345dcbd65c098bfb7011ee6b54563bc540f1749b1fcfbf9a7b759299be04d12a

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2024 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
Size

140KB
MD5

e70f2cd3ecc01f5978be67c96c3a994e
SHA1

2f1e6ddaf066f6d9f9100041dd4a7bf2a16d02fe
SHA256

e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98
SHA512

4571f82fa212d11d971b547807781ba9f50261d9c88ec3736f6805ecacaf54b138681c2692e4c9f6b5d5d92f26ebcbc41aa7cc0acaef0f79299cf2a2033be92e
SSDEEP

1536:MEsyxfSBqE63VIf33YaV9r6C8b5f7rLk8YhJ/gnhSqHX4ixExm:MEsm6B56Of3RV9+C8b5vhSqHX4ixE

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\gm.dls	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\drivers\gmreadme.txt	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\drivers\afunix.sys	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe

Manipulates Digital Signatures 1 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\wintrust.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\WSDApi.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\kbdnec.DLL	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\SysWOW64\msvcr110.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\msvcrt.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\PhonePlatformAbstraction.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\SCardDlg.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\iprtprio.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\KBDGR.DLL	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\neth.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\OpenWith.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\wiadefui.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\MsCtfMonitor.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\rshx32.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\spinf.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\vaultcli.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\boot.sdi	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc100enu.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\DxpTaskSync.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\InputSwitch.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\KBDSG.DLL	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\msvcr120_clr0400.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\WebcamUi.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\mlang.dat	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\msident.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\RdpSaPs.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\cewmdm.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\joinutil.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\kbdnecnt.DLL	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\mfAACEnc.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc100cht.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\taskschd.msc	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\txfw32.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\dfscli.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\EtwRundown.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\mswsock.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\pcbp.rs	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\wmp.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\actxprxy.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\cliconfg.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\kerberos.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\MSVP9DEC.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\mfc42.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\srms-apr.dat	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\Windows.Devices.SmartCards.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\KBDCHER.DLL	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\MSAMRNBSink.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\OneDrive.ico	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\asferror.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\AuthBroker.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\desk.cpl	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\encapi.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\iac25_32.ax	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\Windows.Graphics.Printing.3D.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\WinRTNetMUAHostServer.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\MSVideoDSP.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\Windows.Graphics.Printing.Workflow.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\clbcatq.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\FamilySafetyExt.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\IconCodecService.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\KBDSW.DLL	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\msjter40.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\DeviceFlows.DataModel.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\dmdskmgr.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\SysWOW64\msiltcfg.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\win.ini	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\write.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\PFRO.log	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\splwow64.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\SysmonDrv.sys	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\system.ini	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\twain_32.dll	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\winhlp32.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\WMSysPr9.prx	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\mib.bin	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\sysmon.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\hh.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\setupact.log	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\HelpPane.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\lsasetup.log	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\notepad.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\Professional.xml	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File opened for modification	C:\WINDOWS\setuperr.log	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\bfsvc.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
File created	C:\WINDOWS\explorer.exe	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1352	msedge.exe
1352	msedge.exe
2224	msedge.exe
2224	msedge.exe
644	identity_helper.exe
644	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe
2224	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 2224	4888	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe	96
PID 4888 wrote to memory of 2224	4888	e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe	96
PID 2224 wrote to memory of 2424	2224	msedge.exe	97
PID 2224 wrote to memory of 2424	2224	msedge.exe	97
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1628	2224	msedge.exe	98
PID 2224 wrote to memory of 1352	2224	msedge.exe	99
PID 2224 wrote to memory of 1352	2224	msedge.exe	99
PID 2224 wrote to memory of 4332	2224	msedge.exe	100
PID 2224 wrote to memory of 4332	2224	msedge.exe	100
PID 2224 wrote to memory of 4332	2224	msedge.exe	100
PID 2224 wrote to memory of 4332	2224	msedge.exe	100
PID 2224 wrote to memory of 4332	2224	msedge.exe	100
PID 2224 wrote to memory of 4332	2224	msedge.exe	100
PID 2224 wrote to memory of 4332	2224	msedge.exe	100
PID 2224 wrote to memory of 4332	2224	msedge.exe	100
PID 2224 wrote to memory of 4332	2224	msedge.exe	100
PID 2224 wrote to memory of 4332	2224	msedge.exe	100
PID 2224 wrote to memory of 4332	2224	msedge.exe	100
PID 2224 wrote to memory of 4332	2224	msedge.exe	100
PID 2224 wrote to memory of 4332	2224	msedge.exe	100
PID 2224 wrote to memory of 4332	2224	msedge.exe	100
PID 2224 wrote to memory of 4332	2224	msedge.exe	100
PID 2224 wrote to memory of 4332	2224	msedge.exe	100
PID 2224 wrote to memory of 4332	2224	msedge.exe	100
PID 2224 wrote to memory of 4332	2224	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe
"C:\Users\Admin\AppData\Local\Temp\e7d16c400ee858a5ba28e94e59da041dbd8ef9efaf6f77ec11fa262876556c98.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.freeav.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6c5746f8,0x7ffa6c574708,0x7ffa6c574718
    3⤵
    PID:2424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,8268205229459373109,4628217750306126396,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
    3⤵
    PID:1628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,8268205229459373109,4628217750306126396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,8268205229459373109,4628217750306126396,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
    3⤵
    PID:4332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8268205229459373109,4628217750306126396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    3⤵
    PID:3908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8268205229459373109,4628217750306126396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    3⤵
    PID:3320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8268205229459373109,4628217750306126396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
    3⤵
    PID:408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2120,8268205229459373109,4628217750306126396,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4772 /prefetch:8
    3⤵
    PID:4512
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,8268205229459373109,4628217750306126396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
    3⤵
    PID:3804
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,8268205229459373109,4628217750306126396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8268205229459373109,4628217750306126396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
    3⤵
    PID:3504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8268205229459373109,4628217750306126396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
    3⤵
    PID:1704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8268205229459373109,4628217750306126396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
    3⤵
    PID:3604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8268205229459373109,4628217750306126396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
    3⤵
    PID:452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8268205229459373109,4628217750306126396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
    3⤵
    PID:1280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8268205229459373109,4628217750306126396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
    3⤵
    PID:932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8268205229459373109,4628217750306126396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
    3⤵
    PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.antispyware.com/
  2⤵
  PID:2324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6c5746f8,0x7ffa6c574708,0x7ffa6c574718
    3⤵
    PID:1692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4528

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x3a8
1⤵
PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
5cb151bf49d1ef10aebfc4767849f87a

SHA1
cf8e4d4f04ccd15e180fbefdf51c351724cc7c6b

SHA256
884847c05b88fd3620ec690fb5c33f3d8d4a883ea25e380da80db8a077c6a765

SHA512
d402345d2663a41e4a1d4ccc9d4079664d120c64115bef7a9e3ed9da96706105218afb9c6ebbacf08a5ff2124290d9df885585d01159a89873dcbb397244d380

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
64542f4e0fc7c023a6c4034032cd7eca

SHA1
59f04a8b340d47f35e80121ffd98a177bb5345b9

SHA256
61fe4822f46cc5f1932f7727656958e5f44c131dcc2f0f142c387d9bf52100b4

SHA512
1017a56efee8ad82cb87215a0509b8f4c0e4b57a188a291d0249428f368d6068c7bfa2868f5e9655252ab91bb71c53473883bbdd393dffb3395999c1969ea912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
0b2946d53027996976048f786d562999

SHA1
6858f6fc81a21fe9128605516eb1efe3b529baa3

SHA256
cc5ab6b8f353c0639e5158bbbc0fd38bf9cecf480689ce8a784c61618807725e

SHA512
19b5f301ddb44b3c4b5efd18d7a16cb3e69f434650c9e5b84dcd63129c944e095f7955591b108e8d60b2a896d383396276d36b253701c20e85e249ef15772ff0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7b92fec0af8bdd5868e16bb69b238ff4

SHA1
4629f48991f80b52b6e73fb222d617962b38fa0f

SHA256
a5e6b2462be676af9b9f102b47332fdb9fb1adcee5a81b7e7669f981c71de4f4

SHA512
9522aa7e7778632e8401e8171db07ef46c507f5cb6437c587555482dde037947e77e795c5a245a536e8c05b768092fb53697962b046ee1024d5b04a63ed41a26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fa4205dd1fa8905c2e1623a94901ec84

SHA1
8951f44fb4788b9d666518a4a2908585343b3231

SHA256
947d41303a6cb1c5dc04eaee36692c8a293460c2be4830e222cfba2ad8ba0a63

SHA512
53121a7d587093280500c9f165d2b0bba1b79c6bf6a14d1fec8c48a4c98893277bc9adf39f3049b990da157513353a9a8e501e175096f455c9cec3588cf9e1c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
abcb1155413281c31401c96d8b5b6a2e

SHA1
afc8e7b317d438e3842cd27010ee68e3eae718df

SHA256
a4603a3e08311e114eccba91b50ae4b87a34dcca850a4439b0e80f51466273f0

SHA512
f4effa64f6f38f047c9a91840be2ab41918a93c73cff55a8861db240c1f4feabb9a6e00366e300eef0c034616b3260a9cc4c61fc56e3ddb7848f78f4df6b2004

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2b67f6dbba6c369e04b8a86a99bf7761

SHA1
d289ae3e57c89af8ab853f1733a7a3c82509ca7f

SHA256
c7bf48250c397229b20ae42cc478a67e6ab74d574f17f6d59c88fb491961b320

SHA512
281bfc38116eb13361c669b58e5749af2b451967011771085721595358b6c3c69391b819f890c2de69a1de81af6edc47004fc45cdb0a654bccfe37e341097d4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe597313.TMP

Filesize
1KB

MD5
08bd7c98c0a3c320f3ec91522c959c9c

SHA1
25993d0af1656a64d713421ccfe65cf8a68a291b

SHA256
97e12905687afc984b549e7cc443cd170347a2d23ee41469b5d92c992f0b3082

SHA512
3b24444028496a1ae2a4cc638866116ee6b4e8c7450b7f683ba71c165208f8ed8778ed295ca8dd0abb3a55a4dedc067f61d19a505de265e92db241e71d6345e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
796720444aebe1c972ca36a9d6f6007e

SHA1
cd4bb34e4f217786f4befcdae6c431c81b42a0d9

SHA256
884f0e7299afefa1d2d5101e838c70f334bf459ee25d9ad6597e9582dcb5e005

SHA512
6f34b88050ea92b91dd1772a66a85865fc49861001a3b7412ab011142d0b01fb08871101d70150eb25db968eb010a782ab28f40bf8da9ae000395261853da06b

Download Submit
C:\Windows\setupact.log

Filesize
29KB

MD5
41e83759f94ccb75d3c0c3c2dcf9e526

SHA1
e5aa3a8369020d7765c46df8b8f609e434e86475

SHA256
9f82553f7b54515709022480906bbdc3da0d84aa84cf8bb48da44c2a78d0a71b

SHA512
a17f7a13cd45bda233b794ac21816508d709d4a83181622192126e62f9167e1e0f73a19e0bd35aa2471b6cb239d4eb8366accd47a2274e1a8fb5b516fb31485b

Download Submit
C:\exc.exe

Filesize
112KB

MD5
60e1ad7401e6e5d136963abdc811275c

SHA1
fc4d578d727bc513ab22be831525ed4fca150d7e

SHA256
6bce773cbd5d65c8eadd1425aed5738bcc4e038ba69ccf7b9c4f7c09827c415a

SHA512
b4d94bdff4f0202878d9095f161e0fa763c29b7757e19d215fce62f075a1c50636b2db79ad5bbb05f37bfd1e89394a2927c85ae54be952382ed10d5f41dc8078

Download Submit
memory/4888-796-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4888-1224-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4888-108-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4888-306-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4888-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download