hxxp://google[.]com

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
18-06-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

5^/10

persistence privilege_escalation

Malware Config

Signatures

Drops file in System32 directory 7 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\NDF\{C38BA877-B062-4B42-B344-635AF7BCFFCE}-temp-06182024-1124.etl	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	svchost.exe
File created	C:\Windows\system32\NDF\{C38BA877-B062-4B42-B344-635AF7BCFFCE}-temp-06182024-1124.etl	svchost.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk	svchost.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

1464 ipconfig.exe

pid	process
1464	ipconfig.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\RAS AutoDial\Default	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exesdiagnhost.exesvchost.exemsedge.exe

pid	process
1616	msedge.exe
1616	msedge.exe
5044	msedge.exe
5044	msedge.exe
1192	identity_helper.exe
1192	identity_helper.exe
2576	sdiagnhost.exe
2576	sdiagnhost.exe
1760	svchost.exe
1760	svchost.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exe

pid	process
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

sdiagnhost.exe

description pid process

Token: SeDebugPrivilege 2576 sdiagnhost.exe

description	pid	process
Token: SeDebugPrivilege	2576	sdiagnhost.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exemsdt.exe

pid	process
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
3448	msdt.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 5044 wrote to memory of 4968	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 4968	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 3120	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 1616	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 1616	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 2208	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 2208	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 2208	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 2208	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 2208	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 2208	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 2208	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 2208	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 2208	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 2208	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 2208	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 2208	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 2208	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 2208	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 2208	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 2208	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 2208	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 2208	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 2208	5044	msedge.exe	msedge.exe
PID 5044 wrote to memory of 2208	5044	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa80746f8,0x7fffa8074708,0x7fffa8074718
2⤵
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,17630807025604234201,15838893623844186832,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
2⤵
PID:3120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,17630807025604234201,15838893623844186832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,17630807025604234201,15838893623844186832,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
2⤵
PID:2208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,17630807025604234201,15838893623844186832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2428 /prefetch:1
2⤵
PID:2748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,17630807025604234201,15838893623844186832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
2⤵
PID:4708

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,17630807025604234201,15838893623844186832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 /prefetch:8
2⤵
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,17630807025604234201,15838893623844186832,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,17630807025604234201,15838893623844186832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
2⤵
PID:2588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,17630807025604234201,15838893623844186832,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
2⤵
PID:3060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,17630807025604234201,15838893623844186832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
2⤵
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,17630807025604234201,15838893623844186832,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
2⤵
PID:872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,17630807025604234201,15838893623844186832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
2⤵
PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,17630807025604234201,15838893623844186832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
2⤵
PID:3780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,17630807025604234201,15838893623844186832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
2⤵
PID:4360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,17630807025604234201,15838893623844186832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
2⤵
PID:3948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,17630807025604234201,15838893623844186832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
2⤵
PID:1220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,17630807025604234201,15838893623844186832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
2⤵
PID:1432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,17630807025604234201,15838893623844186832,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
2⤵
PID:1952

C:\Windows\system32\msdt.exe
-modal "589886" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFA256.tmp" -ep "NetworkDiagnosticsWeb"
2⤵
- Suspicious use of FindShellTrayWindow
PID:3448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,17630807025604234201,15838893623844186832,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1048 /prefetch:1
2⤵
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,17630807025604234201,15838893623844186832,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3792

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4608

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
2⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3572

C:\Windows\system32\ipconfig.exe
"C:\Windows\system32\ipconfig.exe" /all
2⤵
- Gathers network information
PID:1464

C:\Windows\system32\ROUTE.EXE
"C:\Windows\system32\ROUTE.EXE" print
2⤵
PID:2360

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
2⤵
PID:2304

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4868

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
2⤵
PID:2176

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:1072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
398a31e360a8b8af9b4381f5636ee119

SHA1
51ef76ac114e9b0b678e0875c442ddec2bd984a5

SHA256
f724edb097838bb2cbf763afddd860116939671bf9205a6ec3cd9f023c8c5d81

SHA512
914ba114463349727d3964b7a9a17719ca9ac7c21192e9705bc9f3e21cfe251fbf53afbb95be168962f8028af17f87302109e8d59f6e82472f27f91d7b74987c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
1eb97c5566d854b78e9594a979599207

SHA1
cecf09e6bc2416aa77f055b70d719291c603aaa3

SHA256
d8292d328af16b62c6acfab3a038fb4eca365edaa9e5a4b4aad0f2f50eba155a

SHA512
24f001fff3abcbd1cd71811cd01330a5d95e82bc44092efc7d26d6546249bbb44c8e180bb3690e0271247a64870294a590ece4de589d1d3c4779072f44351f95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f3316b50681d3f48136de027ebfa6e6b

SHA1
d27ba268d4cbdbf7909e7d94dc0321412516f664

SHA256
2235a98eb72c8516ace2025079f033397ad553d39f6e444dc4d4e293b8d37a0e

SHA512
01e44d832126f6ff1c3beeaacfad82347d96c9190d32c4cad6b9583e4a7d4097836a38bd1c75334da05cdf282a3a2b02ee8da0fbb9e82febbaaa7efd59f5e24b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
c9f99140e65b1cecbbfa55eaf169a3cc

SHA1
e1cbad7ab78cbcea288809998071c2015b841f9c

SHA256
39cf7d510448d31c439bfa69bb90ced4c09dff9c01d1fb0bc4b0a24afcdddeaa

SHA512
67a3d92e75a3ceacf75d8434dcfff2535b8220666d459770cc0ec3ce79d93dcee5abb09f6fafd158fdf827be150c363bb4b602118db06653488eb64ec024dcff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
f069443068515e84488ecd3b4733528c

SHA1
0a2c0f4a851a0ee451958ecca7ddc431a9e5aa9c

SHA256
11a2633ac18d767abc647adbe539fdbd46d9e57f33e9705fb65ae10f59cf55fb

SHA512
e9421e22512420a81602c51adbf77020006fd0bd0edd76c8434a072523c616693cda37f442066e45f38c5acb130a7120cdbee91cd9b9eed0d99f29bd1f67a3b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
ee331cbd062239232e5b978211e937e8

SHA1
f233ce10bb028631f1e2e6ad5e8ec77be1bc94c3

SHA256
fb2f0f5caa139c45c7a55804c06ef0f085e638603377fd8a5097e578a41ec3f2

SHA512
17da50c9b92986edf9850444f798f7e6879031a9540c6918e6db8753756560cab12b549d4eda1415e987bc9646e408ec8e193ff2933fdf76d70acfa2f96f766c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\NetTraces\NdfSession-06182024-1124.etl
Filesize
192KB

MD5
28f89816e935f4bcbc0d82ce7e6f2cac

SHA1
95c5249233ac9031003f1eb136f86761729403fe

SHA256
57e25d6d6a8d8a92022489959f5a205ae6f1402188ef8ca82b97134a1a44da21

SHA512
49476c545abaf42499a23e7b953c8fd331b5c66c2365062bb001f528c4c801ec7b5d25ef5bdc2409dfaba18e820299e3bf38f5f3583e51996a64c4424bdae3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDFA256.tmp
Filesize
3KB

MD5
90152f52d0e059da02de3222eb17ffa1

SHA1
74999afae85c06c135e79ddd6cbeda0a85206557

SHA256
c76b87a04318061f3b6929732ae8a4384bbb4a868b2c33855afedc82458842e8

SHA512
94a85ae6b6d885fef5e9306dd2c2e61f68439775ea8ddff4fd8123592b0937eecb64458ec4bafd55165d1bcdb5fcd15ed4bb3821f8dce892c0f6b3cd0c0f176f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ese35zkt.sai.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4387.tmp\NetworkConfiguration.cab
Filesize
1KB

MD5
e265fd59f2a2fd71535646f2b8a6dfe5

SHA1
69e34ac3beb8fd369b63c25a6438e7c93b1e3bc3

SHA256
63e41d68ba6fe08dfe379c4b3a03118501a5965c7e8453f9f38f9dd1afd80041

SHA512
c332db66ebe8d86645324365f1df5fb265b0425fb017eefb2c80f496925d0819edcc9b7d73ec724f6930c2da10b10fb1927d5e6978b9046dc5c970597cfcb4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4387.tmp\NetworkConfiguration.ddf
Filesize
231B

MD5
00848049d4218c485d9e9d7a54aa3b5f

SHA1
d1d5f388221417985c365e8acaec127b971c40d0

SHA256
ffeafbb8e7163fd7ec9abc029076796c73cd7b4eddaeeda9ba394c547419769e

SHA512
3a4874a5289682e2b32108740feea586cb9ccdad9ca08bf30f67c9742370c081ad943ea714f08dbf722f9f98f3b0bb307619a8ba47f96b24301c68b0fd1086d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4387.tmp\ipconfig.all.txt
Filesize
2KB

MD5
78ad588eb38bdb3f759e52cd57adbcc0

SHA1
5a061156954123ac4f4f573005c33aa93067aaa0

SHA256
118f8f80154802def9e0f315f952504dcc3868418542f3ecacd9ffc63839150f

SHA512
11b3b9a2257fb37dc7e13920915c32d44fc516e482554b05d852cd496befbed05cf1cb7b39722351dfaa305fcea593a39340721a488bd8bab7379c5a935cbcf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4387.tmp\route.print.txt
Filesize
4KB

MD5
28e997408199971da8ff2a4e2bed3d95

SHA1
cbf9392e4e5aa405ba0163bf057bcbc33b54c5f1

SHA256
a17112ab96b8dfca834d6e4aa08fb9914251dc7a883388f8660ef221272fb55a

SHA512
4e0c9e5ce7c6427eb4962ed55104dfb5f51a54b9760ba7abc5af941847e141bc4a9c0d1c317358b4fdb7d6023411cd88552e313300bd2efeea3aada2da790d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4387.tmp\setup.inf
Filesize
978B

MD5
d8306043b9c8fe5876859a6075d6069b

SHA1
70a0677ce6db9c58d32229f1dcc590cf7c51c235

SHA256
45af08b3d4fba17ad3f9ff01985feeccdc5b2fda1f7d5eba98be6812c7b9ec04

SHA512
10e36475c708689c0cd3c0a9cfa549dadd765831527bb490cbb843e166d4adf86c83d53e47e255a7e850cc863953fd961bfd37f88ac3a1f12e7f262b775d427d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4387.tmp\setup.rpt
Filesize
283B

MD5
291f775f3fad5471ce7e361511819089

SHA1
f487ac743f9f64b7c1c0e1d01159b64b73a22911

SHA256
60362c9b8e641c68ba2a41e41e1258c8911816b48f6b4697ed1c9f469cdc086e

SHA512
28bb985adcb9d36e911b17df9bbdc03911dd7f9509ffc08f5ed8b2fed5ef00493fc1bdc288524c05b4fe086ed9565c463edaa162997a96f50d1bae85eeafd7ed

Download Submit
C:\Windows\TEMP\SDIAG_a6f59ca4-7157-460c-b467-95fc6b4f3939\NetworkDiagnosticsResolve.ps1
Filesize
11KB

MD5
d213491a2d74b38a9535d616b9161217

SHA1
bde94742d1e769638e2de84dfb099f797adcc217

SHA256
4662c3c94e0340a243c2a39ca8a88fd9f65c74fb197644a11d4ffcae6b191211

SHA512
5fd8b91b27935711495934e5d7ca14f9dd72bc40a38072595879ef334a47f99e0608087ddc62668c6f783938d9f22a3688c5cdef3a9ad6c3575f3cfa5a3b0104

Download Submit
C:\Windows\TEMP\SDIAG_a6f59ca4-7157-460c-b467-95fc6b4f3939\NetworkDiagnosticsTroubleshoot.ps1
Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_a6f59ca4-7157-460c-b467-95fc6b4f3939\NetworkDiagnosticsVerify.ps1
Filesize
10KB

MD5
9b222d8ec4b20860f10ebf303035b984

SHA1
b30eea35c2516afcab2c49ef6531af94efaf7e1a

SHA256
a32e13da40ac4b9e1dac7dd28bc1d25e2f2136b61ff93be943018b20796f15bc

SHA512
8331337ccb6e3137b01aeec03e6921fd3b9e56c44fa1b17545ae5c7bfcdd39fcd8a90192884b3a82f56659009e24b63ce7f500e8766fd01e8d4e60a52de0fe67

Download Submit
C:\Windows\TEMP\SDIAG_a6f59ca4-7157-460c-b467-95fc6b4f3939\StartDPSService.ps1
Filesize
567B

MD5
a660422059d953c6d681b53a6977100e

SHA1
0c95dd05514d062354c0eecc9ae8d437123305bb

SHA256
d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

SHA512
26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

Download Submit
C:\Windows\TEMP\SDIAG_a6f59ca4-7157-460c-b467-95fc6b4f3939\UtilityFunctions.ps1
Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_a6f59ca4-7157-460c-b467-95fc6b4f3939\UtilitySetConstants.ps1
Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_a6f59ca4-7157-460c-b467-95fc6b4f3939\en-US\LocalizationData.psd1
Filesize
5KB

MD5
380768979618b7097b0476179ec494ed

SHA1
af2a03a17c546e4eeb896b230e4f2a52720545ab

SHA256
0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

SHA512
b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

Download Submit
C:\Windows\Temp\SDIAG_a6f59ca4-7157-460c-b467-95fc6b4f3939\DiagPackage.dll
Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_a6f59ca4-7157-460c-b467-95fc6b4f3939\en-US\DiagPackage.dll.mui
Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
\??\pipe\LOCAL\crashpad_5044_XAGGTDDEFYLBRLBQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1760-527-0x000001F6A1A50000-0x000001F6A1A51000-memory.dmp

Filesize
4KB

Download
memory/1760-519-0x000001F6A0F60000-0x000001F6A0F70000-memory.dmp

Filesize
64KB

Download
memory/1760-523-0x000001F6A0FA0000-0x000001F6A0FB0000-memory.dmp

Filesize
64KB

Download
memory/2576-513-0x000001DFFE080000-0x000001DFFE0A2000-memory.dmp

Filesize
136KB

Download