hxxps://houseofgoodtones[.]org/richardmilliestpe/Aunteficator_em_BHdAOse8_installer_Win7-Win11_x86_x64[.]msi

Resubmissions

12-08-2024 15:01

240812-sd558s1apb 10

11-08-2024 12:42

240811-pxewlstgrh 10

11-08-2024 03:59

240811-ekb9vayanf 6

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-08-2024 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://houseofgoodtones.org/richardmilliestpe/Aunteficator_em_BHdAOse8_installer_Win7-Win11_x86_x64.msi

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 663611.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	Process
1924	msedge.exe
1924	msedge.exe
3324	msedge.exe
3324	msedge.exe
1884	identity_helper.exe
1884	identity_helper.exe
5640	msedge.exe
5640	msedge.exe
5640	msedge.exe
5640	msedge.exe
3660	msedge.exe
3660	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid	Process
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	Process
Token: SeShutdownPrivilege	816	msiexec.exe
Token: SeIncreaseQuotaPrivilege	816	msiexec.exe
Token: SeSecurityPrivilege	4268	msiexec.exe
Token: SeCreateTokenPrivilege	816	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	816	msiexec.exe
Token: SeLockMemoryPrivilege	816	msiexec.exe
Token: SeIncreaseQuotaPrivilege	816	msiexec.exe
Token: SeMachineAccountPrivilege	816	msiexec.exe
Token: SeTcbPrivilege	816	msiexec.exe
Token: SeSecurityPrivilege	816	msiexec.exe
Token: SeTakeOwnershipPrivilege	816	msiexec.exe
Token: SeLoadDriverPrivilege	816	msiexec.exe
Token: SeSystemProfilePrivilege	816	msiexec.exe
Token: SeSystemtimePrivilege	816	msiexec.exe
Token: SeProfSingleProcessPrivilege	816	msiexec.exe
Token: SeIncBasePriorityPrivilege	816	msiexec.exe
Token: SeCreatePagefilePrivilege	816	msiexec.exe
Token: SeCreatePermanentPrivilege	816	msiexec.exe
Token: SeBackupPrivilege	816	msiexec.exe
Token: SeRestorePrivilege	816	msiexec.exe
Token: SeShutdownPrivilege	816	msiexec.exe
Token: SeDebugPrivilege	816	msiexec.exe
Token: SeAuditPrivilege	816	msiexec.exe
Token: SeSystemEnvironmentPrivilege	816	msiexec.exe
Token: SeChangeNotifyPrivilege	816	msiexec.exe
Token: SeRemoteShutdownPrivilege	816	msiexec.exe
Token: SeUndockPrivilege	816	msiexec.exe
Token: SeSyncAgentPrivilege	816	msiexec.exe
Token: SeEnableDelegationPrivilege	816	msiexec.exe
Token: SeManageVolumePrivilege	816	msiexec.exe
Token: SeImpersonatePrivilege	816	msiexec.exe
Token: SeCreateGlobalPrivilege	816	msiexec.exe
Token: SeBackupPrivilege	5948	vssvc.exe
Token: SeRestorePrivilege	5948	vssvc.exe
Token: SeAuditPrivilege	5948	vssvc.exe
Token: SeBackupPrivilege	4268	msiexec.exe
Token: SeRestorePrivilege	4268	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	Process
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe
3324	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 3324 wrote to memory of 3864	3324	msedge.exe	84
PID 3324 wrote to memory of 3864	3324	msedge.exe	84
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1124	3324	msedge.exe	86
PID 3324 wrote to memory of 1924	3324	msedge.exe	87
PID 3324 wrote to memory of 1924	3324	msedge.exe	87
PID 3324 wrote to memory of 2844	3324	msedge.exe	88
PID 3324 wrote to memory of 2844	3324	msedge.exe	88
PID 3324 wrote to memory of 2844	3324	msedge.exe	88
PID 3324 wrote to memory of 2844	3324	msedge.exe	88
PID 3324 wrote to memory of 2844	3324	msedge.exe	88
PID 3324 wrote to memory of 2844	3324	msedge.exe	88
PID 3324 wrote to memory of 2844	3324	msedge.exe	88
PID 3324 wrote to memory of 2844	3324	msedge.exe	88
PID 3324 wrote to memory of 2844	3324	msedge.exe	88
PID 3324 wrote to memory of 2844	3324	msedge.exe	88
PID 3324 wrote to memory of 2844	3324	msedge.exe	88
PID 3324 wrote to memory of 2844	3324	msedge.exe	88
PID 3324 wrote to memory of 2844	3324	msedge.exe	88
PID 3324 wrote to memory of 2844	3324	msedge.exe	88
PID 3324 wrote to memory of 2844	3324	msedge.exe	88
PID 3324 wrote to memory of 2844	3324	msedge.exe	88
PID 3324 wrote to memory of 2844	3324	msedge.exe	88
PID 3324 wrote to memory of 2844	3324	msedge.exe	88
PID 3324 wrote to memory of 2844	3324	msedge.exe	88
PID 3324 wrote to memory of 2844	3324	msedge.exe	88

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://houseofgoodtones.org/richardmilliestpe/Aunteficator_em_BHdAOse8_installer_Win7-Win11_x86_x64.msi
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff807f246f8,0x7ff807f24708,0x7ff807f24718
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,6512490159773292705,3677663783680988536,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,6512490159773292705,3677663783680988536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,6512490159773292705,3677663783680988536,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6512490159773292705,3677663783680988536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6512490159773292705,3677663783680988536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6512490159773292705,3677663783680988536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6512490159773292705,3677663783680988536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,6512490159773292705,3677663783680988536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,6512490159773292705,3677663783680988536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,6512490159773292705,3677663783680988536,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6512490159773292705,3677663783680988536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6512490159773292705,3677663783680988536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6512490159773292705,3677663783680988536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,6512490159773292705,3677663783680988536,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6816 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,6512490159773292705,3677663783680988536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6020

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\Aunteficator_em_BHdAOse8_installer_Win7-Win11_x86_x64.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013

Filesize
765B

MD5
fff2cc217cec93b9b4e91ea34e23efaa

SHA1
c6a7f0e18796e1c6b789ec9fb7e98fbc639bc1df

SHA256
9bd2f914e637e30ba764c0af86102be829546122e443b30588e5e9723a15873b

SHA512
f426e383b51806458533ddd15e4aec6cddde1acf497b8a84542818c4dffa3b5c21093a075a79a8e46ce5ddf6d16be9ed66c339724c63f76c6be7bd048cef5a3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3AA0DCD5A74331FBD6F344550EC48B87_D7025277F003EE88ED342C67F3525784

Filesize
637B

MD5
f29448db915ce12024c00f8db2735a37

SHA1
8c42cc59bf9684c8913d77b6481d6f9a35291fe2

SHA256
1220fbb03d07705373e10fff29e767a41a523ff3bbd1280f1e6c313421bd6930

SHA512
932aa9847dc8630259827605dbf4cca4a778fda7ae164b814d6d552086812395441389179094c01c0225477aafdf9f3e2daa235e5884cf6eba01d32ee54b6b01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
1KB

MD5
8991f83c49d2736793a0c917c3d8ae4d

SHA1
71752a06511633fcb9d2df14b507e555e4d1b17a

SHA256
a94ee10e4836486a24b1020e70055b440e46b52913a6e9cd66d0cae467276990

SHA512
6fedbb05506b87ca954be1e413a1ca2824ae3b060242e89a1002a06d6549838f2d9e09768a878211a1929ef9cd260415bb061a8a28d16ee6e647780fc7e8b3cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013

Filesize
484B

MD5
f8482405e2322cc767f3a4ef8aa92e56

SHA1
0e7b7f5a5a062936ecb5680ac1f45a67d9212268

SHA256
78b1a5c27ef85d36b058d9c207936cf98024cbab6ad30c93e3db3ad91c22f7d2

SHA512
69061899ee97e7809a11ca72206a663fd1b0ea754b4d1d0533d441fe6df4be20324584f6d5bdeeeaf7a5440ed9e7af018a9a6ee2593d312ce7439b0745b9880b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3AA0DCD5A74331FBD6F344550EC48B87_D7025277F003EE88ED342C67F3525784

Filesize
480B

MD5
de54c7fbfaa06e9d80cdae3725373cbf

SHA1
2ab0d493d19215e310f65ce7d169c075053edc31

SHA256
8e0fca5473777ff092b632e28115031a24696f0b0c9995501ddc2301cd173423

SHA512
0640dfff138228cb6ee3830a44308df0c2424525f872ccba9ba3f51b9abb6e9108d15bdd375ccd9400863df01141ca32338569586507eaced0535c2681fe500c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
482B

MD5
314e9ce9f73462ae1edf1e6e34afef4c

SHA1
aaa51a16a7fd597ac2f7396ec3597ae8b57cbdcf

SHA256
4edb16da4e823bde53be946880e87620ffc840427bd2ef124443d00d7c16e1f2

SHA512
4dc77b940ca020a8b84f0033c3e6c9892eb39531a197d230c2f1348e179368c80d2fd862601f6c12d4a886036a413ef3dfb752ba1bfbc0ccd1cabdcd7cec91eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
274920e8b7cab36b66f3e178f5418e29

SHA1
64e149e0b8bca1c5ccf3398c4dba801c7d765a97

SHA256
30112d1e41c9ca55edf0cb77d785886d162b5cfff6b5e418b48396aae7f8e4db

SHA512
eb1f76893293dc0af1918886ee3162a240ee5bdd21651ae3b7a94102194a773a223ca93c7e5bb751b02d78f437c2e7af2504d601d94f71d63edbf3424bde431a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a6b28e984b5c903e2a99febc802019fe

SHA1
4dc2d36d8191257d738586b8dcbf065432c6d558

SHA256
869a6982f9a6f7852394690ca59541e387dc2dc0188f45e4c094785fe8fda688

SHA512
7d897f037f92973ef98e660b6cb81fa69b203a66f83303c61a36aad633a455d8423195f3c5818aff3cf35fe98332900a5c3217dbe2e080bb7bbc5535c0ba4d69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
be580d6d416687581d0e6f54600de2d9

SHA1
99e3310e6a9402a6f612faca3068ca9f926736af

SHA256
e5ef076287f050ed9a23a826de06b2d63853496772ea0a12e5294ff60359b2da

SHA512
aa250fb33fc33364c82ec58b177898bea973260b6cbeff29cf3d482aa643f10c6c5cbba3d3f0d9e7af1706dd7fcfa7aa54a0cdc8f78b75c2839b6a095401ac5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
566fa0e07ac11a18e5b4923dc60f21de

SHA1
018b7ca25326217b296af37e0f6310a9cf1c4ce0

SHA256
272b81fbf6fa5a8d03b7bcb45cb043325a84c70c2f107558c25a64d2346a5fdd

SHA512
0b09483f0083408356c2d8393f32708c9a929a1ddad2a1bdf55ab55d6939431406353acdf479f567a33b59a2cf60ca527b70b51894bb23f13302eaaab56c851e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4422019e6e841c529ce66aab30ed079b

SHA1
ba4541da0e31e3633543314ebed194fc34d406f6

SHA256
33c982620f10991245c16b4204078edb4f7a41328912d61610a4f895764d7ff0

SHA512
d92c26714aadcf326ece7fdf6c8254892caa09e1681d254a8086c585f72f10ccb2277e4321035b31dd9aa16d9c951196d08d43cc0be0eb0d7b61e3a5e7dc324d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
20a35402ff37eb9c48ab9b7766f7c169

SHA1
48ba3690b606f4bb06740cc4474d1a1fc40ada89

SHA256
fa0a6a207c92ec704504b8ecdf855dd375502fe87b3a804555ab5874f83bea25

SHA512
cf2f788bc3f4a1a147dbb2f1b1cf3d8c416053c32565430046d4ca6aaa7285b0c43ec9607674459d62e8f33bb3afa201bfb6b6f9e2fd8990628972e3edb06a23

Download Submit
\??\pipe\LOCAL\crashpad_3324_AJGQXJXTFWFAXRQC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit