54da67354ca45596f98a3cea115bf32a8d2c252a0473080f25fe1d7bd9bfa153

Resubmissions

16-06-2024 18:03

240616-wm1tnavejl 6

16-06-2024 18:01

240616-wlx2da1cqd 6

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Unknown.msi
Size

1.6MB
MD5

28d28b44624c4e00fb5d3e96c9637c3d
SHA1

806c432fc90b27fa99844747a8259e81fac68543
SHA256

54da67354ca45596f98a3cea115bf32a8d2c252a0473080f25fe1d7bd9bfa153
SHA512

08cbbcbb11dbf3aa663c1614f13ac2cfd846aaecd7a31c977a6f538efbaa4bec3e3d20383af68d723f81c892d6156ff91115d82b3e1d962af3767e6b9a0b9771
SSDEEP

49152:CfeRc/f9r84jEHYDgS5u7v+ycFTzn795k0zjjZ:7VHYDgrSycl

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	3796	msiexec.exe
4	3796	msiexec.exe
6	3796	msiexec.exe
8	3796	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	MSI45CA.tmp

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI424A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI44B0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI42C8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI45CA.tmp	msiexec.exe
File created	C:\Windows\Installer\e57414f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI41CC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4336.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4413.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8D051B69-E258-4E03-813B-5BB4627D724B}	msiexec.exe
File created	C:\Windows\Installer\e574153.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57414f.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI43B4.tmp	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
4992	MSI45CA.tmp

Loads dropped DLL 6 IoCs

pid	Process
4728	MsiExec.exe
4728	MsiExec.exe
4728	MsiExec.exe
4728	MsiExec.exe
4728	MsiExec.exe
4728	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CE315C105C859B54A8A9FB99D8F5C90C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\CE315C105C859B54A8A9FB99D8F5C90C\96B150D8852E30E418B3B54B26D727B4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96B150D8852E30E418B3B54B26D727B4	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96B150D8852E30E418B3B54B26D727B4\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\ProductName = "Guard"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\PackageCode = "2088ACF133F0AF54BBD3C7A4AF2F2121"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\SourceList\PackageName = "Unknown.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96B150D8852E30E418B3B54B26D727B4\Clients = 3a0000000000	msiexec.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1580	msiexec.exe
1580	msiexec.exe
2620	msedge.exe
2620	msedge.exe
2728	msedge.exe
2728	msedge.exe
1444	identity_helper.exe
1444	identity_helper.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe
2740	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3796	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3796	msiexec.exe
Token: SeSecurityPrivilege	1580	msiexec.exe
Token: SeCreateTokenPrivilege	3796	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3796	msiexec.exe
Token: SeLockMemoryPrivilege	3796	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3796	msiexec.exe
Token: SeMachineAccountPrivilege	3796	msiexec.exe
Token: SeTcbPrivilege	3796	msiexec.exe
Token: SeSecurityPrivilege	3796	msiexec.exe
Token: SeTakeOwnershipPrivilege	3796	msiexec.exe
Token: SeLoadDriverPrivilege	3796	msiexec.exe
Token: SeSystemProfilePrivilege	3796	msiexec.exe
Token: SeSystemtimePrivilege	3796	msiexec.exe
Token: SeProfSingleProcessPrivilege	3796	msiexec.exe
Token: SeIncBasePriorityPrivilege	3796	msiexec.exe
Token: SeCreatePagefilePrivilege	3796	msiexec.exe
Token: SeCreatePermanentPrivilege	3796	msiexec.exe
Token: SeBackupPrivilege	3796	msiexec.exe
Token: SeRestorePrivilege	3796	msiexec.exe
Token: SeShutdownPrivilege	3796	msiexec.exe
Token: SeDebugPrivilege	3796	msiexec.exe
Token: SeAuditPrivilege	3796	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3796	msiexec.exe
Token: SeChangeNotifyPrivilege	3796	msiexec.exe
Token: SeRemoteShutdownPrivilege	3796	msiexec.exe
Token: SeUndockPrivilege	3796	msiexec.exe
Token: SeSyncAgentPrivilege	3796	msiexec.exe
Token: SeEnableDelegationPrivilege	3796	msiexec.exe
Token: SeManageVolumePrivilege	3796	msiexec.exe
Token: SeImpersonatePrivilege	3796	msiexec.exe
Token: SeCreateGlobalPrivilege	3796	msiexec.exe
Token: SeRestorePrivilege	1580	msiexec.exe
Token: SeTakeOwnershipPrivilege	1580	msiexec.exe
Token: SeRestorePrivilege	1580	msiexec.exe
Token: SeTakeOwnershipPrivilege	1580	msiexec.exe
Token: SeRestorePrivilege	1580	msiexec.exe
Token: SeTakeOwnershipPrivilege	1580	msiexec.exe
Token: SeRestorePrivilege	1580	msiexec.exe
Token: SeTakeOwnershipPrivilege	1580	msiexec.exe
Token: SeRestorePrivilege	1580	msiexec.exe
Token: SeTakeOwnershipPrivilege	1580	msiexec.exe
Token: SeRestorePrivilege	1580	msiexec.exe
Token: SeTakeOwnershipPrivilege	1580	msiexec.exe
Token: SeRestorePrivilege	1580	msiexec.exe
Token: SeTakeOwnershipPrivilege	1580	msiexec.exe
Token: SeRestorePrivilege	1580	msiexec.exe
Token: SeTakeOwnershipPrivilege	1580	msiexec.exe
Token: SeRestorePrivilege	1580	msiexec.exe
Token: SeTakeOwnershipPrivilege	1580	msiexec.exe
Token: SeRestorePrivilege	1580	msiexec.exe
Token: SeTakeOwnershipPrivilege	1580	msiexec.exe
Token: SeRestorePrivilege	1580	msiexec.exe
Token: SeTakeOwnershipPrivilege	1580	msiexec.exe
Token: SeRestorePrivilege	1580	msiexec.exe
Token: SeTakeOwnershipPrivilege	1580	msiexec.exe
Token: SeRestorePrivilege	1580	msiexec.exe
Token: SeTakeOwnershipPrivilege	1580	msiexec.exe
Token: SeRestorePrivilege	1580	msiexec.exe
Token: SeTakeOwnershipPrivilege	1580	msiexec.exe
Token: SeRestorePrivilege	1580	msiexec.exe
Token: SeTakeOwnershipPrivilege	1580	msiexec.exe
Token: SeRestorePrivilege	1580	msiexec.exe
Token: SeTakeOwnershipPrivilege	1580	msiexec.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3796	msiexec.exe
3796	msiexec.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 4728	1580	msiexec.exe	87
PID 1580 wrote to memory of 4728	1580	msiexec.exe	87
PID 1580 wrote to memory of 4728	1580	msiexec.exe	87
PID 1580 wrote to memory of 4992	1580	msiexec.exe	88
PID 1580 wrote to memory of 4992	1580	msiexec.exe	88
PID 1580 wrote to memory of 4992	1580	msiexec.exe	88
PID 4992 wrote to memory of 2728	4992	MSI45CA.tmp	89
PID 4992 wrote to memory of 2728	4992	MSI45CA.tmp	89
PID 2728 wrote to memory of 1620	2728	msedge.exe	90
PID 2728 wrote to memory of 1620	2728	msedge.exe	90
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 4828	2728	msedge.exe	91
PID 2728 wrote to memory of 2620	2728	msedge.exe	92
PID 2728 wrote to memory of 2620	2728	msedge.exe	92
PID 2728 wrote to memory of 4104	2728	msedge.exe	93
PID 2728 wrote to memory of 4104	2728	msedge.exe	93
PID 2728 wrote to memory of 4104	2728	msedge.exe	93
PID 2728 wrote to memory of 4104	2728	msedge.exe	93
PID 2728 wrote to memory of 4104	2728	msedge.exe	93
PID 2728 wrote to memory of 4104	2728	msedge.exe	93
PID 2728 wrote to memory of 4104	2728	msedge.exe	93
PID 2728 wrote to memory of 4104	2728	msedge.exe	93
PID 2728 wrote to memory of 4104	2728	msedge.exe	93
PID 2728 wrote to memory of 4104	2728	msedge.exe	93
PID 2728 wrote to memory of 4104	2728	msedge.exe	93
PID 2728 wrote to memory of 4104	2728	msedge.exe	93

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Unknown.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3796

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7E6538D75F217032C3E251BBD9E65B3F
  2⤵
  - Loads dropped DLL
  PID:4728
- C:\Windows\Installer\MSI45CA.tmp
  "C:\Windows\Installer\MSI45CA.tmp" https://telixsearch.com/tyy
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://telixsearch.com/tyy
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa5acd46f8,0x7ffa5acd4708,0x7ffa5acd4718
      4⤵
      PID:1620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,8117309381112471189,18314698812405555738,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 /prefetch:2
      4⤵
      PID:4828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,8117309381112471189,18314698812405555738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,8117309381112471189,18314698812405555738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
      4⤵
      PID:4104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8117309381112471189,18314698812405555738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
      4⤵
      PID:3448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8117309381112471189,18314698812405555738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      4⤵
      PID:2828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,8117309381112471189,18314698812405555738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
      4⤵
      PID:3524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,8117309381112471189,18314698812405555738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8117309381112471189,18314698812405555738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
      4⤵
      PID:2068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8117309381112471189,18314698812405555738,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
      4⤵
      PID:1376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8117309381112471189,18314698812405555738,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
      4⤵
      PID:2724
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8117309381112471189,18314698812405555738,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
      4⤵
      PID:4380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,8117309381112471189,18314698812405555738,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1284 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e574152.rbs

Filesize
11KB

MD5
54532cf8d2493e756441ed3211e1b64f

SHA1
ad6f009c8efbb9c72b2a99974be8b210ac59aad8

SHA256
11d9dd2867fdbc5b4e5e72d5a5b392908cfaad71aa2dc34854883432129296e1

SHA512
f26752af19378ee210fbba2c97a7623eabb8c8308ce2c367a32c56316ccc770ae4fc5d386616d718fe04520bcd93bd877fb6087b58000a0c406a094d181d6afd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30069012ED3CF5DB92F9F4FC78D55E2D_16AA5B9B040CB195ADDB70661F18F3C5

Filesize
1KB

MD5
0c4ef6c262bb81ddcf2c35fce1c4a4d8

SHA1
a7b0a737c944b13e4058e426e0167ece0ab98dfa

SHA256
2202243c23e3373049886366f1681b921b86f00aa5d020e9717b4a9a17f9d7f1

SHA512
15d83f4f1d5055a365f70a11ce64c9012dbdc6914b14f0bcd69fa881f40cc7283f205e0a021eecb09e16d74cc70c8d9fe4810538c0322e1108461ef64b16aab1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B03113490075047F519A3F760F0FF379_95980E5E8BBE730A69D3C1EABF291983

Filesize
2KB

MD5
896af7507db9fb6868c48837b44550b1

SHA1
ea89719214239616c6125033546eca0a6d3f3795

SHA256
7510c393bd6b9e812a16c42a4e62cfb5046c74d18e7d09d0df3fe02faac37512

SHA512
387483ca84910c3350365d346a184d20dd9f0d79ab595d23703066f2436493a92b532e57511ce489b0d50b4f653326a992127d92702635b6d01154afd07bc240

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30069012ED3CF5DB92F9F4FC78D55E2D_16AA5B9B040CB195ADDB70661F18F3C5

Filesize
412B

MD5
ec276a80c1d625d851ca06abe4b93d70

SHA1
72637dbb4aa4ce88cd6b4b7d9bd93e0cc7b19f50

SHA256
978a13cb2f87e1dcc9adab2f648e4932913011e63e3b0facca513141f4e97b22

SHA512
a079dcf52c8e4b26db9e850026a0535e0993d9ff64d85118f5e2c8a62b616f0568659a3668d78278556d35acea885a71622dd19838b393bca6e391f8faf0008e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B03113490075047F519A3F760F0FF379_95980E5E8BBE730A69D3C1EABF291983

Filesize
428B

MD5
3452f1dfb8fca35cf6f01311cc1a2ec9

SHA1
e29d0795a3b9b952852de87138319677510739f0

SHA256
b5f08c5b9c2ca838b4bfc5c41d54175f102026f6472c6a280e72f64f24d1d014

SHA512
7cf3fae2d9d1ca2f219042b22adf49d957229d03e6ced0e62ecfad442db0f6c0a1c92b7eb4edc800441905e113c4449e824a7fe23df9f7884658aa5bc4c11127

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3a09f853479af373691d131247040276

SHA1
1b6f098e04da87e9cf2d3284943ec2144f36ac04

SHA256
a358de2c0eba30c70a56022c44a3775aa99ffa819cd7f42f7c45ac358b5e739f

SHA512
341cf0f363621ee02525cd398ae0d462319c6a80e05fd25d9aca44234c42a3071b51991d4cf102ac9d89561a1567cbe76dfeaad786a304bec33821ca77080016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
db9081c34e133c32d02f593df88f047a

SHA1
a0da007c14fd0591091924edc44bee90456700c6

SHA256
c9cd202ebb55fe8dd3e5563948bab458e947d7ba33bc0f38c6b37ce5d0bd7c3e

SHA512
12f9809958b024571891fae646208a76f3823ae333716a5cec303e15c38281db042b7acf95bc6523b6328ac9c8644794d39a0e03d9db196f156a6ee1fb4f2744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
685B

MD5
68762746b18b301444022682a7bcdc21

SHA1
880b98dea782eb0f9a4a453dd37885fc077d3477

SHA256
bcce43c840870c0bcb4c476ca044c73d54a70060fcb76faa9cfd98630d510386

SHA512
96a2e0f3c0a3386a2d06907c7dff9eddb80ab3e7bae3009a230eb65a281c5362f7dc7df2f4c140921a8f6f2a4f7b3be4e8853edac016e9d6ec6794d6e15bf2d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4f1c8d5ffb80a9e4200fffc8519b2da3

SHA1
acf2707950e061ba55d870975d161e0317286262

SHA256
fd244dc836b0bc962bd8ea2468a2f2dfbeab8e6e72d35dae5458fb1a3eed74f8

SHA512
6739f2834050fa09b16092754c08ac1eb58318ccfb0ba69ec4d2f9c05fd665e8ca960855b82e26d73981c30ba6eef4d12a4e64b4fcd81c97238317fb987bbc90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c84ad59f25d8746e1a7d08b19038baf5

SHA1
1079816f42a8854a3ae75f587272e11a42e22569

SHA256
b1428ea765733cc5c22a968b78b5bf01c93963ea8ed2985c7ca0270ac2b69214

SHA512
60e80b418a351759d7de7c74a48e0c8191ae1c485e56d3b18b3683141d6deec7182b6e4c673dd3ac130bf1212f9858bfe7d1eb43a24912b3f032be635549747e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
05043f9bcf9dcae2796ef1f4348dd5d2

SHA1
daf6cbcd886a6dbff35459dd9a5c6eb16e32ab3c

SHA256
929cb1040532ea91ee872fc08dbea34501d685fe74184510af9ef75656db5d84

SHA512
367399b9d53ed8884a921f53e499a3ba1f6831a41267b454b846428ba0bde3ba6eb82881e841383936cf71870b494825869476f7d53f9bffbe328e334bc19451

Download Submit
C:\Windows\Installer\MSI41CC.tmp

Filesize
738KB

MD5
8d84543f774c6b280b32b24265e272e8

SHA1
cd3a0dbc06b9b4945f3a5d3b40972a0b5f66044b

SHA256
32b60176177d943df28f931828717f4b52b1434b8c0cd3ca8cc8a424b016b092

SHA512
247c5c3c4765e61b4d4b7514886e9eccb45746593b21a8dc8f718a224a1a0bc813fe227030738c3035cb9a9017ba53d7feff07cccb11407e9b22678af0c42056

Download Submit
C:\Windows\Installer\MSI45CA.tmp

Filesize
416KB

MD5
4f5c40ec5d343ed9f185fbd1d6123d0b

SHA1
3b7569cbe35834c21493385329e43a73ef66413f

SHA256
0272659c6402b95da6c59cbfe4e3e60a361c50bebf536dd0b4c7b914e05cf175

SHA512
64d5476938997a4478744c1185e73391047a1f198d57dc91cc49b9229f144086cae831af828600d979f02c1739065e252fc54e1491354438d875785ba9d8efac

Download Submit