Analysis
- max time kernel: 148s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13/05/2024, 10:43
Static task: static1
Behavioral task: behavioral1 (sample setup.msi, resource win7-20240221-en)
Behavioral task: behavioral2 (sample setup.msi, resource win10v2004-20240508-en)
General
- Target: setup.msi
- Size: 3.9MB
- MD5: 3f1c43e9532f6ed643db669dc8823aaa
- SHA1: c17ddd335dae27c8f8d6bb2da88953a6676a6ffa
- SHA256: 90516b6e70cf233597cf2b54b5908f374797f6391a3d1a9e429f8b414a139301
- SHA512: b3d4f89437082c6ac2415a02ee9a012676cede2fd2dd056be78c8b27ad3fb18528bcf888697b7c3620039dff03cad8077f85bf7a5e9d854584ae04ae6eb0b970
- SSDEEP: 49152:dJQOc/f9r84jEHYDgS5u7v+ycFTzn795k0zjjZdlPjgzixI+vGYRnAWNCWw50Qbj:9VHYDgrKyclt0iuWYyGI4
Malware Config
Signatures
Blocklisted process makes network request (5 IoCs)
- flow 2: PID 4780 msiexec.exe
- flow 4: PID 4780 msiexec.exe
- flow 6: PID 4780 msiexec.exe
- flow 10: PID 4780 msiexec.exe
- flow 25: PID 1444 MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by msiexec.exe, twice for each of these 23 root paths (every drive letter except C:, D: and F:): \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation, by MSI5BAA.tmp
Drops file in Windows directory (22 IoCs), all by msiexec.exe
- File opened for modification: C:\Windows\Installer\MSI5D03.tmp
- File created: C:\Windows\Installer\e575728.msi
- File opened for modification: C:\Windows\Installer\MSI58A2.tmp
- File opened for modification: C:\Windows\Installer\MSI5A5D.tmp
- File opened for modification: C:\Windows\Installer\
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi
- File opened for modification: C:\Windows\Installer\MSI58B3.tmp
- File opened for modification: C:\Windows\Installer\MSI5912.tmp
- File opened for modification: C:\Windows\Installer\MSI5A8D.tmp
- File opened for modification: C:\Windows\Installer\MSI5AFD.tmp
- File opened for modification: C:\Windows\Installer\e575728.msi
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
- File opened for modification: C:\Windows\Installer\MSI57B5.tmp
- File opened for modification: C:\Windows\Installer\MSI5892.tmp
- File opened for modification: C:\Windows\Installer\MSI5AAE.tmp
- File created: C:\Windows\Installer\e57572c.msi
- File opened for modification: C:\Windows\Installer\MSI5BAA.tmp
- File opened for modification: C:\Windows\Installer\MSI5871.tmp
- File opened for modification: C:\Windows\Installer\MSI5A1C.tmp
- File opened for modification: C:\Windows\Installer\MSI5A2D.tmp
- File opened for modification: C:\Windows\Installer\MSI5A9D.tmp
- File created: C:\Windows\Installer\SourceHash{64E53455-B2F4-42AD-AD37-2E4F9125F937}
Executes dropped EXE (1 IoC)
- PID 772 MSI5BAA.tmp
Loads dropped DLL (13 IoCs)
- PID 1444 MsiExec.exe (13 loads)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs), all by msedge.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
Modifies data under HKEY_USERS (3 IoCs), all by msiexec.exe
- Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E
- Key deleted: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a
- Key created: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b
Modifies registry class (20 IoCs), all by msiexec.exe; paths are relative to \REGISTRY\MACHINE\SOFTWARE\Classes\Installer
- Key created: Features\55435E464F2BDA24DA73E2F419529F73
- Set value (int): Products\55435E464F2BDA24DA73E2F419529F73\Assignment = "1"
- Set value (int): Products\55435E464F2BDA24DA73E2F419529F73\AuthorizedLUAApp = "0"
- Set value (str): UpgradeCodes\0AD881C19F612E04DAD74EFBEB5A28A0\55435E464F2BDA24DA73E2F419529F73
- Set value (str): Products\55435E464F2BDA24DA73E2F419529F73\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
- Set value (str): Features\55435E464F2BDA24DA73E2F419529F73\MainFeature
- Key created: Products\55435E464F2BDA24DA73E2F419529F73\SourceList
- Set value (str): Products\55435E464F2BDA24DA73E2F419529F73\SourceList\PackageName = "setup.msi"
- Set value (data): Products\55435E464F2BDA24DA73E2F419529F73\Clients = 3a0000000000
- Set value (int): Products\55435E464F2BDA24DA73E2F419529F73\Language = "1033"
- Set value (int): Products\55435E464F2BDA24DA73E2F419529F73\AdvertiseFlags = "388"
- Set value (int): Products\55435E464F2BDA24DA73E2F419529F73\InstanceType = "0"
- Set value (int): Products\55435E464F2BDA24DA73E2F419529F73\DeploymentFlags = "3"
- Key created: Products\55435E464F2BDA24DA73E2F419529F73\SourceList\Net
- Key created: Products\55435E464F2BDA24DA73E2F419529F73
- Set value (str): Products\55435E464F2BDA24DA73E2F419529F73\ProductName = "Apps"
- Set value (str): Products\55435E464F2BDA24DA73E2F419529F73\PackageCode = "FE5E588C7A5F4984ABC63A7C48A961C9"
- Set value (int): Products\55435E464F2BDA24DA73E2F419529F73\Version = "16777216"
- Key created: UpgradeCodes\0AD881C19F612E04DAD74EFBEB5A28A0
- Set value (str): Products\55435E464F2BDA24DA73E2F419529F73\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
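The 32-hex-digit subkeys under Installer\Products, \Features and \UpgradeCodes are Windows Installer's "compressed" GUID form (hyphens removed, nibbles of each GUID field reversed), and the Version value packs major/minor/build into one DWORD. Decoding them lets an analyst tie these registry IoCs to the ProductCode in the SourceHash{...} file created under C:\Windows\Installer and to the MSI's Property table. The block below is an added example written for this page; it is not code from the sandbox, the sample or any vendor. The registry paths and values inside it are copied from the IoCs above, and the function names are assumptions of the example.

```python
"""
Added example: decode the Windows Installer "compressed" GUIDs and the packed
Version DWORD that appear in the registry IoCs above, so they can be matched
against the SourceHash{...} file name and the MSI's Property table.
"""
import re

# Windows Installer drops the braces and hyphens from a GUID and reverses the
# nibble order inside each of the five fields: the first three fields (8, 4, 4
# hex digits) are reversed as whole strings, the last two (4 and 12 hex digits)
# are reversed two digits at a time, i.e. byte-wise.
_FIELD_WIDTHS = (8, 4, 4, 4, 12)


def _flip(field: str, bytewise: bool) -> str:
    if not bytewise:
        return field[::-1]
    return "".join(field[i:i + 2][::-1] for i in range(0, len(field), 2))


def decompress_guid(squished: str) -> str:
    """'55435E46...9F73' -> '{64E53455-B2F4-42AD-AD37-2E4F9125F937}'."""
    s = squished.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", s):
        raise ValueError(f"not a 32-hex-digit compressed GUID: {squished!r}")
    fields, pos = [], 0
    for idx, width in enumerate(_FIELD_WIDTHS):
        fields.append(_flip(s[pos:pos + width], bytewise=idx >= 3))
        pos += width
    return "{" + "-".join(fields) + "}"


def compress_guid(guid: str) -> str:
    """Inverse of decompress_guid; each per-field flip is its own inverse."""
    fields = guid.strip().upper().strip("{}").split("-")
    if tuple(len(f) for f in fields) != _FIELD_WIDTHS:
        raise ValueError(f"not a GUID: {guid!r}")
    return "".join(_flip(f, bytewise=idx >= 3) for idx, f in enumerate(fields))


def decode_msi_version(packed: int) -> str:
    """Installer\\Products\\<code>\\Version stores major<<24 | minor<<16 | build."""
    return f"{(packed >> 24) & 0xFF}.{(packed >> 16) & 0xFF}.{packed & 0xFFFF}"


# A compressed GUID is the subkey directly under Products, Features or UpgradeCodes.
_SQUISHED_KEY = re.compile(
    r"\\Installer\\(Products|Features|UpgradeCodes)\\([0-9A-Fa-f]{32})"
)


def guids_from_registry_iocs(paths):
    """Return {subkey_kind: {compressed: decoded}} for every compressed GUID found."""
    found = {}
    for path in paths:
        for kind, squished in _SQUISHED_KEY.findall(path):
            found.setdefault(kind, {})[squished.upper()] = decompress_guid(squished)
    return found


# Registry key paths and values copied from the "Modifies registry class" IoCs above.
REPORT_REGISTRY_IOCS = [
    r"\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\55435E464F2BDA24DA73E2F419529F73",
    r"\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\55435E464F2BDA24DA73E2F419529F73\PackageCode",
    r"\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0AD881C19F612E04DAD74EFBEB5A28A0\55435E464F2BDA24DA73E2F419529F73",
]
REPORT_PACKAGE_CODE = "FE5E588C7A5F4984ABC63A7C48A961C9"  # PackageCode value from the IoCs
REPORT_VERSION = 16777216                                  # Version value from the IoCs

if __name__ == "__main__":
    for kind, table in guids_from_registry_iocs(REPORT_REGISTRY_IOCS).items():
        for squished, guid in table.items():
            print(f"{kind:12} {squished} -> {guid}")
    print("PackageCode ->", decompress_guid(REPORT_PACKAGE_CODE))
    print("Version     ->", decode_msi_version(REPORT_VERSION))
```

Run on the IoCs above, the Products subkey decodes to {64E53455-B2F4-42AD-AD37-2E4F9125F937}, the same ProductCode as the SourceHash{...} file under "Drops file in Windows directory", so the registry writes and the dropped file belong to one product registration; Version 16777216 is 1.0.0, which matches the 1.0.0 path component of the AdvinstAnalytics session file listed under Downloads.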
Suspicious behavior: EnumeratesProcesses (14 IoCs)
- PID 1444 MsiExec.exe (2 entries)
- PID 4616 msiexec.exe (2 entries)
- PID 2204 msedge.exe (2 entries)
- PID 3064 msedge.exe (2 entries)
- PID 1316 identity_helper.exe (2 entries)
- PID 1084 msedge.exe (4 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
- PID 3064 msedge.exe (6 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- PID 4780 msiexec.exe, 31 entries in this order: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- PID 4616 msiexec.exe, 33 entries: SeSecurityPrivilege once (interleaved early in the sequence above), then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating, 16 times each
Suspicious use of FindShellTrayWindow (27 IoCs)
- PID 4780 msiexec.exe (2 entries, first and last)
- PID 3064 msedge.exe (25 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
- PID 3064 msedge.exe (24 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
- PID 4616 msiexec.exe wrote to memory of 1444 (procid_target 87): 3 entries
- PID 4616 msiexec.exe wrote to memory of 772 (procid_target 89): 3 entries
- PID 772 MSI5BAA.tmp wrote to memory of 3064 (procid_target 90): 2 entries
- PID 3064 msedge.exe wrote to memory of 3360 (procid_target 91): 2 entries
- PID 3064 msedge.exe wrote to memory of 4244 (procid_target 92): 40 entries
- PID 3064 msedge.exe wrote to memory of 2204 (procid_target 93): 2 entries
- PID 3064 msedge.exe wrote to memory of 4964 (procid_target 94): 12 entries
Processes
- C:\Windows\system32\msiexec.exe (PID 4780)
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 4616)
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 1444, child of 4616)
    C:\Windows\syswow64\MsiExec.exe -Embedding F907A93CE5D46F08D8F93A2960B0432D
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\Installer\MSI5BAA.tmp (PID 772, child of 4616)
    "C:\Windows\Installer\MSI5BAA.tmp" https://telixsearch.com/tyy
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3064, child of 772)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://telixsearch.com/tyy
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - msedge.exe crashpad handler (PID 3360, child of 3064)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffc6f446f8,0x7fffc6f44708,0x7fffc6f44718
      - msedge.exe GPU process (PID 4244, child of 3064)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1964,12035437910317040963,18397864508698346390,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
      - msedge.exe network service (PID 2204, child of 3064)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1964,12035437910317040963,18397864508698346390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
      - msedge.exe storage service (PID 4964, child of 3064)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1964,12035437910317040963,18397864508698346390,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
      - msedge.exe renderer (PID 2924, child of 3064)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,12035437910317040963,18397864508698346390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
      - msedge.exe renderer (PID 1612, child of 3064)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,12035437910317040963,18397864508698346390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
      - identity_helper.exe (PID 3476, child of 3064)
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1964,12035437910317040963,18397864508698346390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
      - identity_helper.exe (PID 1316, child of 3064)
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1964,12035437910317040963,18397864508698346390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
      - msedge.exe renderer (PID 2656, child of 3064)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,12035437910317040963,18397864508698346390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
      - msedge.exe renderer, instant process (PID 1968, child of 3064)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,12035437910317040963,18397864508698346390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
      - msedge.exe renderer (PID 1912, child of 3064)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,12035437910317040963,18397864508698346390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
      - msedge.exe renderer, instant process (PID 3576, child of 3064)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,12035437910317040963,18397864508698346390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
      - msedge.exe GPU process, sandbox disabled (PID 1084, child of 3064)
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1964,12035437910317040963,18397864508698346390,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1264 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 5024)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 1060)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
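The chain worth a detection rule in the tree above is: the Windows Installer service (msiexec.exe /V, PID 4616) executes a custom-action binary it extracted into C:\Windows\Installer (MSI5BAA.tmp, PID 772), and that binary launches Edge on https://telixsearch.com/tyy. The block below is an added example written for this page, not code from the sandbox, the sample or any vendor: it expresses that chain as a check over process-creation events of the shape Sysmon event ID 1 or an EDR exports (PID, parent PID, image path, command line). The event list is constructed from the process tree above; parent PIDs of the top-level processes are not in the report and are set to 0, the long Edge child command lines are truncated, and the function names are assumptions of the example.

```python
"""
Added example: flag the msiexec -> C:\Windows\Installer\MSI<hex>.tmp -> browser+URL
chain from the process tree above, given process-creation events.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int        # 0 = parent not recorded in the report (assumption of the example)
    image: str
    cmdline: str


# Custom-action executables that msiexec extracts from an MSI land in
# C:\Windows\Installer as MSI<hex>.tmp; that is where MSI5BAA.tmp came from.
_INSTALLER_TMP = re.compile(
    r"^[A-Za-z]:\\Windows\\Installer\\MSI[0-9A-Fa-f]{1,4}\.tmp$", re.IGNORECASE
)
_URL = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)
_BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dropped_installer_exes(events):
    """Events where msiexec.exe executed a file it dropped under C:\\Windows\\Installer."""
    by_pid = {e.pid: e for e in events}
    return [
        e for e in events
        if _INSTALLER_TMP.match(e.image)
        and e.ppid in by_pid
        and _basename(by_pid[e.ppid].image) == "msiexec.exe"
    ]


def installer_url_launches(events):
    """msiexec -> MSI<hex>.tmp -> browser with a URL on its command line; one record per hit."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _basename(e.image) not in _BROWSERS:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or not _INSTALLER_TMP.match(parent.image):
            continue
        grandparent = by_pid.get(parent.ppid)
        if grandparent is None or _basename(grandparent.image) != "msiexec.exe":
            continue
        urls = _URL.findall(e.cmdline)
        if not urls:
            continue
        hits.append({
            "chain": [grandparent.pid, parent.pid, e.pid],
            "dropped_exe": parent.image,
            "browser": e.image,
            "url": urls[0],
        })
    return hits


_EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed from the process tree above; Edge child command lines are truncated.
REPORT_EVENTS = [
    ProcEvent(4780, 0, r"C:\Windows\system32\msiexec.exe",
              r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi"),
    ProcEvent(4616, 0, r"C:\Windows\system32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(1444, 4616, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding F907A93CE5D46F08D8F93A2960B0432D"),
    ProcEvent(772, 4616, r"C:\Windows\Installer\MSI5BAA.tmp",
              r'"C:\Windows\Installer\MSI5BAA.tmp" https://telixsearch.com/tyy'),
    ProcEvent(3064, 772, _EDGE, f'"{_EDGE}" --single-argument https://telixsearch.com/tyy'),
    ProcEvent(3360, 3064, _EDGE, f'"{_EDGE}" --type=crashpad-handler (truncated)'),
    ProcEvent(4244, 3064, _EDGE, f'"{_EDGE}" --type=gpu-process (truncated)'),
    ProcEvent(5024, 0, r"C:\Windows\System32\CompPkgSrv.exe",
              r"C:\Windows\System32\CompPkgSrv.exe -Embedding"),
]

if __name__ == "__main__":
    for e in dropped_installer_exes(REPORT_EVENTS):
        print(f"dropped EXE run by msiexec: pid {e.pid} {e.image}")
    for hit in installer_url_launches(REPORT_EVENTS):
        print(f"installer opened browser: chain {hit['chain']} -> {hit['url']}")
```

Treat a hit as a hunting lead rather than a verdict: setup authoring tools offer an "open URL after install" custom action, and the AdvinstAnalytics session file under Downloads suggests this package was built with Advanced Installer, so the useful follow-up is the reputation of the destination domain and what the browser fetched from it, not the launch pattern alone.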
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 11KB
  MD5: 19eb4e52327750689a35ca27d424d3bc
  SHA1: fdeb1d3e3ea57799118e0b50378acc67bfa88d0f
  SHA256: 80f43b4b4f38e5a0e37eeeab8941c44c8d573b447f72a96eabd06f5d0d973ff1
  SHA512: df5fc6e779b714b5e085f6086c3ebcda065dc099999d8d03fe6328301ddca52307b9af18ab57d190dd1606bfeb0a6f9a80740e9937f33e9531c7671f657a59ad
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30069012ED3CF5DB92F9F4FC78D55E2D_16AA5B9B040CB195ADDB70661F18F3C5
  Filesize: 1KB
  MD5: a4f39284533c46a364a36dd9237e098e
  SHA1: bc4ccf4f86591cc3d251494a08c24c17b6044311
  SHA256: b128bb4da80daf1eb6ea1c5e8d56ba4db0943bd60ae46dbc1b0a7b80744dff8a
  SHA512: ec16585e55ec508cc47a2d4d81ba6bdf9961e46fc830b4ebf282cdf107527e38d6a3dc26cb675a468143940685a486c61d683df7c52f6d1b328587c7555b943f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B03113490075047F519A3F760F0FF379_95980E5E8BBE730A69D3C1EABF291983
  Filesize: 2KB
  MD5: beb64c647ba62e122d0160e858cd75da
  SHA1: c7e6647d993cda8675ae413f14ec180e89cf2e3f
  SHA256: a049638a056e864e35622bc606153277ca3aba90f30e3a462112485c5e103646
  SHA512: 566319109481b876cdb36d4a86977c6381619460337298587d1cf2b2d33740b49f4883e3cb5cc18d375aebf7d099b8e4faa95854ac7244d4e1edef44b3f7252c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30069012ED3CF5DB92F9F4FC78D55E2D_16AA5B9B040CB195ADDB70661F18F3C5
  Filesize: 412B
  MD5: 7c743119d2b568232cffa98482a5cf9e
  SHA1: f9a5f04c04e72ff6e27b90e834ecf0a0d90c6acd
  SHA256: 9e246184034f544f4e01f435e1a11a0a6b7976f7d2cfa1c9f50186e96e0eb6ea
  SHA512: d892a274564c454397b11c3bf621e5232c7582384842743c4cd5e4d040ef162f2141e33149ec5c1084907b039ab9ffc60750dd03b5033b576291c9490609ab83
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B03113490075047F519A3F760F0FF379_95980E5E8BBE730A69D3C1EABF291983
  Filesize: 428B
  MD5: 789241abb383a9f91658584f49e6dfc8
  SHA1: 18dd6865fecd2ea2783d48ac936c024d4b1023a3
  SHA256: eb5770e213f188c0775231868cafa8badfdf8c2e5ae6f37faf6a69e9f94be12a
  SHA512: 7441105729d42019bf7d58b37e74beeb6246cb43d85a5a7a95d982c84f33c68528b63d35959781885779d78b52675ca3b0412c070fa1b123163a0b0b8c5c394e
- Filesize: 84B
  MD5: 2dc610de5887959335b536b2ac3810a5
  SHA1: fb464f512723f464aa44d114634a287a5c27f538
  SHA256: 2e7b74480ce973498b6c6a0c142c3e1342d013cd367428ff546e42664ca1779e
  SHA512: 32ad3ab9aaf4963b7b5005f550f9a896c425cdaca5e6fc78661aef8382f36a74f08dba544708c5807d50f1e1d6f9bf1f1bd0f6721407023dba0c591b20e3554d
- Filesize: 84B
  MD5: f9d1a00b254c7b3c65b145cacf98f699
  SHA1: 1febf82d0b474b6c9263dba731fceddeada28827
  SHA256: b68a4da32ea48c3b4a6b9e753ae0e69dbd34636b80bb08391dc61413a826094b
  SHA512: 213378302725085caf78e3c6c1a3254f37d94b529d51d4c2a9de24f9118395a175accf48e2d8ba04a930b22034f5d819d3b07d876fed06d3d810298d82063f80
- C:\Users\Admin\AppData\Local\AdvinstAnalytics\65b2e2115bc9fc7472607c90\1.0.0\{484B9251-CFBA-4DF2-A8D8-489850D2AB16}.session
  Filesize: 34KB
  MD5: 94589de8cb4f4653149f86b816ab4df5
  SHA1: 1085b0d8ee685fea268a397e63391429292624d6
  SHA256: a764aded548c12e5100bc1691d6f35e78525ec31885187c22d7ee3e43e2beecd
  SHA512: a0b988f0af5e02992d4597acf4d0db35246a5c44e50c9001d33c76bf23b9485dd4a70e82a7123f56b0e0f9768664256e75cfe5cc1feddda4656c7915513517ed
- Filesize: 152B
  MD5: 87f7abeb82600e1e640b843ad50fe0a1
  SHA1: 045bbada3f23fc59941bf7d0210fb160cb78ae87
  SHA256: b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262
  SHA512: ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618
- Filesize: 152B
  MD5: f61fa5143fe872d1d8f1e9f8dc6544f9
  SHA1: df44bab94d7388fb38c63085ec4db80cfc5eb009
  SHA256: 284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64
  SHA512: 971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\20f91a83-c687-4631-8b21-8e8a379fb8ed.tmp
  Filesize: 617B
  MD5: 9246ce6f589f5748eca97e5b6b397f9c
  SHA1: 7e60809f8ad7748d7ad859c8d8a1b48a6616b1dc
  SHA256: 3a18b486570a7213581cc22af2bfb68e2300dafe42bed6a38733cef4c27161f1
  SHA512: 8f9680f9760ec0dafc1528f01172632b4d3a8fae7772757b33c9dc7a0debe4c2de7d8412f3634ec98ef3a3a010dbfde5f486f902bba71922192afd831b62357e
- Filesize: 6KB
  MD5: ae820ff6acaa447d3d961e6986fd4d76
  SHA1: 2a6a11654d038e31e8bac0da579b3144d16e00f2
  SHA256: aaeb71fbfbca6f998e07740a4aa5141f4d67cff7a98b37e7b6a15ea003c07509
  SHA512: 3877b899d2fcd5df7cc24209fc0e2ca3d9943eedd063428a90aed9f98164b1f4b6e64ca1b93253b3a4dad17dd3c2e793c905723bc02cc2aa51e248d36bd15642
- Filesize: 6KB
  MD5: 1f979dbadffa9824ddb847a012f71b6b
  SHA1: e6e0d4ad88be7acf82ecffcb939117e407c6aa99
  SHA256: e802acee5a2a1bd510040051df50a3e27d0107189a49f3d92c0c0a4c9e34d94a
  SHA512: 072a575c8c9f22d7e38a202285bb554a0260a68017f839e971c37850ef819a8331244e6ed6ecedcaad24041e84d865f4da2e446a07ad529cbbfcd90c91997677
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: 5020de2cd655e4b16bf44e66a39d9b53
  SHA1: 91e96cfb376d59e0d2d7546de8b56915612fad4c
  SHA256: e0b0f9453edfc62db8c7f953b9fdc45869266b8b82109b919a961ee4ea8cac4d
  SHA512: 6d433ce57af5580baa35a884bb8fcd50ae37840e1bbbc2b020f3393d766db377316bbbcd59d3e62e3d3acd01458371ec9f37a3ed7659152b4d30f29ebd4d35c7
- Filesize: 1.1MB
  MD5: c6b7f525bebdce408cae137e6c82fa4c
  SHA1: 6b13d7b7e66c2c32815b98e33c95937f559e2cac
  SHA256: e0ea63e00f640c74ddd0b51a46d4d0601acdebdc8b97957fed727f332a96dc90
  SHA512: f1e330aad8bc2de79fbe7e7452148714d3f823450c5de039ccbc3690f523c55b240dca4e8d9a9ac83e7afcea6462950b4bc2cbcf52b4c959b9047660a6872a4f
- Filesize: 738KB
  MD5: 8d84543f774c6b280b32b24265e272e8
  SHA1: cd3a0dbc06b9b4945f3a5d3b40972a0b5f66044b
  SHA256: 32b60176177d943df28f931828717f4b52b1434b8c0cd3ca8cc8a424b016b092
  SHA512: 247c5c3c4765e61b4d4b7514886e9eccb45746593b21a8dc8f718a224a1a0bc813fe227030738c3035cb9a9017ba53d7feff07cccb11407e9b22678af0c42056
- Filesize: 1.1MB
  MD5: 9ac5da40be505273f6f1b48ce6d159be
  SHA1: 47d3fbb35dd5df773bb9cb523eaf063c40f52241
  SHA256: 6547bac5e0f08595325b769a6605a6c27b1eb2620a31dc9ecc4185b64882e837
  SHA512: 8826dc286b48b4008eff8e38f3ffe4519601f702bd9a6b71731e2ce929789f9ec92f4997fcd28930b91132df5053ffa4f276b5dcb2f8589b93befb805b4bad3b
- Filesize: 416KB
  MD5: e014e0a640cefb49b2a301ff7d00e6c0
  SHA1: 986ebc61f6fc8a5b967208d950cc6ac9e4d5c3f0
  SHA256: edb6a8e18a441e20127545d0663905f051ad4891566049e60d8263d6052e2be3
  SHA512: 39fd9de58525cdb7f5874841d1a66d6d53cb61378fd4dfd7b13e6a99b2e7b01a3be76f62bc7768b498c9d71fd75c214d9ded52ee458374a2374af3bd09e6d4a9