647f9880a88f2117cdc3c2de87d9666444419d8d500ff27b0a2361f82c42faad

Analysis

max time kernel
148s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21-08-2024 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TrianityRelease/TrianityRelease.exe
Size

18KB
MD5

c48f4c9c7241554599b65b20f2b09861
SHA1

7a8c04746b82c3af21e280bb708970e2d41a31e9
SHA256

9a64be465aec45989cd84d8950737ef24eb356e7639f1d9ad2627552ddcfaad6
SHA512

b7ce13d5e5f43eae2dda7b3bb4daa76d8c0dcdf3f8430f45f8ce6c9875c19079ef0d1b510965b4b800d2641a0ccbf2eed571a978b40a3236887baf57f39bfa79
SSDEEP

384:5sSJTl6fXeetEH2eg9Exwd5lps41+qBpELBZSdB7EmbaXTEO/8z11VN2kvwKwq6C:uPEWeg93lpaLBeBwXn851b9F

Score

6^/10

discovery

Malware Config

Signatures

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

TrianityRelease.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TrianityRelease.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

msedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exe

pid process

3132 msedgewebview2.exe
2220 msedgewebview2.exe
4928 msedgewebview2.exe
3844 msedgewebview2.exe
4908 msedgewebview2.exe
2604 msedgewebview2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TrianityRelease.exe

pid	process
3132	msedgewebview2.exe
2220	msedgewebview2.exe
4928	msedgewebview2.exe
3844	msedgewebview2.exe
4908	msedgewebview2.exe
2604	msedgewebview2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedgewebview2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedgewebview2.exemsedgewebview2.exemsedgewebview2.exe

pid	process
244	msedgewebview2.exe
244	msedgewebview2.exe
4908	msedgewebview2.exe
4908	msedgewebview2.exe
3132	msedgewebview2.exe
3132	msedgewebview2.exe
3132	msedgewebview2.exe
3132	msedgewebview2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

Processes:

msedgewebview2.exe

pid process

1124 msedgewebview2.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

TrianityRelease.exe

description pid process

Token: SeDebugPrivilege 3668 TrianityRelease.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msedgewebview2.exe

pid process

1124 msedgewebview2.exe

pid	process
1124	msedgewebview2.exe

description	pid	process
Token: SeDebugPrivilege	3668	TrianityRelease.exe

pid	process
1124	msedgewebview2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TrianityRelease.exemsedgewebview2.exe

description	pid	process	target process
PID 3668 wrote to memory of 1124	3668	TrianityRelease.exe	msedgewebview2.exe
PID 3668 wrote to memory of 1124	3668	TrianityRelease.exe	msedgewebview2.exe
PID 1124 wrote to memory of 1540	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 1540	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 2220	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 244	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 244	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 4928	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 4928	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 4928	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 4928	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 4928	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 4928	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 4928	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 4928	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 4928	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 4928	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 4928	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 4928	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 4928	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 4928	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 4928	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 4928	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 4928	1124	msedgewebview2.exe	msedgewebview2.exe
PID 1124 wrote to memory of 4928	1124	msedgewebview2.exe	msedgewebview2.exe

C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe
"C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3668

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=TrianityRelease.exe --webview-exe-version=1.0.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe.WebView2\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=0 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=3668.3052.6355418454912594873
2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1124

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe.WebView2\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe.WebView2\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe.WebView2\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x1b4,0x7ffab1fd3cb8,0x7ffab1fd3cc8,0x7ffab1fd3cd8
3⤵
PID:1540

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1860,7784042714693908750,12398103475084495167,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe.WebView2\EBWebView" --webview-exe-name=TrianityRelease.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:2
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2220

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,7784042714693908750,12398103475084495167,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe.WebView2\EBWebView" --webview-exe-name=TrianityRelease.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=2064 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:244

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,7784042714693908750,12398103475084495167,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe.WebView2\EBWebView" --webview-exe-name=TrianityRelease.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=2484 /prefetch:8
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:4928

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1860,7784042714693908750,12398103475084495167,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe.WebView2\EBWebView" --webview-exe-name=TrianityRelease.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:1
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:3844

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,7784042714693908750,12398103475084495167,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe.WebView2\EBWebView" --webview-exe-name=TrianityRelease.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=3896 /prefetch:8
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4908

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1860,7784042714693908750,12398103475084495167,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe.WebView2\EBWebView" --webview-exe-name=TrianityRelease.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=4568 /prefetch:8
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2604

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1860,7784042714693908750,12398103475084495167,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe.WebView2\EBWebView" --webview-exe-name=TrianityRelease.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5004 /prefetch:2
3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe.WebView2\EBWebView\Crashpad\settings.dat
Filesize
152B

MD5
ae342f1ec869f5a7107f55105a8bb484

SHA1
0c045afda3819c6061f2e8255ec0b7cf64a20878

SHA256
d2156f18cbafa8aae7a45bce4ad6870a73e5494db7292d911701531aad6790d7

SHA512
88dfaec0f71e85d83551e15d77417730bffe78c04da9995e1c5b7dddc2ec21df1d330785c863471ca32ed9479fbbb5ae4133b5dbd5e031cf2cd629cd887b0ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe.WebView2\EBWebView\Crashpad\settings.dat
Filesize
152B

MD5
81926079d25dd902e134496c231ee9d8

SHA1
986a5e830c170ff9793dc77ba0bd1be63573a359

SHA256
5c8347ec129b0a2b475f8c7e429dcf2ded3ac4ca3e36f94c64cbfbfdf0a07a26

SHA512
26150e0153e7c558e064074b33a9bc371230cd02e53143bd8b5d4b5530447d63ffa7343eab5b153ae1b4c4582ce699ccb25016eccc32c2d56a10f943d3915196

Download Submit
C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe.WebView2\EBWebView\Default\Network Persistent State
Filesize
299B

MD5
df924324dee156cd9054d5f8b100dadf

SHA1
fd893b2b44987f4603aebf1036020797a16406a0

SHA256
217d36d69b7b2cc169eaf8c179568682a552b2687434aa9bcd4a5ffd908de003

SHA512
e7304eaf69b87b92bca5bd04a4c02944949403b05c3986fed09cad46381c8874562676d79b292869889982e3b929cc3981a04a41f53327cc03f3622662701baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe.WebView2\EBWebView\Default\Network Persistent State~RFe58c5ac.TMP
Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe.WebView2\EBWebView\Default\Preferences
Filesize
9KB

MD5
c5a05543f75f80f4f16618cb5d458990

SHA1
da391f7056d3599d851482756e06b315dbccfb2b

SHA256
8442f6dd76592eaa1aec8d2435e2c0752d777d16783e83bb22a1c1cdec63527e

SHA512
44c9069bc4f7415c74663ac0fe765714d3d9e5a538f11b2c8b4800a2dc97dcf4e7164a1be0121d65366698108408d3be7353d8726c82b15e40e6d71dd1b23c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe.WebView2\EBWebView\Default\Secure Preferences
Filesize
6KB

MD5
eba9f454d1761a6883703cd6003f9542

SHA1
601a35d7563db9bfc7707c797def2c691af64220

SHA256
745a09ad9a79a1aab4ab598bbe88bda54c3861574bb2ac036eca017992967172

SHA512
343fa4fd975496e1bb9ac3bf98ab30f2209a4028180d5cd1e1281f5cd4e7d1a17e10fc90ec0cfa43b7692d029bd1754c55d2c2a2a1fa3e3b690032aebdd5f8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe.WebView2\EBWebView\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe.WebView2\EBWebView\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe.WebView2\EBWebView\Local State
Filesize
24KB

MD5
f44ac540f38d338def97182cf8b33153

SHA1
c44caf2a84a83078d4da2bfc97c65ca597e54afe

SHA256
67dfc2762f1aecd52847fc58fbf7305ab0c7f49bfb80e79e6d843c6504b3e603

SHA512
29a65eba60faf6040d69c2a9155eaa942c2aefe740a4233727f8b10d146a4ce5fc09c9a9ac5ba0539c8a3e40338a4696a6316f11c869987c3fea6a742e025785

Download Submit
C:\Users\Admin\AppData\Local\Temp\TrianityRelease\TrianityRelease.exe.WebView2\EBWebView\Local State
Filesize
24KB

MD5
cb0bc9abf4d8c16813b54c1cf4d20822

SHA1
2f4ab81fa15ad7f835c3b8da5cc0d0a1ef4ba63b

SHA256
8f04b36e30b53d98ae1a15d4591c38b1193ba8e7922cfc0882d32fd1e437a45f

SHA512
3650c8a0ed444263b517edb96695442c3947ad2dfb82d10bd4923ea2c13f6889cd15c2faf83b41b273721a935d627f55ea9dadc649ee9fc93baef9a98e8bdc32

Download Submit
\??\pipe\LOCAL\crashpad_1124_OEPXGZOWAAVEDULU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2220-30-0x00007FFABF980000-0x00007FFABF981000-memory.dmp

Filesize
4KB

Download
memory/3668-6-0x0000000074B30000-0x00000000752E1000-memory.dmp

Filesize
7.7MB

Download
memory/3668-7-0x00000000052D0000-0x00000000052DA000-memory.dmp

Filesize
40KB

Download
memory/3668-11-0x0000000074B30000-0x00000000752E1000-memory.dmp

Filesize
7.7MB

Download
memory/3668-8-0x00000000052F0000-0x00000000052FE000-memory.dmp

Filesize
56KB

Download
memory/3668-85-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/3668-86-0x0000000074B30000-0x00000000752E1000-memory.dmp

Filesize
7.7MB

Download
memory/3668-9-0x0000000005C30000-0x0000000005CC0000-memory.dmp

Filesize
576KB

Download
memory/3668-14-0x0000000074B30000-0x00000000752E1000-memory.dmp

Filesize
7.7MB

Download
memory/3668-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/3668-5-0x0000000074B30000-0x00000000752E1000-memory.dmp

Filesize
7.7MB

Download
memory/3668-4-0x0000000004DB0000-0x0000000004DD4000-memory.dmp

Filesize
144KB

Download
memory/3668-3-0x0000000004E20000-0x0000000004EB2000-memory.dmp

Filesize
584KB

Download
memory/3668-2-0x0000000005330000-0x00000000058D6000-memory.dmp

Filesize
5.6MB

Download
memory/3668-1-0x0000000000340000-0x000000000034A000-memory.dmp

Filesize
40KB

Download