764a39a5533d4d34656154c80fc20a2bcab3e93901d00f158db335f30f5d0239

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

764a39a5533d4d34656154c80fc20a2bcab3e93901d00f158db335f30f5d0239.dll
Size

4.2MB
MD5

73ec39ec810c866be4f7393b751df61f
SHA1

5b7851beeafabb79d4bac78b02e6ab9447193bcb
SHA256

764a39a5533d4d34656154c80fc20a2bcab3e93901d00f158db335f30f5d0239
SHA512

b99d86e9ebad49cbf13e29f3a6cef0e5366bfb4658246282c50a78cbc79e4d00bd63d57044f922ddf6eb80fdf8b6593336572c8036977bbd6a17468ae9b28b7f
SSDEEP

98304:Bsaj8qr2b4ETnwhvGPS2tDQOiFLe+ft7n27D24dW2H6911CPwDv3uFfJ8k:Bsag284uwFQjtUO6S+4rH6D1CPwDv3un

Score

7^/10

discovery motw phishing

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3132	MsiExec.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4588	ICACLS.EXE

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc
34	https://try.abtasty.com/cross-domain-iframe.html

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File created	C:\Windows\Installer\SourceHash{63D25ADE-6CEB-4025-9901-B274C0478848}	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI759D.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File created	C:\Windows\Installer\e577271.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e577271.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3312	msiexec.exe
3312	msiexec.exe
2460	msedge.exe
2460	msedge.exe
4256	msedge.exe
4256	msedge.exe
2956	identity_helper.exe
2956	identity_helper.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe
3800	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4492	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4492	msiexec.exe
Token: SeSecurityPrivilege	3312	msiexec.exe
Token: SeCreateTokenPrivilege	4492	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4492	msiexec.exe
Token: SeLockMemoryPrivilege	4492	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4492	msiexec.exe
Token: SeMachineAccountPrivilege	4492	msiexec.exe
Token: SeTcbPrivilege	4492	msiexec.exe
Token: SeSecurityPrivilege	4492	msiexec.exe
Token: SeTakeOwnershipPrivilege	4492	msiexec.exe
Token: SeLoadDriverPrivilege	4492	msiexec.exe
Token: SeSystemProfilePrivilege	4492	msiexec.exe
Token: SeSystemtimePrivilege	4492	msiexec.exe
Token: SeProfSingleProcessPrivilege	4492	msiexec.exe
Token: SeIncBasePriorityPrivilege	4492	msiexec.exe
Token: SeCreatePagefilePrivilege	4492	msiexec.exe
Token: SeCreatePermanentPrivilege	4492	msiexec.exe
Token: SeBackupPrivilege	4492	msiexec.exe
Token: SeRestorePrivilege	4492	msiexec.exe
Token: SeShutdownPrivilege	4492	msiexec.exe
Token: SeDebugPrivilege	4492	msiexec.exe
Token: SeAuditPrivilege	4492	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4492	msiexec.exe
Token: SeChangeNotifyPrivilege	4492	msiexec.exe
Token: SeRemoteShutdownPrivilege	4492	msiexec.exe
Token: SeUndockPrivilege	4492	msiexec.exe
Token: SeSyncAgentPrivilege	4492	msiexec.exe
Token: SeEnableDelegationPrivilege	4492	msiexec.exe
Token: SeManageVolumePrivilege	4492	msiexec.exe
Token: SeImpersonatePrivilege	4492	msiexec.exe
Token: SeCreateGlobalPrivilege	4492	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe
Token: SeRestorePrivilege	3312	msiexec.exe
Token: SeTakeOwnershipPrivilege	3312	msiexec.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe
4256	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 4492	208	rundll32.exe	88
PID 208 wrote to memory of 4492	208	rundll32.exe	88
PID 3312 wrote to memory of 3132	3312	msiexec.exe	93
PID 3312 wrote to memory of 3132	3312	msiexec.exe	93
PID 3312 wrote to memory of 3132	3312	msiexec.exe	93
PID 3132 wrote to memory of 4588	3132	MsiExec.exe	96
PID 3132 wrote to memory of 4588	3132	MsiExec.exe	96
PID 3132 wrote to memory of 4588	3132	MsiExec.exe	96
PID 3132 wrote to memory of 3704	3132	MsiExec.exe	98
PID 3132 wrote to memory of 3704	3132	MsiExec.exe	98
PID 3132 wrote to memory of 3704	3132	MsiExec.exe	98
PID 3132 wrote to memory of 4256	3132	MsiExec.exe	101
PID 3132 wrote to memory of 4256	3132	MsiExec.exe	101
PID 4256 wrote to memory of 4812	4256	msedge.exe	102
PID 4256 wrote to memory of 4812	4256	msedge.exe	102
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2188	4256	msedge.exe	103
PID 4256 wrote to memory of 2460	4256	msedge.exe	104
PID 4256 wrote to memory of 2460	4256	msedge.exe	104
PID 4256 wrote to memory of 4824	4256	msedge.exe	105
PID 4256 wrote to memory of 4824	4256	msedge.exe	105
PID 4256 wrote to memory of 4824	4256	msedge.exe	105
PID 4256 wrote to memory of 4824	4256	msedge.exe	105
PID 4256 wrote to memory of 4824	4256	msedge.exe	105
PID 4256 wrote to memory of 4824	4256	msedge.exe	105
PID 4256 wrote to memory of 4824	4256	msedge.exe	105

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\764a39a5533d4d34656154c80fc20a2bcab3e93901d00f158db335f30f5d0239.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:208
- C:\Windows\system32\msiexec.exe
  msiexec.exe /i "C:\Users\Admin\AppData\Local\Microsoft\Windows\windrv.msi" /Qn
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4492

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5726F56571FECAE3FB60B12EFB864903
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3132
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-a70097e4-ca27-4892-9ede-1fd7fe4a01ea\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:4588
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:3704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://openvpn.net/community-downloads/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe84ed46f8,0x7ffe84ed4708,0x7ffe84ed4718
      4⤵
      PID:4812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,647266145250515029,8842324785523493518,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
      4⤵
      PID:2188
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,647266145250515029,8842324785523493518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,647266145250515029,8842324785523493518,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
      4⤵
      PID:4824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,647266145250515029,8842324785523493518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
      4⤵
      PID:5060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,647266145250515029,8842324785523493518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
      4⤵
      PID:456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,647266145250515029,8842324785523493518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 /prefetch:8
      4⤵
      PID:1596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,647266145250515029,8842324785523493518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,647266145250515029,8842324785523493518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
      4⤵
      PID:1080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,647266145250515029,8842324785523493518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
      4⤵
      PID:3704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,647266145250515029,8842324785523493518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
      4⤵
      PID:4872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,647266145250515029,8842324785523493518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:1
      4⤵
      PID:2160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,647266145250515029,8842324785523493518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
      4⤵
      PID:1848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,647266145250515029,8842324785523493518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
      4⤵
      PID:556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,647266145250515029,8842324785523493518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
      4⤵
      PID:1308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,647266145250515029,8842324785523493518,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4700 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1e3dc6a82a2cb341f7c9feeaf53f466f

SHA1
915decb72e1f86e14114f14ac9bfd9ba198fdfce

SHA256
a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c

SHA512
0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36bb45cb1262fcfcab1e3e7960784eaa

SHA1
ab0e15841b027632c9e1b0a47d3dec42162fc637

SHA256
7c6b0de6f9b4c3ca1f5d6af23c3380f849825af00b58420b76c72b62cfae44ae

SHA512
02c54c919f8cf3fc28f5f965fe1755955636d7d89b5f0504a02fcd9d94de8c50e046c7c2d6cf349fabde03b0fbbcc61df6e9968f2af237106bf7edd697e07456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
936B

MD5
caeed106bf745eba7411ebe3fbf57054

SHA1
0406c649ac0c07fcaaa2387f3bbd18182b24bc31

SHA256
db1fdac324f984fbc32211f939a8c34c8ea8c71817da280bbc28938afd7fe6af

SHA512
19782c367bf7e92de82a5898c41eeaa55c748171e77070431138aef54263606594da819461c5dec732355379ee686d933e5e049c5f1f5ce6b73947a46457a0b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
dbe14198f371c12f5e2b389d4aca61de

SHA1
18265b585698e9a658054d3d2aa784391304ee62

SHA256
3c3fb623bb52b352601f364853cd0bbc10e5183190837c9714ac2a4d9afea39e

SHA512
90700ae93246ca02cd815b102df76f905d29aa6649a1b4b695fd87b58590f35989ff948fa951582116a68c5ca0c33a97cbab1b0b818bc9dd94989f48d21ee837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3b8285f370f8f67dd69ee0bc2a7ad701

SHA1
7c6d8a23eece5ebbf07a229c1d4e459cd35fc245

SHA256
437124a21a6d56f4e1c899f5eae5829379c7e5ea22c53bc14f65010c20400a14

SHA512
cc3395a405fef2553b6a94f7750dc18aa90110fa7e9b5d404319a03c7f1f40c7c1a1d8434543a762f9c5f20b6db73193d0712a431b69b27eeea9a131426e8a89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
26fc195ee84e9fd1b883134be129e65d

SHA1
c2f5709038e65c46dcc50d5695bbe905cf6c2cdf

SHA256
28cbd24c201fe569826123753f5ec876b0a9aeb4083d454685e971344e335c42

SHA512
452598d8cfadf7e13c5841c93ec365ff7766546092eaa6828fda2eec18ca31153f29400f667bc3f6d2ba1825248e01d4e4a468f1213b4dd71a1df4b7c1f9105b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5a49f0d9c4735e6a9d47ab64b6082553

SHA1
968751a9197a704868f5ac3d77f97513d6e3d3d2

SHA256
397d382b6e669cfabfe992933510860f72e9f9f04412a72f8a77fb672f599d13

SHA512
85a13dddb4970f836b26cc595a686fbf9438e97ca27a9eba0fe6030f00eef2224147f1ea327fc6ed3766abdd93690d7298cac8e7e9207920a78d740e1af0b57d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c873a2463adba20c0ca18252925970bdb41c9325\91b9a754-9af4-431c-98dc-7e40af970654\index-dir\the-real-index

Filesize
120B

MD5
d1186093fa56629ce3121017481815ac

SHA1
f7d0c6264e65c0fec4531d2dcb7daf998182b7f4

SHA256
9e2f96155d413249a59a2953406bf0c585d23225389006e1c9928872ca084bfc

SHA512
a9c4be26698204fdf08d5fb3c59df4d78e68dc3a530fbe6208bb4238067369e979a2ba51f529cacb609543a533a8de2744b6b5c644b0855c931248958bb5fd83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c873a2463adba20c0ca18252925970bdb41c9325\91b9a754-9af4-431c-98dc-7e40af970654\index-dir\the-real-index~RFe58119f.TMP

Filesize
48B

MD5
2fa40fce25f018418cb71b83c5068667

SHA1
cf3be2b2fdaffa16bd8eaf8266d28084244c5468

SHA256
2a31fba183e17cbf936b90f2d7cff6c0a27b7757496477675e8c382418850431

SHA512
8b8f2a84aa074793d1f1a09f8137a45ad610a254afdca7b70650e5b91132e49f11b1ce8b376db5c2ff085d29673bc7e865c275350e2b0afceec41f968c5ad0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c873a2463adba20c0ca18252925970bdb41c9325\index.txt

Filesize
88B

MD5
877e2c8f960dd337e161425b11202c66

SHA1
79650fb3db73ab1319e4cada9edaef268123d2bb

SHA256
1fcc000514ea495c8fb144c7aa4baa5bc5c9d190a5ee46e4d3fbfc258b487c82

SHA512
0449af6a05c77cad19a4d4e8391c4b2b491c71e43b63939684c97eae55a47a33ac60c773d0d2c21281b17a95ab848a12310ce09754b77452925085c6bf52a00f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\c873a2463adba20c0ca18252925970bdb41c9325\index.txt

Filesize
94B

MD5
0c4a9b5c40eba641d646a5d0f05cd0ce

SHA1
07d3e60c227ccbfc21a62ffe663ef2003b990430

SHA256
bbf0f0a0579d6262b89a323a7efb9ffc317d2038b4c7a7606c60acc1c929c95e

SHA512
dabf5a6336200720fabae10ba5fc535416ddfc25ff5284018776df5ff0c07e7adc36a5fd383022762b773f12e87bd3c0966f5f167e92bf158fbdbe3ed37f14be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
49fb0c70e6d3a86db57f6bc3a64ff823

SHA1
39d37180a7200da76770d75b055ab44b10d2b0cd

SHA256
723d543cef6699d3be79c645df9de0bac1eea3ddb6aa63e7beda5a67e449902e

SHA512
6c26e26202231ff8f02aa6c22b90ab8ae74e084bd9c6e7914640f489e39d36c6d2c83811a9aa30bdcf013d9ab99b05c1a8441444dd7c91c7f4c5c12e6cc651c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580923.TMP

Filesize
1KB

MD5
27767bc5b0269028278bcd69796fd8d4

SHA1
ea28864cfaae5fc303cc047856ac39a959ef5568

SHA256
e14b93f1d54fc6aaff8adb02cf8ca37baf60d074c621c3ed2a97978d17d92701

SHA512
bdeb2b641fb0d3945e02f74fd468d9cb3a4650a17eb53ec624674c287c27bb942ebece369b53ecda04e27c62f323eae1b750fad2cf3ac31089d71a536a2b8da8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9e3a795ba23035db1caa63cb611905d3

SHA1
1d2e4cf168e796c99ed5e2330860725362cde4d7

SHA256
7e557dac81f563a0227226c31383ed3dcd2a06b407f8c2d7e7a2bab4a2da970a

SHA512
b82b75d6f59d572d45f7cc07507808bc98853060ceb79069114876183cfa62531869eabe00b76fcef7d282bd58922b6638602bfa36c423e6fa8f0931dca7268a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a5d8268102dd945cfa1ada2a8627f736

SHA1
9e52c9b2115196d47dae8a645266376ec8ed8883

SHA256
d4d99180a293bc5cc7e99fa8e108b77b1b438b39102af662eab0d13ccea8bef4

SHA512
844a1e3b5cd1ee522e1867ce544261835bf006fede06a2e90b5923b4c1c28ea9ab326d94917fe6192ff1248fc228243ea73f597f75d55bd47755c0b8ec493e1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\windrv.msi

Filesize
3.6MB

MD5
76f095fbde00c4670ffaa0f965137eae

SHA1
7854356fa5bb104b6b367a419126c81a6ecf0f8c

SHA256
80c70a114ef2803dc481ef9256a5ec5b84c94a43ff7e10dcdfb4c76c5b3101ce

SHA512
90c6a58b1020389db81728ecdd8fa1076d11c74337b047084fbb52ca8bceaa0f3eeda73a08e97d4215f010028110e0b7be5d6ff4418022fbcbc9c48bcf8d6e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a70097e4-ca27-4892-9ede-1fd7fe4a01ea\files.cab

Filesize
2.9MB

MD5
8cad4ef757ecc4e96cab3894b6b6dcec

SHA1
e296611144ac2dd10082c9019a859be96039098d

SHA256
6bf8253411aa6dc014eb6f56e0c4aeab375a31116e8b1d7e6c06cc1a37e2ed53

SHA512
524e1a4c3625880f740ca35a74fb115c74d469ac5b256adf02f00fb8b0ee3cd15aa30dcb0eea08cf8cbcbff954c551e7bac2465ab7431bec3ad595e591d4dd86

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a70097e4-ca27-4892-9ede-1fd7fe4a01ea\msiwrapper.ini

Filesize
380B

MD5
9c1626976e416369223c7a31bc8e2243

SHA1
6e88283a972c424458aa8b679407cfc7b4e2225d

SHA256
e769e1c0c9d021e47f6b50be43b8f4e769f6394bc40bddd84b55f2e719bb3316

SHA512
dcadc9d8b8c93b58b7e09631d65428fb6608bc0005d56f9ef088fe4b64d1f9d7a83d1923bee87734957e8c92db04b7cb85226322b4eacac20c2cc25d1b4e49c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a70097e4-ca27-4892-9ede-1fd7fe4a01ea\msiwrapper.ini

Filesize
1KB

MD5
b313947d051a33ea264793716f10f287

SHA1
20b0c3206c4f52dd37300a7ca7e0ce0243453adc

SHA256
72487d30e65fc7864cadbfbda7c29b852f5e890457470aae793a566ffec07ad4

SHA512
f351e3ce0faeb7c75c4741cbc388f9346a091f612634a1c3b62767e1c413c0d8d5a4bfe77e43f603f1ab4fca50a27665184d88fe4f9fe3bad6ce42b0cad6fc68

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a70097e4-ca27-4892-9ede-1fd7fe4a01ea\msiwrapper.ini

Filesize
1KB

MD5
54d6a9b6cf686359acb1228615b31b60

SHA1
8726ce1b70dc5846e37a64cb2f9df581375c5fa7

SHA256
9abcba12bcdd926f377bbacc103df71194e06f8dcd36401926bab7cd2d1b0d08

SHA512
7ac1ab3c5c563b06027838f113c55cb7b1f56217dae9e66558692a5c6ed3fd7d20c3ff4556ea4363e38ac1f52d6d7807c0f2a47004c5901eb0f12e55ff781e54

Download Submit
C:\Windows\Installer\MSI759D.tmp

Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit