hxxps://mlsendfi[.]com/

Analysis

max time kernel
144s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mlsendfi.com/

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-877519540-908060166-1852957295-1000_UserData.bin	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	svchost.exe
File created	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{2fec1223-1ef3-415f-9401-d4ec9600e6c4}\snapshot.etl	svchost.exe
File created	C:\Windows\system32\NDF\{DBA3B473-82CA-4C77-83D1-20A7A7AEF6E0}-temp-04302024-1733.etl	svchost.exe
File opened for modification	C:\Windows\system32\NDF\{DBA3B473-82CA-4C77-83D1-20A7A7AEF6E0}-temp-04302024-1733.etl	svchost.exe
File opened for modification	C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{2fec1223-1ef3-415f-9401-d4ec9600e6c4}\snapshot.etl	svchost.exe
File opened for modification	C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin	svchost.exe
File created	C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-877519540-908060166-1852957295-1000_StartupInfo3.xml	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1452	ipconfig.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\RAS AutoDial\Default	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4612	msedge.exe
4612	msedge.exe
3264	msedge.exe
3264	msedge.exe
4880	identity_helper.exe
4880	identity_helper.exe
4448	sdiagnhost.exe
4448	sdiagnhost.exe
5124	svchost.exe
5124	svchost.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4448	sdiagnhost.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
2628	msdt.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3264 wrote to memory of 5020	3264	msedge.exe	83
PID 3264 wrote to memory of 5020	3264	msedge.exe	83
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4200	3264	msedge.exe	84
PID 3264 wrote to memory of 4612	3264	msedge.exe	85
PID 3264 wrote to memory of 4612	3264	msedge.exe	85
PID 3264 wrote to memory of 3836	3264	msedge.exe	86
PID 3264 wrote to memory of 3836	3264	msedge.exe	86
PID 3264 wrote to memory of 3836	3264	msedge.exe	86
PID 3264 wrote to memory of 3836	3264	msedge.exe	86
PID 3264 wrote to memory of 3836	3264	msedge.exe	86
PID 3264 wrote to memory of 3836	3264	msedge.exe	86
PID 3264 wrote to memory of 3836	3264	msedge.exe	86
PID 3264 wrote to memory of 3836	3264	msedge.exe	86
PID 3264 wrote to memory of 3836	3264	msedge.exe	86
PID 3264 wrote to memory of 3836	3264	msedge.exe	86
PID 3264 wrote to memory of 3836	3264	msedge.exe	86
PID 3264 wrote to memory of 3836	3264	msedge.exe	86
PID 3264 wrote to memory of 3836	3264	msedge.exe	86
PID 3264 wrote to memory of 3836	3264	msedge.exe	86
PID 3264 wrote to memory of 3836	3264	msedge.exe	86
PID 3264 wrote to memory of 3836	3264	msedge.exe	86
PID 3264 wrote to memory of 3836	3264	msedge.exe	86
PID 3264 wrote to memory of 3836	3264	msedge.exe	86
PID 3264 wrote to memory of 3836	3264	msedge.exe	86
PID 3264 wrote to memory of 3836	3264	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mlsendfi.com/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffdb7046f8,0x7fffdb704708,0x7fffdb704718
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 /prefetch:8
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:1804
- C:\Windows\system32\msdt.exe
  -modal "262682" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF85AB.tmp" -ep "NetworkDiagnosticsWeb"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5856 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,2375612857435030663,3007761763188960131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:5288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4204

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4448
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:3680
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
  2⤵
  PID:5340
- C:\Windows\system32\ipconfig.exe
  "C:\Windows\system32\ipconfig.exe" /all
  2⤵
  - Gathers network information
  PID:1452
- C:\Windows\system32\ROUTE.EXE
  "C:\Windows\system32\ROUTE.EXE" print
  2⤵
  PID:5632
- C:\Windows\system32\makecab.exe
  "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
  2⤵
  PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5152
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
  2⤵
  PID:6040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:5180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024043017.000\NetworkDiagnostics.debugreport.xml

Filesize
210KB

MD5
cda7fc7c599dab950d8bd7bbde58f428

SHA1
240e0c9d64fa0fd6949b9360f21e73b41be1298b

SHA256
992bc99a7a69ec3bfbbfdbcbdfb885747f5c8dfbc98a99ccf5b3080c81a5e618

SHA512
452541e3493979b5c5220f6f3249d8797a521601cb63a3868468d3540a6a8fcc07e013d2858b657b33fd05adf6088c2a9688ee4d2f987119ecde1e781e321929

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024043017.000\ResultReport.xml

Filesize
38KB

MD5
e904d9b1bf92ce2b39bae96e146ef176

SHA1
8281775f8810c1e4838d5d57067bb970018b6afe

SHA256
36507596c3b8797e35ba7424db57ad4d004e910e40e2cedc7c44a25cce95f60e

SHA512
fcb01fe4598a6bf941a804f06fb5c6b25d62bb396252757ab07f0119e0c1b0d61541945dc2baef13f721c7382e8046e6518c8fe2ad84d4f09dfe0e74ee18815a

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024043017.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
62c02dda2bf22d702a9b3a1c547c5f6a

SHA1
8f42966df96bd2e8c1f6b31b37c9a19beb6394d6

SHA256
cb8a0964605551ed5a0668c08ab888044bbd845c9225ffee5a28e0b847ede62b

SHA512
a7ce2c0946382188e1d8480cfb096b29bd0dcb260ccdc74167cc351160a1884d04d57a2517eb700b3eef30eaf4a01bfbf31858365b1e624d4b0960ffd0032fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
850f27f857369bf7fe83c613d2ec35cb

SHA1
7677a061c6fd2a030b44841bfb32da0abc1dbefb

SHA256
a7db700e067222e55e323a9ffc71a92f59829e81021e2607cec0d2ec6faf602a

SHA512
7b1efa002b7a1a23973bff0618fb4a82cd0c5193df55cd960c7516caa63509587fd8b36f3aea6db01ece368065865af6472365b820fadce720b64b561ab5f401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1c635465fd211e4d6e8d3e2ec0746761

SHA1
1eabd8d6590397980d015607323a69943ef328ea

SHA256
76eddb3a612211c7838664c144197eb06a47e513071b39e8cff68b55ebee0a21

SHA512
95f0bdc06f9781a8ff34be70eb0e6152c2cceac162f2185c6757c8abe1069d7e51924225efedf84377e9a9c124983f8bf84576ac907bd0f879a95dc5b2ef6d43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
900371caa1bd6ccea262c0b0d5a5de76

SHA1
50fee0450bb739ee13dc5bef5d3e0cc7c2f90662

SHA256
6d9b1fce3182edd0b6ae4496ac8735a9db8e3fb4fb1df294bcd16be171938a1e

SHA512
45392113a6ce11ab46c131b447d19e633bd0c29f4b386b805e38c3f78b8e1f69f46c02fea997b54e081bd6d94b68cf805d895c326ab462f74e4bb14df73e4ef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
9bbf6334e72ccff3d42df46c9061ceb9

SHA1
c3892b81d6bf1d3950f2356875620071b180f141

SHA256
802e4576cc058eedd44dae2873cce991a83614168ccedad0586c55313281506f

SHA512
3a48b23b12b33420b8274f892cfe7217ffac9d87e431753a7b6c678db84d8864f6dc51a3634ec1e56d1cbb9d89861de2b9ebaabc05853e5036a37242e2cc36ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
4231cdbb038ef50fbe046efcae4a090b

SHA1
c20f1b8c577698cbbcde2ce088baa0e07043531a

SHA256
170d3ed7a1af8676b0d3c4a3ff84ce77a5f4ac7cd374a0cb59fc30ae7c7924d8

SHA512
a9179c5268c71f520aeaded18e4edf723189b1e6f72aa789aa505eabaa705a56ee36b4378f2eb02ecd2876d976749697dcb2948648fcd8f51fa8c918fb31a48a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\NetTraces\NdfSession-04302024-1733.etl

Filesize
192KB

MD5
b957bd0351335e21a21442f7d6747ae7

SHA1
f4b026910541c473382527c39100a1e07af2bba0

SHA256
c62539f6fcd788f84c1dc2da159b89072d2b09a66e67e88cbb4cedbe790e41ae

SHA512
74ecc78167895a011449fcfcb0c8ae5941a05232bd0ee703d2622ec377e14ae6b98011c77d73235a898e3340c6005bca4efa68b49378efe6e419d6d1b785b8b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDF85AB.tmp

Filesize
3KB

MD5
1e4aeed16b58d7f5b68077a6ff08495b

SHA1
c07398433d7c101d7fafcaa6ab912443d5f22228

SHA256
18e2aecdb7998133de161a699043c3f5bdfc89b7ed7df24557f409a345f0102a

SHA512
8809a08f08bd280eb433592f610bcb0d3887c6c29c3b59aef3b46c0a858dabec08ee8b17e3e1c0d41804b6a384a10179ff56aefcfdf38504349e3c4a7f73e076

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fvg4b1o0.qcp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E5A.tmp\NetworkConfiguration.cab

Filesize
1KB

MD5
33ef3fec724efa9f57c72415d9f5aead

SHA1
328d792d3cb07c0f0d65cf17c5b8e9bea583ba31

SHA256
47c3e128eb44fd368ae6307f5efda9b345b70e81c2c7292cdd1224ab4871177e

SHA512
e74eec156fafcab9c96f2c9b978fd57f4f8165dc5cf1a5d041e9a1640f9601c15815a3db5d8a8588303824222b96fdd6a96a8a48c53abc91f978fa8e44677e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E5A.tmp\NetworkConfiguration.ddf

Filesize
231B

MD5
00848049d4218c485d9e9d7a54aa3b5f

SHA1
d1d5f388221417985c365e8acaec127b971c40d0

SHA256
ffeafbb8e7163fd7ec9abc029076796c73cd7b4eddaeeda9ba394c547419769e

SHA512
3a4874a5289682e2b32108740feea586cb9ccdad9ca08bf30f67c9742370c081ad943ea714f08dbf722f9f98f3b0bb307619a8ba47f96b24301c68b0fd1086d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E5A.tmp\ipconfig.all.txt

Filesize
1KB

MD5
2c1e7e6356f29f9ba06cd0dd570795a1

SHA1
a276e1e3e365065efc02330138f223625972a60d

SHA256
13f31ccc1a64a00bd5f66547fce903ef467d13d2a64233e4b55e932ed67f09b6

SHA512
37130e599fe12a8024beff82523f3d7936a404a0bacb9b71dbf3899570c30c2b7b53456a9bcf1b4c371e2593001afc625216b63a60be3d1c87ef99ac0b9260b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E5A.tmp\route.print.txt

Filesize
4KB

MD5
c85a2d17dccde0e73f70bc9caf679c23

SHA1
0e4c9fcd19428c834b53b4e0862ad6d9232f23c8

SHA256
7ce9a245b6780842a83abec5fea522f1889749a697b97be13c70d8297f26e563

SHA512
327b323fc688fc45f0c883c026aeb965908f24ee8f516a766c4ec594d46bb1ad42b7f460f91ee40335817d6f4fbf9643075c63b6bc5a197c184bd7031d78b87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E5A.tmp\setup.inf

Filesize
978B

MD5
b54c726f10f813188953aa79b7bb7998

SHA1
00d96f679af01e9430a7120a701c5d2aa4d2347e

SHA256
833f0701f761707e33744827446733a4a10dd80706618b0be251ebec36b00a57

SHA512
9a6a5c2537130c42411d1556bab153ebf03dabaa7f7772583114d45b0fb4de41419c5feced46251ba6184d7054c219171d0bb289f510542aeaf7f748df9e56d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4E5A.tmp\setup.rpt

Filesize
283B

MD5
cfdb1c89d10025ee3a81e17076ed76e6

SHA1
448e8ffccf455a3fa529ac8158fa8379ecdc883d

SHA256
f67495abad5b2379399163846d84ad64f472e28d531483562d3ea4213e42e3d1

SHA512
de90da5673aee79f12d61ff208f50e552582b27e9fb0d350291e46e5033d84af3771509c1628ed7643f8b6c31ed77015c1d775d718d7682a670e0f3259f233af

Download Submit
C:\Windows\TEMP\SDIAG_334fab5b-6c2a-43f9-be2e-6af3a196aba1\NetworkDiagnosticsResolve.ps1

Filesize
11KB

MD5
d213491a2d74b38a9535d616b9161217

SHA1
bde94742d1e769638e2de84dfb099f797adcc217

SHA256
4662c3c94e0340a243c2a39ca8a88fd9f65c74fb197644a11d4ffcae6b191211

SHA512
5fd8b91b27935711495934e5d7ca14f9dd72bc40a38072595879ef334a47f99e0608087ddc62668c6f783938d9f22a3688c5cdef3a9ad6c3575f3cfa5a3b0104

Download Submit
C:\Windows\TEMP\SDIAG_334fab5b-6c2a-43f9-be2e-6af3a196aba1\NetworkDiagnosticsTroubleshoot.ps1

Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_334fab5b-6c2a-43f9-be2e-6af3a196aba1\NetworkDiagnosticsVerify.ps1

Filesize
10KB

MD5
9b222d8ec4b20860f10ebf303035b984

SHA1
b30eea35c2516afcab2c49ef6531af94efaf7e1a

SHA256
a32e13da40ac4b9e1dac7dd28bc1d25e2f2136b61ff93be943018b20796f15bc

SHA512
8331337ccb6e3137b01aeec03e6921fd3b9e56c44fa1b17545ae5c7bfcdd39fcd8a90192884b3a82f56659009e24b63ce7f500e8766fd01e8d4e60a52de0fe67

Download Submit
C:\Windows\TEMP\SDIAG_334fab5b-6c2a-43f9-be2e-6af3a196aba1\StartDPSService.ps1

Filesize
567B

MD5
a660422059d953c6d681b53a6977100e

SHA1
0c95dd05514d062354c0eecc9ae8d437123305bb

SHA256
d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

SHA512
26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

Download Submit
C:\Windows\TEMP\SDIAG_334fab5b-6c2a-43f9-be2e-6af3a196aba1\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_334fab5b-6c2a-43f9-be2e-6af3a196aba1\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_334fab5b-6c2a-43f9-be2e-6af3a196aba1\en-US\LocalizationData.psd1

Filesize
5KB

MD5
380768979618b7097b0476179ec494ed

SHA1
af2a03a17c546e4eeb896b230e4f2a52720545ab

SHA256
0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

SHA512
b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

Download Submit
C:\Windows\Temp\SDIAG_334fab5b-6c2a-43f9-be2e-6af3a196aba1\DiagPackage.dll

Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_334fab5b-6c2a-43f9-be2e-6af3a196aba1\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
memory/4448-425-0x00000187EFAA0000-0x00000187EFAC2000-memory.dmp

Filesize
136KB

Download
memory/5124-448-0x0000025D32380000-0x0000025D32381000-memory.dmp

Filesize
4KB

Download
memory/5124-444-0x0000025D2C7C0000-0x0000025D2C7D0000-memory.dmp

Filesize
64KB

Download
memory/5124-440-0x0000025D2C780000-0x0000025D2C790000-memory.dmp

Filesize
64KB

Download
memory/5124-621-0x0000025D324A0000-0x0000025D324A1000-memory.dmp

Filesize
4KB

Download
memory/5124-622-0x0000025D32490000-0x0000025D32491000-memory.dmp

Filesize
4KB

Download
memory/5124-624-0x0000025D32390000-0x0000025D32391000-memory.dmp

Filesize
4KB

Download
memory/5124-625-0x0000025D32380000-0x0000025D32381000-memory.dmp

Filesize
4KB

Download
memory/5124-627-0x0000025D32380000-0x0000025D32381000-memory.dmp

Filesize
4KB

Download
memory/5124-630-0x0000025D2CF90000-0x0000025D2CF91000-memory.dmp

Filesize
4KB

Download