54da67354ca45596f98a3cea115bf32a8d2c252a0473080f25fe1d7bd9bfa153

Resubmissions

16-06-2024 18:03

240616-wm1tnavejl 6

16-06-2024 18:01

240616-wlx2da1cqd 6

Analysis

max time kernel
146s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
16-06-2024 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Unknown.msi
Size

1.6MB
MD5

28d28b44624c4e00fb5d3e96c9637c3d
SHA1

806c432fc90b27fa99844747a8259e81fac68543
SHA256

54da67354ca45596f98a3cea115bf32a8d2c252a0473080f25fe1d7bd9bfa153
SHA512

08cbbcbb11dbf3aa663c1614f13ac2cfd846aaecd7a31c977a6f538efbaa4bec3e3d20383af68d723f81c892d6156ff91115d82b3e1d962af3767e6b9a0b9771
SSDEEP

49152:CfeRc/f9r84jEHYDgS5u7v+ycFTzn795k0zjjZ:7VHYDgrSycl

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIC8B4.tmp	msiexec.exe
File created	C:\Windows\Installer\e57c6de.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFD3EED9DD9AC92037.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFD2D5426ED7E5CF89.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF2625FF4E61F315AB.TMP	msiexec.exe
File created	C:\Windows\Installer\e57c6da.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC7F3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8D051B69-E258-4E03-813B-5BB4627D724B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC872.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC873.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC894.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF5B5E82F65441C8D8.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC8E4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC942.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57c6da.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC852.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
1532	MSIC942.tmp

Loads dropped DLL 6 IoCs

pid	Process
4188	MsiExec.exe
4188	MsiExec.exe
4188	MsiExec.exe
4188	MsiExec.exe
4188	MsiExec.exe
4188	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CE315C105C859B54A8A9FB99D8F5C90C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\PackageCode = "2088ACF133F0AF54BBD3C7A4AF2F2121"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CE315C105C859B54A8A9FB99D8F5C90C\96B150D8852E30E418B3B54B26D727B4	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96B150D8852E30E418B3B54B26D727B4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\ProductName = "Guard"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96B150D8852E30E418B3B54B26D727B4\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\SourceList\PackageName = "Unknown.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\InstanceType = "0"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2012	msiexec.exe
2012	msiexec.exe
2552	msedge.exe
2552	msedge.exe
3592	msedge.exe
3592	msedge.exe
1072	identity_helper.exe
1072	identity_helper.exe
4416	msedge.exe
4416	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe
4336	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3664	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3664	msiexec.exe
Token: SeSecurityPrivilege	2012	msiexec.exe
Token: SeCreateTokenPrivilege	3664	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3664	msiexec.exe
Token: SeLockMemoryPrivilege	3664	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3664	msiexec.exe
Token: SeMachineAccountPrivilege	3664	msiexec.exe
Token: SeTcbPrivilege	3664	msiexec.exe
Token: SeSecurityPrivilege	3664	msiexec.exe
Token: SeTakeOwnershipPrivilege	3664	msiexec.exe
Token: SeLoadDriverPrivilege	3664	msiexec.exe
Token: SeSystemProfilePrivilege	3664	msiexec.exe
Token: SeSystemtimePrivilege	3664	msiexec.exe
Token: SeProfSingleProcessPrivilege	3664	msiexec.exe
Token: SeIncBasePriorityPrivilege	3664	msiexec.exe
Token: SeCreatePagefilePrivilege	3664	msiexec.exe
Token: SeCreatePermanentPrivilege	3664	msiexec.exe
Token: SeBackupPrivilege	3664	msiexec.exe
Token: SeRestorePrivilege	3664	msiexec.exe
Token: SeShutdownPrivilege	3664	msiexec.exe
Token: SeDebugPrivilege	3664	msiexec.exe
Token: SeAuditPrivilege	3664	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3664	msiexec.exe
Token: SeChangeNotifyPrivilege	3664	msiexec.exe
Token: SeRemoteShutdownPrivilege	3664	msiexec.exe
Token: SeUndockPrivilege	3664	msiexec.exe
Token: SeSyncAgentPrivilege	3664	msiexec.exe
Token: SeEnableDelegationPrivilege	3664	msiexec.exe
Token: SeManageVolumePrivilege	3664	msiexec.exe
Token: SeImpersonatePrivilege	3664	msiexec.exe
Token: SeCreateGlobalPrivilege	3664	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe
Token: SeRestorePrivilege	2012	msiexec.exe
Token: SeTakeOwnershipPrivilege	2012	msiexec.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3664	msiexec.exe
3664	msiexec.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 4188	2012	msiexec.exe	81
PID 2012 wrote to memory of 4188	2012	msiexec.exe	81
PID 2012 wrote to memory of 4188	2012	msiexec.exe	81
PID 2012 wrote to memory of 1532	2012	msiexec.exe	82
PID 2012 wrote to memory of 1532	2012	msiexec.exe	82
PID 2012 wrote to memory of 1532	2012	msiexec.exe	82
PID 1532 wrote to memory of 3592	1532	MSIC942.tmp	83
PID 1532 wrote to memory of 3592	1532	MSIC942.tmp	83
PID 3592 wrote to memory of 4092	3592	msedge.exe	84
PID 3592 wrote to memory of 4092	3592	msedge.exe	84
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2444	3592	msedge.exe	85
PID 3592 wrote to memory of 2552	3592	msedge.exe	86
PID 3592 wrote to memory of 2552	3592	msedge.exe	86
PID 3592 wrote to memory of 2880	3592	msedge.exe	87
PID 3592 wrote to memory of 2880	3592	msedge.exe	87
PID 3592 wrote to memory of 2880	3592	msedge.exe	87
PID 3592 wrote to memory of 2880	3592	msedge.exe	87
PID 3592 wrote to memory of 2880	3592	msedge.exe	87
PID 3592 wrote to memory of 2880	3592	msedge.exe	87
PID 3592 wrote to memory of 2880	3592	msedge.exe	87
PID 3592 wrote to memory of 2880	3592	msedge.exe	87
PID 3592 wrote to memory of 2880	3592	msedge.exe	87
PID 3592 wrote to memory of 2880	3592	msedge.exe	87
PID 3592 wrote to memory of 2880	3592	msedge.exe	87
PID 3592 wrote to memory of 2880	3592	msedge.exe	87

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Unknown.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3664

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 949BC0E5CFA473F956278DB7831F8E47
  2⤵
  - Loads dropped DLL
  PID:4188
- C:\Windows\Installer\MSIC942.tmp
  "C:\Windows\Installer\MSIC942.tmp" https://telixsearch.com/tyy
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://telixsearch.com/tyy
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffc62bf3cb8,0x7ffc62bf3cc8,0x7ffc62bf3cd8
      4⤵
      PID:4092
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,17982886143387948595,14657184573600701113,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
      4⤵
      PID:2444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,17982886143387948595,14657184573600701113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,17982886143387948595,14657184573600701113,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2428 /prefetch:8
      4⤵
      PID:2880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,17982886143387948595,14657184573600701113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
      4⤵
      PID:4480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,17982886143387948595,14657184573600701113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
      4⤵
      PID:3560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,17982886143387948595,14657184573600701113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
      4⤵
      PID:4948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,17982886143387948595,14657184573600701113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,17982886143387948595,14657184573600701113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
      4⤵
      PID:2308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,17982886143387948595,14657184573600701113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
      4⤵
      PID:2408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,17982886143387948595,14657184573600701113,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:1
      4⤵
      PID:3564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,17982886143387948595,14657184573600701113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
      4⤵
      PID:3032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,17982886143387948595,14657184573600701113,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
      4⤵
      PID:1732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,17982886143387948595,14657184573600701113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4416
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,17982886143387948595,14657184573600701113,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3904 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4792

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57c6dd.rbs

Filesize
12KB

MD5
36c669ffa05dc752fe8c5b833a2b6ba1

SHA1
d1d33b27f9da3b5bc56f008bf725b35767ec09da

SHA256
534589abfbfc087bd85087d8c039aab36cfae43b2113761e6a3def1e6a969ea8

SHA512
280dedb11aa9d78a96154ade7803c2321eeabc8df8876d38ae4187a915c266b9b4186ba6b28a5fd30d1cfed4870a61ac35f14f207abb182a0a0678d21f85eee5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c705388d79c00418e5c1751159353e3

SHA1
aaeafebce5483626ef82813d286511c1f353f861

SHA256
697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d

SHA512
c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d84d1490aa9f725b68407eab8f0030e

SHA1
83964574467b7422e160af34ef024d1821d6d1c3

SHA256
40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e

SHA512
f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
60f148fe2d8a9cbc341b9113828bf862

SHA1
5c28d33d3058b8701c5f3b131fd23d3a01605076

SHA256
d7fb55b68ea88d638d445dfee13fe59f1f477a570e602cf448ec610114b8f694

SHA512
fa13c0ed137ca4b87323f6c6fe307b88675e54a5790dd433ed5cd45b124ff5f5f351d7e0d337c6f9d034978cb3bd04bfc65709705d05188f9a2d100c19611cb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5a330af89d1206a37af9ba424ddb0162

SHA1
0d9b8f4f5745910de43436588d2390ca4a4d7046

SHA256
05d546c90e6d2dbc532864f22bee6b4c4275e2028c9963917d49c7b485fbc3f2

SHA512
21191be852ff0900256f0ed2050d705162a189eadaacc07aa453f64071f6632f3bb17bfc361fdf58ae8f54f5d37114ae706a55264edde3175dc8f0d817750ad3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
f0683938a43b10f926330c0c55b4b11f

SHA1
5973d080333ea91a9364c45925a3ad18ad01b4ca

SHA256
f0efac8f3709a861b9b4594e7f68a258c3388ad73ee409d3613d6f0a2874bc3f

SHA512
a8a6f91bd66bdb28d10b4568ecfabf7e394331b0e2c3c318a93f1d2814f8fd7a38f43227f9702305d5e0478f57101d1717420ecdaedffd4868610bd01de9b5db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
b9e86ac1033948ae8b37901768354766

SHA1
3691da606d1bd8f263574ed9a130b75652228370

SHA256
3c827e45af95a3f1f5343a577ca5e36b76d28b148f46dc6999ad5e5b900e2f70

SHA512
68c91e1388569b0f7ef23bcbad932a19f770fddacd25981601b5fed9fdbce0c8982151ecfb9b9a9c691a0fe3c96de26976a7adf27276077aa8184d9888a965b3

Download Submit
C:\Windows\Installer\MSIC7F3.tmp

Filesize
738KB

MD5
8d84543f774c6b280b32b24265e272e8

SHA1
cd3a0dbc06b9b4945f3a5d3b40972a0b5f66044b

SHA256
32b60176177d943df28f931828717f4b52b1434b8c0cd3ca8cc8a424b016b092

SHA512
247c5c3c4765e61b4d4b7514886e9eccb45746593b21a8dc8f718a224a1a0bc813fe227030738c3035cb9a9017ba53d7feff07cccb11407e9b22678af0c42056

Download Submit
C:\Windows\Installer\MSIC942.tmp

Filesize
416KB

MD5
4f5c40ec5d343ed9f185fbd1d6123d0b

SHA1
3b7569cbe35834c21493385329e43a73ef66413f

SHA256
0272659c6402b95da6c59cbfe4e3e60a361c50bebf536dd0b4c7b914e05cf175

SHA512
64d5476938997a4478744c1185e73391047a1f198d57dc91cc49b9229f144086cae831af828600d979f02c1739065e252fc54e1491354438d875785ba9d8efac

Download Submit