99
PID 556 wrote to memory of 2844	556	MsiExec.exe	99
PID 556 wrote to memory of 4736	556	MsiExec.exe	101
PID 556 wrote to memory of 4736	556	MsiExec.exe	101
PID 556 wrote to memory of 4736	556	MsiExec.exe	101
PID 556 wrote to memory of 1092	556	MsiExec.exe	106
PID 556 wrote to memory of 1092	556	MsiExec.exe	106
PID 1092 wrote to memory of 2668	1092	msedge.exe	107
PID 1092 wrote to memory of 2668	1092	msedge.exe	107
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 4824	1092	msedge.exe	109
PID 1092 wrote to memory of 2664	1092	msedge.exe	110
PID 1092 wrote to memory of 2664	1092	msedge.exe	110
PID 1092 wrote to memory of 1208	1092	msedge.exe	111
PID 1092 wrote to memory of 1208	1092	msedge.exe	111
PID 1092 wrote to memory of 1208	1092	msedge.exe	111
PID 1092 wrote to memory of 1208	1092	msedge.exe	111
PID 1092 wrote to memory of 1208	1092	msedge.exe	111
PID 1092 wrote to memory of 1208	1092	msedge.exe	111
PID 1092 wrote to memory of 1208	1092	msedge.exe	111

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\764a39a5533d4d34656154c80fc20a2bcab3e93901d00f158db335f30f5d0239.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Windows\system32\msiexec.exe
  msiexec.exe /i "C:\Users\Admin\AppData\Local\Microsoft\Windows\windrv.msi" /Qn
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4984

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1DB7BE90F42618CA6D879E695AABF091
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-6e2012f4-4202-4895-9570-7452a0c09909\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:2844
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:4736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://openvpn.net/community-downloads/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffeec446f8,0x7fffeec44708,0x7fffeec44718
      4⤵
      PID:2668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,15113983020444977656,7862721934529206830,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
      4⤵
      PID:4824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,15113983020444977656,7862721934529206830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2548 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,15113983020444977656,7862721934529206830,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
      4⤵
      PID:1208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15113983020444977656,7862721934529206830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
      4⤵
      PID:4016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15113983020444977656,7862721934529206830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
      4⤵
      PID:1048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15113983020444977656,7862721934529206830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
      4⤵
      PID:1972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15113983020444977656,7862721934529206830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
      4⤵
      PID:3212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15113983020444977656,7862721934529206830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
      4⤵
      PID:1988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15113983020444977656,7862721934529206830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
      4⤵
      PID:1504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15113983020444977656,7862721934529206830,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
      4⤵
      PID:3212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,15113983020444977656,7862721934529206830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8
      4⤵
      PID:5172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,15113983020444977656,7862721934529206830,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15113983020444977656,7862721934529206830,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
      4⤵
      PID:5288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15113983020444977656,7862721934529206830,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
      4⤵
      PID:5296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,15113983020444977656,7862721934529206830,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4796 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a774512b00820b61a51258335097b2c9

SHA1
38c28d1ea3907a1af6c0443255ab610dd9285095

SHA256
01946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4

SHA512
ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fd7944a4ff1be37517983ffaf5700b11

SHA1
c4287796d78e00969af85b7e16a2d04230961240

SHA256
b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74

SHA512
28c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
936B

MD5
8e17b465cafce11d625c6a277411a530

SHA1
60c0b19e90cefbec91567cd130bfb8c1201c5553

SHA256
db8a48803eb8bd451dc9c6d80a69e3ea258a31f5f511cec7166af8398f17bfe3

SHA512
7a2d9708cebb8852c6ee1b5d5a5911bf006b84989bf129e71425b739ed2b9d6f2b9fd5279b77d64a2cad3470edf974265d9263865824bd93457fce759116f428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
8fc2cde832e2575db8c87e31dd83fea5

SHA1
f51a423f5ed2fa531d84200402238d8fedc6675d

SHA256
e23cf83569dbb2b6727dcc37414b6ac1e519acf0cca3bf413797ee9dc6dbe566

SHA512
5999ee6f1b5a2522f5727fc0cc8ff948259abfce79b8bc7441dd7ed20fc8b8a9611de7e492e734f61dc633cf377ba6e33df0d81ad2d70b09e4b01b7eb569d1de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a3d0d2128959c56064aa6de51ef4c475

SHA1
d61aeaf693cce0c55e03a91a73efc08aef9fc7c6

SHA256
524ff79391a25fe43c90bc1de70db656a164a501578cf0c6cb4b41ed4c8d6c2c

SHA512
e2b8d458160d550cb919dca84244862197a839ec80178bd46451752035af6b54ff2f47a5b5324a387eac512c56d0d0d4d0c773771b9dab5ba9debf2dc716405a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f36482d8b39adf737241b4c77d6a096f

SHA1
76eba7220399859b4d94da0832f64138617c1201

SHA256
88386ece11c435e296094a8e0f809e6f66a6872316ec344ca8ad3eeb2dade90d

SHA512
30a479324688dc173172e86e6324a95496fe09280501e18bbe8cbc0c161271645fbaca5a9cafc93eee571cbe65ef6363fa46d5b66b68ef42fddcce95bfa1b4ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c873a2463adba20c0ca18252925970bdb41c9325\00b6820a-f978-46b1-a606-3be04c95d31e\index-dir\the-real-index

Filesize
120B

MD5
2a1a984d3b569b9ae5a5fc34b5a23748

SHA1
3876fd8394c56644f6f4f8118a9dddb15c6771f3

SHA256
84167c69d8d1d5d13270b561faed5e60df350bdaa020f09ad76c439326dac9da

SHA512
b021f28dcb01fba1412b8a371897e6e8b9585dee6fa200654ea8594163f5e25caede749b9037fa9e077ac7f3876de625a1c1323c6729ef088653c42ad8447780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c873a2463adba20c0ca18252925970bdb41c9325\00b6820a-f978-46b1-a606-3be04c95d31e\index-dir\the-real-index~RFe5830df.TMP

Filesize
48B

MD5
207e987f3ead08650a4e7c07b00259e5

SHA1
e17839f8aed242182bde3ce61755e35c81fe966f

SHA256
61a16d106cc14da79d81845df0daf9c864f0d925f4e032acd5dc4beda9cf1482

SHA512
8b6271c7fca518deef2246b2347167c6d75609f02d630f5053a2f618ef544534b863be195974beefc159825dfe2ab8282b9f94b1738ae83c1f7c608260b5043a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c873a2463adba20c0ca18252925970bdb41c9325\index.txt

Filesize
94B

MD5
996be0a7a8469b10f2ce2e1517721f02

SHA1
6dda0c169d84ccfcac2b89743455d57fa4d4f82c

SHA256
bc1dda585fbff29d12ca41fb07ca5de0009998cb580605bffc4756f1b2ebaee0

SHA512
8f6d2343e67dadd18c66ef91aee6cbb0734158cc3bb92027c42cf990d23405c7052c6276d1d8c65969502aa47af0e44b410acb56285a6724eeedb58958fb9fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c873a2463adba20c0ca18252925970bdb41c9325\index.txt

Filesize
88B

MD5
7d7f30c56329d34cb398de754b2d4711

SHA1
9a147f94ce6b215860d278016e02b8497034a9d3

SHA256
004b971554042e18a122240968f9ffb5bee55f2d0a902a827ad9d44cd396c4eb

SHA512
af0aa54097d0e3fd6964506cfaf2005b789a7c5eb32e6da1d1f2876f888be32cff0225e0241164f3be67cb22997b5b388070a760b3d2727cfa7ed7f19c51d9a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b2987932a01f58b4f104c2fbfe4bd53f

SHA1
39b9e471069e15eb2b211b6ebf8ec82e04cdc025

SHA256
f3e5b64be9b1a5ba4fc84f9fb94ea41aa954e7f7f02588381a602d9bec2d00a5

SHA512
8bea960c428bc56600a45c60d5e49118f28414a1b344c0998a698ca958e90f1f32b75ed68cd6fc4c2e965abf9078531727a422b54298448b4410b74ab52eb737

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
53019595a6bf4a76f88cfa14c2f9ee52

SHA1
0e3176d996f388d0d6357310a98a76d8f299ef29

SHA256
c500ed6cb8fc1c2d898d534943f803cc1fcb29d47fc0a4de8a5f738afaef9d65

SHA512
7e415906a838f837ae1ccbdebb5c02898361aac1fee195752d03d29a28635b3c1ff1b8b0656e7367fee17bc621514a6714ca5d3f568e64b93d86b6a12ff1dd3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\windrv.msi

Filesize
3.6MB

MD5
76f095fbde00c4670ffaa0f965137eae

SHA1
7854356fa5bb104b6b367a419126c81a6ecf0f8c

SHA256
80c70a114ef2803dc481ef9256a5ec5b84c94a43ff7e10dcdfb4c76c5b3101ce

SHA512
90c6a58b1020389db81728ecdd8fa1076d11c74337b047084fbb52ca8bceaa0f3eeda73a08e97d4215f010028110e0b7be5d6ff4418022fbcbc9c48bcf8d6e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-6e2012f4-4202-4895-9570-7452a0c09909\files.cab

Filesize
3.4MB

MD5
df91fe6813482df4f2917fd2204a337c

SHA1
9c5cfffc167b3f534096913f5342310733bc022e

SHA256
cc94fcf8314a032740dbe86185374256cb787557f3685de55a01ed68fb8ceb60

SHA512
d96fe09fa5d2ec08cfe31dbd69a7ce83d82d7131c797b794abdac423cca0823d6551a0f24dac869df6d74cbee6bb1f70ace5287745e663019fd74383166376ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-6e2012f4-4202-4895-9570-7452a0c09909\msiwrapper.ini

Filesize
1KB

MD5
deb68a9c64688c0a221a2ef41920ad14

SHA1
38ac9ea34676f5414be3658edb62c7506108c3bb

SHA256
a8dc8695937d074ed7846e2517cf8786a584250756edf31a53aceba13d48c8d8

SHA512
442ef249e795db8f6ec0170d85fd40e415ad8b4b2512c7dcf9697d35d134f1db5df2d5b82b17c9dd24e086056aef08e7b67843be0e954ff97c49fd9e02e2a29a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-6e2012f4-4202-4895-9570-7452a0c09909\msiwrapper.ini

Filesize
1KB

MD5
f611f743de7a4d858ff0726b560b6f4a

SHA1
283fcc88878c1fd48bee238bb7a5394f3488f801

SHA256
dd577a9fe6345d36b8c6ddb9c76326253bdd0beded0462c1b2460d93a441a3ec

SHA512
7c212e209e2756e6b795aeb64802a56a17ff17bf63a0d94ffa3aa0e9e76db6dee027b557ee0aa0cb8e5f31cab1c91eb4c5266f4e8e8151fa90ed2b340824d40e

Download Submit
C:\Windows\Installer\MSI883B.tmp

Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit