10af3efd0851093bbfc56aa03ba7d2bc28c500f2ebdea01292d591d377c459de

Analysis

max time kernel
136s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-es
resource tags

arch:x64arch:x86image:win10v2004-20240226-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
24-05-2024 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HomeDesk.msi
Size

19.5MB
MD5

a6c23b2846b76a423eef4a5cf25e834f
SHA1

bef30ddb5e74e5078847b1f9dfef573f82f63c26
SHA256

d3416342f6a3b32604b783995845df8e24e3e98cffaac755d2292d20504a839f
SHA512

d648fad3216f1b1ba2d9b9124054a4766e48cd3c0e57252af11f679eebe1f308b86e7558b5f82c48b0287d5049515504fe379b242d540d835a6f8d080f2556cf
SSDEEP

393216:dvEwpJKaB9QEyLiZWGGpNmOQ+Ji5FEFhJfnRx96dOuMNIKMgTl:doR5+ZlxODJiONncg6KMgJ

Score

10^/10

banker persistence

Malware Config

Signatures

Detects common strings, DLL and API in Banker_BR 1 IoCs

Hunting by known PDB files - Trojan Banker LATAM.

banker

Processes:

resource	yara_rule
C:\Windows\Installer\e58c474.msi	Detect_MSI_LATAM_Banker_From_LatAm

Hunting by known EXPORT - Trojan Banker LATAM. 1 IoCs

Hunting by known EXPORT - Trojan Banker LATAM.

banker

Processes:

resource	yara_rule
C:\Users\Admin\HomeDesk\AGLoader.dll	Detect_Suspicious_Export_PE_Banker

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

LKdayanJELT9QDD900055.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Financeiro = "C:\\Users\\Admin\\HomeDesk\\LKdayanJELT9QDD900055.exe"	LKdayanJELT9QDD900055.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC87B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e58c474.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58c474.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID609.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID85D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDA90.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID83C.tmp	msiexec.exe
File created	C:\Windows\Installer\e58c478.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1E9BF671-B749-45DC-A228-4E1C413B0C7C}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE00F.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

LKdayanJELT9QDD900055.exe

pid process

4484 LKdayanJELT9QDD900055.exe
Loads dropped DLL 6 IoCs

Processes:

MsiExec.exeLKdayanJELT9QDD900055.exe

pid process

4388 MsiExec.exe
4388 MsiExec.exe
4388 MsiExec.exe
4388 MsiExec.exe
4388 MsiExec.exe
4484 LKdayanJELT9QDD900055.exe

pid	process
4484	LKdayanJELT9QDD900055.exe

pid	process
4388	MsiExec.exe
4388	MsiExec.exe
4388	MsiExec.exe
4388	MsiExec.exe
4388	MsiExec.exe
4484	LKdayanJELT9QDD900055.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{9C86F06E-936A-4DCB-8FB8-80F5010CBC85}	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msiexec.exeLKdayanJELT9QDD900055.exemsedge.exe

pid process

2204 msiexec.exe
2204 msiexec.exe
4484 LKdayanJELT9QDD900055.exe
4484 LKdayanJELT9QDD900055.exe
2452 msedge.exe
2452 msedge.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

LKdayanJELT9QDD900055.exe

pid process

4484 LKdayanJELT9QDD900055.exe

pid	process
2204	msiexec.exe
2204	msiexec.exe
4484	LKdayanJELT9QDD900055.exe
4484	LKdayanJELT9QDD900055.exe
2452	msedge.exe
2452	msedge.exe

pid	process
4484	LKdayanJELT9QDD900055.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2008	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2008	msiexec.exe
Token: SeSecurityPrivilege	2204	msiexec.exe
Token: SeCreateTokenPrivilege	2008	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2008	msiexec.exe
Token: SeLockMemoryPrivilege	2008	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2008	msiexec.exe
Token: SeMachineAccountPrivilege	2008	msiexec.exe
Token: SeTcbPrivilege	2008	msiexec.exe
Token: SeSecurityPrivilege	2008	msiexec.exe
Token: SeTakeOwnershipPrivilege	2008	msiexec.exe
Token: SeLoadDriverPrivilege	2008	msiexec.exe
Token: SeSystemProfilePrivilege	2008	msiexec.exe
Token: SeSystemtimePrivilege	2008	msiexec.exe
Token: SeProfSingleProcessPrivilege	2008	msiexec.exe
Token: SeIncBasePriorityPrivilege	2008	msiexec.exe
Token: SeCreatePagefilePrivilege	2008	msiexec.exe
Token: SeCreatePermanentPrivilege	2008	msiexec.exe
Token: SeBackupPrivilege	2008	msiexec.exe
Token: SeRestorePrivilege	2008	msiexec.exe
Token: SeShutdownPrivilege	2008	msiexec.exe
Token: SeDebugPrivilege	2008	msiexec.exe
Token: SeAuditPrivilege	2008	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2008	msiexec.exe
Token: SeChangeNotifyPrivilege	2008	msiexec.exe
Token: SeRemoteShutdownPrivilege	2008	msiexec.exe
Token: SeUndockPrivilege	2008	msiexec.exe
Token: SeSyncAgentPrivilege	2008	msiexec.exe
Token: SeEnableDelegationPrivilege	2008	msiexec.exe
Token: SeManageVolumePrivilege	2008	msiexec.exe
Token: SeImpersonatePrivilege	2008	msiexec.exe
Token: SeCreateGlobalPrivilege	2008	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2008 msiexec.exe
2008 msiexec.exe

pid	process
2008	msiexec.exe
2008	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exemsedge.exe

description	pid	process	target process
PID 2204 wrote to memory of 4388	2204	msiexec.exe	MsiExec.exe
PID 2204 wrote to memory of 4388	2204	msiexec.exe	MsiExec.exe
PID 2204 wrote to memory of 4388	2204	msiexec.exe	MsiExec.exe
PID 2204 wrote to memory of 4484	2204	msiexec.exe	LKdayanJELT9QDD900055.exe
PID 2204 wrote to memory of 4484	2204	msiexec.exe	LKdayanJELT9QDD900055.exe
PID 2204 wrote to memory of 4484	2204	msiexec.exe	LKdayanJELT9QDD900055.exe
PID 2452 wrote to memory of 228	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 228	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 5072	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 4048	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 4048	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 3048	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 3048	2452	msedge.exe	msedge.exe
PID 2452 wrote to memory of 3048	2452	msedge.exe	msedge.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\HomeDesk.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2008

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 03697149EB8FB6283CC5175759AF07BB
2⤵
- Loads dropped DLL
PID:4388

C:\Users\Admin\HomeDesk\LKdayanJELT9QDD900055.exe
"C:\Users\Admin\HomeDesk\LKdayanJELT9QDD900055.exe"
2⤵
- Adds Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b0,0x7ffa1f2d2e98,0x7ffa1f2d2ea4,0x7ffa1f2d2eb0
2⤵
PID:228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2132 --field-trial-handle=2136,i,3478656936979438375,1840317767451596378,262144 --variations-seed-version /prefetch:2
2⤵
PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=es --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2252 --field-trial-handle=2136,i,3478656936979438375,1840317767451596378,262144 --variations-seed-version /prefetch:3
2⤵
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=es --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3156 --field-trial-handle=2136,i,3478656936979438375,1840317767451596378,262144 --variations-seed-version /prefetch:8
2⤵
PID:3048

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=es --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4428 --field-trial-handle=2136,i,3478656936979438375,1840317767451596378,262144 --variations-seed-version /prefetch:8
2⤵
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=es --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4428 --field-trial-handle=2136,i,3478656936979438375,1840317767451596378,262144 --variations-seed-version /prefetch:8
2⤵
PID:4080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=es --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4444 --field-trial-handle=2136,i,3478656936979438375,1840317767451596378,262144 --variations-seed-version /prefetch:8
2⤵
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=es --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3892 --field-trial-handle=2136,i,3478656936979438375,1840317767451596378,262144 --variations-seed-version /prefetch:8
2⤵
PID:2208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=es --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4672 --field-trial-handle=2136,i,3478656936979438375,1840317767451596378,262144 --variations-seed-version /prefetch:8
2⤵
PID:3432

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58c477.rbs
Filesize
15KB

MD5
9c60804e8261b74628b0ccef0f7ebc7c

SHA1
95e9fb6207267065ab8116d44082e9ffeccc521c

SHA256
51e1f8bcbeaf45ba80fb0842c553794efe488212d1e8f4827080af789868342f

SHA512
19761b82c55dbc347c3ec4bdba0d1d200682a07148126a2ecb6439d3c18c79cc149803ab229eaa84d291c319a6f81a6c82b2f41c390725ed76728c473d412314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
280B

MD5
4c07962c1ad5a7b1e2b079594e6367f8

SHA1
b98bb2abad60387232002476205b4c30ce3bd160

SHA256
69b564f95f428e132134fa472e3bc17fdf3a526370653d9d2e59a91c730e4c45

SHA512
bf34124e0890a977c6e61cda5f2199dcb0e3f62fda916dc9af7039f18fcd1857e89208f88ae505691c1836af37c09b105fc14b6f18dfdd9db69c6152ae62e4b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
01a879f7707d8d530634d8541fdd87d8

SHA1
0f05dc9a95e20f2564766a9f3d8d4e73e09f9369

SHA256
4916e46a351b70bfcb3e22486f2451c164a0a94a34ee14e66ef78edbdb820a79

SHA512
c4d6be9fb38926aefd704b10a57a0f4832db840ea7390f684b059281bce970d1ed7e0748dd813c0096f6af33af9c809a85c5076a1c4d112bb1a8997f2305d1b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
c937cd963168a933a0ccc278473dc49d

SHA1
1786b8bb8bb1caf62ee1b925227f20933937405e

SHA256
4e33b3c810b3d44850026d321e222567babbd97d2b725d2aa1303464e584d5cc

SHA512
3ef157ef40a5ec6ca180e3068948d503d02a92ef7853b451871b603b83596066d58fca99dfce67e7cd7c9137072cde9b1c97175e14ddae4c04af52006a08dc01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
30KB

MD5
188e67fdf4b209ec386d99e5284f75e0

SHA1
8f2256d9926dfb1c37e07b24b9584d79354d65d0

SHA256
aba7ded950dc834a0968ed29c736775e1c3ea07ca073888b61ed906ab8f363f7

SHA512
dffd68e586581a993c3761431acebac1d1bb4d28c39581c18087262195f8dddc213c870bf9f6fa6be57fe1bf94a0b260ca47d8408bb6ef32fed1e698c33547bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
33KB

MD5
5952eafeb3ea51d37384631522af489a

SHA1
aeb03376e7a31d38f22945e5f3be60064280498a

SHA256
84a3c1c7d8e76959a0a203a4ee8164a6560460d4d8489d70dc354f7072954ecc

SHA512
da1e59ce2719ae7ef0e377ba9241545536fc7f7ebb1ee37dd6b2223a4acbe68b6a26458e8865138ad0de32efb8afe1b3a4e0c09eb2a1222b7b9e5ec73a83bb9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
43KB

MD5
4ea6f12fd136a34d02c141666b6be16f

SHA1
6486cc88566ee5d3fc635fccc984e82c0ad537a1

SHA256
8330a3b9210376d637868ff676859bdf39cdb9681147b90b3cd2db6065a33eb0

SHA512
3da4578f3052c688dbe110e7c0911580face04975bea956fcebd7ed0944b2dfd72d8f056c77dde3b53a4ae51e09c70c28e14d16872e90e64012d66c9733e1fd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize
2KB

MD5
13e71e1398c1011daa65d4c86d1ef60d

SHA1
b5671318410ce5cc80cd15917dfabccd31cf1792

SHA256
a3cf6aeb6e24eb6ec656cd5a99fdfa8138940ee018748da69417aaba0b602175

SHA512
98b4813edf665ae12d8eb7ce6904a25d19569e848c6f7ff9665f762c51244539afb35eaca7b9cd2ab4d8eec5c980daf3e911de977e71d0c6e11790372c7cf792

Download Submit
C:\Users\Admin\HomeDesk\AGLoader.dll
Filesize
7.4MB

MD5
2921523030345673a00953df828679e0

SHA1
bc6e603a9b3acb91f4a0c0ce3a6d032785c2e2ea

SHA256
120facb1726fcffeeb2de1d2be98a421823b0d06baec1763cb6c33cffa79b001

SHA512
0612580d856fbeb41c81dbcb08aef1f5fe3bf0744ef0f2f8ee6423fe4cc9f5e25852eb8150dcc439bd74d8e5a73f17f6e7a9f67cade691d57056c0e25c55f888

Download Submit
C:\Users\Admin\HomeDesk\LKdayanJELT9QDD900055.exe
Filesize
289KB

MD5
eb67273c54e78db4faffab9001148753

SHA1
0e6cab2fdf666e53c994718477068e51b656e078

SHA256
7fa7499c7a72041d7d0fb1e4659466ad8d428080a176fa16276fd60adc9da0fd

SHA512
8fcae871423c03850787cdc62f9e2555b054a8480772003fbfa5799ae7359c438d9f64c95592d265328909863fd000d6cdb4b34a6a8810045bc4029f23f6bd07

Download Submit
C:\Users\Admin\HomeDesk\volume.dat
Filesize
3.7MB

MD5
77de03a0a71f4bad680c0442086fcc3e

SHA1
f3732edd5d446d89a99f17f81be1736bc9ece856

SHA256
259b7777d4455bc558eb1c89ad0a69151de670a5d19ffa25f972c090bc3136eb

SHA512
398ec355492ec5f94aa81476bd32b75f7df944e07b9e9cd7d92feb6b94deb89dcc9f2f8c7d3f80efe1d8d7157d0d735cfa3bda246d9bb7138b746c93ac2e08f0

Download Submit
C:\Windows\Installer\MSIC87B.tmp
Filesize
738KB

MD5
ee45c6dffaf86ed2a76d8f969c390c08

SHA1
ff5b2942ffa7d28ed3f72208e8e76391b2991b5a

SHA256
118a551eef23bf842ed470316aa1a50bf17b6d656652879802d4acc0184608ca

SHA512
a92bc7aff5da3dc33263ea3d43cf617d47a2a6c589118f7ee3c5f293d63171778a7a37815ec23cb426558546cf0a1e694c67c7cbc36cca92677de566d1d71664

Download Submit
C:\Windows\Installer\e58c474.msi
Filesize
19.5MB

MD5
a6c23b2846b76a423eef4a5cf25e834f

SHA1
bef30ddb5e74e5078847b1f9dfef573f82f63c26

SHA256
d3416342f6a3b32604b783995845df8e24e3e98cffaac755d2292d20504a839f

SHA512
d648fad3216f1b1ba2d9b9124054a4766e48cd3c0e57252af11f679eebe1f308b86e7558b5f82c48b0287d5049515504fe379b242d540d835a6f8d080f2556cf

Download Submit
\??\pipe\crashpad_2452_IUFWHYBWARROKIXB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4484-160-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/4484-166-0x0000000072700000-0x000000007338F000-memory.dmp

Filesize
12.6MB

Download
memory/4484-165-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/4484-164-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/4484-163-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/4484-162-0x0000000001310000-0x0000000001311000-memory.dmp

Filesize
4KB

Download
memory/4484-161-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/4484-159-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download