9f455db41c496ef13a6a3254fa07163399fe3de5856e2c985804e8a88b995620

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4mdm17e4-yc6x-rmh1.msi
Size

576KB
MD5

762a9122604efe12866415dd4a8c1d50
SHA1

0abf71df96f7fc03e51932fd0b8a51156482f8c4
SHA256

d92958f2ad51b7d36251e2183b372f2f86ae3146f7ff289285b1283a24b7ddbf
SHA512

130a0a877da93aaa92ffe0d328044002b85f4298e65e0f49315ec161f6a78c13e145e3046b9f6182fb1d66def35739fd7cfbd22b9eef70ebd3e7d65461ec1168
SSDEEP

12288:cMzFfY6owv43bqKlRH1Vq9iyXvAVSY7DvN:cWhY6owvitjVqoAvA

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI38E6.tmp	msiexec.exe
File created	C:\Windows\Installer\e57374c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI378B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3838.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3878.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{086CC072-17C2-4C18-BA08-5F05D6EC8CC0}	msiexec.exe
File opened for modification	C:\Windows\Installer\e57374c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3818.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Loads dropped DLL 4 IoCs

pid	Process
3348	MsiExec.exe
3348	MsiExec.exe
3348	MsiExec.exe
3348	MsiExec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1736	msiexec.exe
1736	msiexec.exe
3304	msedge.exe
3304	msedge.exe
1584	msedge.exe
1584	msedge.exe
4056	identity_helper.exe
4056	identity_helper.exe
5376	msedge.exe
5376	msedge.exe
5376	msedge.exe
5376	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2060	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2060	msiexec.exe
Token: SeSecurityPrivilege	1736	msiexec.exe
Token: SeCreateTokenPrivilege	2060	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2060	msiexec.exe
Token: SeLockMemoryPrivilege	2060	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2060	msiexec.exe
Token: SeMachineAccountPrivilege	2060	msiexec.exe
Token: SeTcbPrivilege	2060	msiexec.exe
Token: SeSecurityPrivilege	2060	msiexec.exe
Token: SeTakeOwnershipPrivilege	2060	msiexec.exe
Token: SeLoadDriverPrivilege	2060	msiexec.exe
Token: SeSystemProfilePrivilege	2060	msiexec.exe
Token: SeSystemtimePrivilege	2060	msiexec.exe
Token: SeProfSingleProcessPrivilege	2060	msiexec.exe
Token: SeIncBasePriorityPrivilege	2060	msiexec.exe
Token: SeCreatePagefilePrivilege	2060	msiexec.exe
Token: SeCreatePermanentPrivilege	2060	msiexec.exe
Token: SeBackupPrivilege	2060	msiexec.exe
Token: SeRestorePrivilege	2060	msiexec.exe
Token: SeShutdownPrivilege	2060	msiexec.exe
Token: SeDebugPrivilege	2060	msiexec.exe
Token: SeAuditPrivilege	2060	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2060	msiexec.exe
Token: SeChangeNotifyPrivilege	2060	msiexec.exe
Token: SeRemoteShutdownPrivilege	2060	msiexec.exe
Token: SeUndockPrivilege	2060	msiexec.exe
Token: SeSyncAgentPrivilege	2060	msiexec.exe
Token: SeEnableDelegationPrivilege	2060	msiexec.exe
Token: SeManageVolumePrivilege	2060	msiexec.exe
Token: SeImpersonatePrivilege	2060	msiexec.exe
Token: SeCreateGlobalPrivilege	2060	msiexec.exe
Token: SeRestorePrivilege	1736	msiexec.exe
Token: SeTakeOwnershipPrivilege	1736	msiexec.exe
Token: SeRestorePrivilege	1736	msiexec.exe
Token: SeTakeOwnershipPrivilege	1736	msiexec.exe
Token: SeRestorePrivilege	1736	msiexec.exe
Token: SeTakeOwnershipPrivilege	1736	msiexec.exe
Token: SeRestorePrivilege	1736	msiexec.exe
Token: SeTakeOwnershipPrivilege	1736	msiexec.exe
Token: SeRestorePrivilege	1736	msiexec.exe
Token: SeTakeOwnershipPrivilege	1736	msiexec.exe
Token: SeRestorePrivilege	1736	msiexec.exe
Token: SeTakeOwnershipPrivilege	1736	msiexec.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2060	msiexec.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
2060	msiexec.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe
1584	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 3348	1736	msiexec.exe	84
PID 1736 wrote to memory of 3348	1736	msiexec.exe	84
PID 1736 wrote to memory of 3348	1736	msiexec.exe	84
PID 3348 wrote to memory of 1584	3348	MsiExec.exe	88
PID 3348 wrote to memory of 1584	3348	MsiExec.exe	88
PID 1584 wrote to memory of 5100	1584	msedge.exe	89
PID 1584 wrote to memory of 5100	1584	msedge.exe	89
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3124	1584	msedge.exe	90
PID 1584 wrote to memory of 3304	1584	msedge.exe	91
PID 1584 wrote to memory of 3304	1584	msedge.exe	91
PID 1584 wrote to memory of 2156	1584	msedge.exe	92
PID 1584 wrote to memory of 2156	1584	msedge.exe	92
PID 1584 wrote to memory of 2156	1584	msedge.exe	92
PID 1584 wrote to memory of 2156	1584	msedge.exe	92
PID 1584 wrote to memory of 2156	1584	msedge.exe	92
PID 1584 wrote to memory of 2156	1584	msedge.exe	92
PID 1584 wrote to memory of 2156	1584	msedge.exe	92
PID 1584 wrote to memory of 2156	1584	msedge.exe	92
PID 1584 wrote to memory of 2156	1584	msedge.exe	92
PID 1584 wrote to memory of 2156	1584	msedge.exe	92
PID 1584 wrote to memory of 2156	1584	msedge.exe	92
PID 1584 wrote to memory of 2156	1584	msedge.exe	92
PID 1584 wrote to memory of 2156	1584	msedge.exe	92
PID 1584 wrote to memory of 2156	1584	msedge.exe	92
PID 1584 wrote to memory of 2156	1584	msedge.exe	92

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4mdm17e4-yc6x-rmh1.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2060

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BB8D82BE21FA76599D685D6A12121654
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://registradores.onr.org.br/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff106246f8,0x7fff10624708,0x7fff10624718
      4⤵
      PID:5100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,10581136500733002674,17635725723932083834,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
      4⤵
      PID:3124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,10581136500733002674,17635725723932083834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,10581136500733002674,17635725723932083834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
      4⤵
      PID:2156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10581136500733002674,17635725723932083834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      4⤵
      PID:4440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10581136500733002674,17635725723932083834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
      4⤵
      PID:2632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,10581136500733002674,17635725723932083834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
      4⤵
      PID:2848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,10581136500733002674,17635725723932083834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10581136500733002674,17635725723932083834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
      4⤵
      PID:3608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10581136500733002674,17635725723932083834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
      4⤵
      PID:3344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10581136500733002674,17635725723932083834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
      4⤵
      PID:2728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10581136500733002674,17635725723932083834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
      4⤵
      PID:2848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,10581136500733002674,17635725723932083834,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1480 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
404B

MD5
5586c674f8cb1ca262aeb53811dfd2ad

SHA1
28c10d475c2c7332f9ca236778c43c00bddfd9e1

SHA256
30994e0e668bdd380ee806663ceb8f2b59daab246c3551bf6cfaaaf77f58d05b

SHA512
4ad17a3833f0af36d48655d4ac01847d5dff32088dd44498b233600cfb604765f9436673fccbd075cf77723cd4f4799a7991602e1720878c7ffca4fdc9c26ac5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d0fd1a7212add0f7a68a23a80d24bdba

SHA1
b10b47541dd633395b3f9786080d5505fe166e14

SHA256
7d06435ee46d6bb7828ff7b5a557dcb0066910feb58d1dd375c97a81544e1575

SHA512
3e4d75e236c17acf5f9ad81b1f777c54cdbd7781411b8072da0f3a5a54497fc05763342d5765980ff53fb2b2641ed41e97e0cbe844539d654ee16e8d1c71dac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c88b2b4a466c4bac10a29dc16dd6d403

SHA1
8569fbb4784856c5b9f3ce4d50d885ff6de2e09a

SHA256
e79e71f3bd5f771e7bf8796b64a9d1f0ae88c5305c5a75565a1fe64009adbbb4

SHA512
a7b47340bac9967447edd93d27d7b5239662cdcb24465f151be9ac0b545696f55101d03e0ed87b941160191dfecc2b33984cba1a5771dab24396ae04deeef2c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b5f27111d78dc5420228dbd306738822

SHA1
732c7021bc5fb850c9513f0722a2305734e26876

SHA256
9e07344d4697ac68b435c8f857a6a448ab1c3a443ebaa09e014be1919ad709d0

SHA512
f4817fbf60e91c491dced814070217c4ffd2d94ede2db8b1015bd9f29e4af883e91acfd889d9407e2a7c945ef36b8a5aaddfadcd912b55062be1ac8aa724c5a4

Download Submit
C:\Windows\Installer\MSI378B.tmp

Filesize
376KB

MD5
e12c5bcc254c953b1a46d1434804f4d2

SHA1
99f67acf34af1294f3c6e5eb521c862e1c772397

SHA256
5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b

SHA512
9a61aa00b651fc616cd09d28f4a6b872889a026c61d818595a82c58fdff187e3ad57916c2b8690d1e7016d73a05435e13a85758917cfb89029b34c4a1685aa0b

Download Submit