efb6cfdb6380457242770c0907bba1bf6006554b17f63d92eb25395bdfc47a3c

Analysis

max time kernel
155s
max time network
160s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04/10/2024, 15:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

script.ps1
Size

631B
MD5

c353867bcf270fc4006bad99c414f569
SHA1

f42825eb6e03c8c4399e45ab4e8034954120fee1
SHA256

efb6cfdb6380457242770c0907bba1bf6006554b17f63d92eb25395bdfc47a3c
SHA512

95ebff1ff1e2946028e4e96d61d1a548a595ff435c2c2218310f5f8cfd357896ba7bb581ca9fc690104f818a96a2feba593943a230b0352d739cbec83dce681b

Score

10^/10

defense_evasion discovery evasion execution trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
5016	MediaCreationTool_22H2.exe
2260	SetupHost.Exe

Loads dropped DLL 9 IoCs

pid	Process
2260	SetupHost.Exe
2260	SetupHost.Exe
2260	SetupHost.Exe
2260	SetupHost.Exe
2260	SetupHost.Exe
2260	SetupHost.Exe
2260	SetupHost.Exe
2260	SetupHost.Exe
2260	SetupHost.Exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\MoSetup\BlueBox.log	MediaCreationTool_22H2.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MediaCreationTool_22H2.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4128	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MediaCreationTool_22H2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetupHost.Exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 83098.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MediaCreationTool_22H2.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4128	powershell.exe
4128	powershell.exe
3288	msedge.exe
3288	msedge.exe
2924	msedge.exe
2924	msedge.exe
3140	identity_helper.exe
3140	identity_helper.exe
3032	msedge.exe
3032	msedge.exe
840	msedge.exe
840	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe
1192	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeBackupPrivilege	5016	MediaCreationTool_22H2.exe
Token: SeRestorePrivilege	5016	MediaCreationTool_22H2.exe
Token: SeBackupPrivilege	5016	MediaCreationTool_22H2.exe
Token: SeRestorePrivilege	5016	MediaCreationTool_22H2.exe
Token: SeBackupPrivilege	2260	SetupHost.Exe
Token: SeRestorePrivilege	2260	SetupHost.Exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe
3288	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5016	MediaCreationTool_22H2.exe
5016	MediaCreationTool_22H2.exe
2260	SetupHost.Exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 1268	3288	msedge.exe	82
PID 3288 wrote to memory of 1268	3288	msedge.exe	82
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2736	3288	msedge.exe	83
PID 3288 wrote to memory of 2924	3288	msedge.exe	84
PID 3288 wrote to memory of 2924	3288	msedge.exe	84
PID 3288 wrote to memory of 4804	3288	msedge.exe	85
PID 3288 wrote to memory of 4804	3288	msedge.exe	85
PID 3288 wrote to memory of 4804	3288	msedge.exe	85
PID 3288 wrote to memory of 4804	3288	msedge.exe	85
PID 3288 wrote to memory of 4804	3288	msedge.exe	85
PID 3288 wrote to memory of 4804	3288	msedge.exe	85
PID 3288 wrote to memory of 4804	3288	msedge.exe	85
PID 3288 wrote to memory of 4804	3288	msedge.exe	85
PID 3288 wrote to memory of 4804	3288	msedge.exe	85
PID 3288 wrote to memory of 4804	3288	msedge.exe	85
PID 3288 wrote to memory of 4804	3288	msedge.exe	85
PID 3288 wrote to memory of 4804	3288	msedge.exe	85
PID 3288 wrote to memory of 4804	3288	msedge.exe	85
PID 3288 wrote to memory of 4804	3288	msedge.exe	85
PID 3288 wrote to memory of 4804	3288	msedge.exe	85
PID 3288 wrote to memory of 4804	3288	msedge.exe	85
PID 3288 wrote to memory of 4804	3288	msedge.exe	85
PID 3288 wrote to memory of 4804	3288	msedge.exe	85
PID 3288 wrote to memory of 4804	3288	msedge.exe	85
PID 3288 wrote to memory of 4804	3288	msedge.exe	85

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
1⤵
- UAC bypass
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffaffcc3cb8,0x7ffaffcc3cc8,0x7ffaffcc3cd8
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,6111648626254846855,18158881042208485759,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,6111648626254846855,18158881042208485759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,6111648626254846855,18158881042208485759,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6111648626254846855,18158881042208485759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6111648626254846855,18158881042208485759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6111648626254846855,18158881042208485759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6111648626254846855,18158881042208485759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,6111648626254846855,18158881042208485759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,6111648626254846855,18158881042208485759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6111648626254846855,18158881042208485759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6111648626254846855,18158881042208485759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2012 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6111648626254846855,18158881042208485759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6111648626254846855,18158881042208485759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:72
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6111648626254846855,18158881042208485759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6111648626254846855,18158881042208485759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6111648626254846855,18158881042208485759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6111648626254846855,18158881042208485759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6111648626254846855,18158881042208485759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6111648626254846855,18158881042208485759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1912 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,6111648626254846855,18158881042208485759,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6196 /prefetch:8
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,6111648626254846855,18158881042208485759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6336 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:840
- C:\Users\Admin\Downloads\MediaCreationTool_22H2.exe
  "C:\Users\Admin\Downloads\MediaCreationTool_22H2.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5016
- - C:\$Windows.~WS\Sources\SetupHost.Exe
    "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,6111648626254846855,18158881042208485759,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3928 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3240

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll

Filesize
14.9MB

MD5
bdbd14f60fc78edca16a022c9801cf70

SHA1
e24ce3852cc9d42296c3fd550735069b86d7518a

SHA256
a2679d717db07f43d81f895e508520e01cd0262f1be5870333d12ce71fe02db4

SHA512
6d6aa6aa8108d49347b4d5b40c632e568d44805d6352b517363262a408f7e04cafb3a66d1cb121bf920df080c7119401c454f90ba9a47ffe593ce9cb11da78b8

Download Submit
C:\$Windows.~WS\Sources\SetupCore.dll

Filesize
2.1MB

MD5
55a4344e76136460be2c8547c38567b4

SHA1
83400b9a3bc4f1d935258a80b3e7636baaa618cb

SHA256
a9ac64ec515d04589dfc38b25d68d01f281bbb794d0df9ec4205fe473703aef5

SHA512
a8ad61caf69891ee31c48401ec87d3bb92db5e64c9fe878ee33e072fd6e5406db9a747485d1cf93f615072e6c565c36715700571dcd974c6eb7a76a7630d0f43

Download Submit
C:\$Windows.~WS\Sources\SetupHost.exe

Filesize
682KB

MD5
a5d94f9587f97e9c674447447721b77f

SHA1
1c130f95c82ab28a4a11a7ed41eb9ea9f613a339

SHA256
f33e7bce0ca712baac95557823096f929f78927e521c0448ed237f429141efd9

SHA512
e5e35480a489b0f63a2938a1c4ea19aca197a16020bb330662b62e98759fb5f7b6056416dc1d8894e433607c5b4fb3e7ae61f0d2fa3c7455dd000916ec3d5d62

Download Submit
C:\$Windows.~WS\Sources\SetupMgr.dll

Filesize
729KB

MD5
59d1a173f6b27a8a1cc367ca9ff6e560

SHA1
15b2c60011d97b99c4cd2eedb62ccab14d748df6

SHA256
45c2ee2387026a50f0c6b9c9119f39b6d2b6505312dbdf352399fd41e8deb78f

SHA512
a14d89fcf4964f7929936a16c0ef9d4896d14913b3e5bc050cd7044a1a0da50e58520de80a7966832f514365d031012d0e1829cd7b93d1b547812f8abbcf7557

Download Submit
C:\$Windows.~WS\Sources\SetupPlatform.dll

Filesize
6.9MB

MD5
0db2eb7b159d7289dfbdf3ca29d44704

SHA1
57a9aa7409a9040a701855bf610f68e5a9cfea24

SHA256
cbeec25c578f4e8eae81bb8829c3b7bc81648da6f63eeb4a606b9a66660d6d91

SHA512
8eada149f0c90df794d26efe8af2c90df1b8172b33ccc6639f3f1a18671aa34493a6d466b4bf2357075094bc13129e5001623b2388c39ed6fa4239b4e9ef6328

Download Submit
C:\$Windows.~WS\Sources\WDSCORE.dll

Filesize
196KB

MD5
07f3fac5518c90b22dfb9778ea280d0a

SHA1
6d20ff953a0c5aabc1970e80a5f96aedd830db9b

SHA256
65467bf1fbf10c2a399fe532b780f3604fda5b00db8319787cb6867bede4b90e

SHA512
f86447c3dd0ad11022b208ba04c7b62cddf57b1035f4b1e18aae3e6764b6dce53fbeaa68cb5ce3ab75ba08293474dc18e9a3f5ce6df43a01701abd9180e07ace

Download Submit
C:\$Windows.~WS\Sources\WinDlp.dll

Filesize
1.1MB

MD5
6f12ba2d5cb564f73d9813d105e5c1fe

SHA1
b634e34149f99f4336efc0c5de5e850c61be48e1

SHA256
26b66b81267dfda7a78890f20a4ed0d104db1cd350d2d9f649fdb496b6c11333

SHA512
4462f38b0a4eca1d09eb747853cc15c804e2e42e91812604a0aef25de06d5fa5a5a4d79731aeb462f61ed46d63dd904d0a943919aabd5adb771f94c63e6a175a

Download Submit
C:\$Windows.~WS\Sources\setupplatform.cfg

Filesize
10KB

MD5
033e7adc314c248cc29a9f14906c21e5

SHA1
6b31f8a23514b4e98217cd05be08e7967eca7048

SHA256
c40fddbb16853406d12d30e01e170de8474728bb8ec24794db721de0a7f67927

SHA512
46b46d548f5a2269e886a9f6873d97549eeb92c7294114c62baf7805ac423e4d3aa3a50cd7b3294be03e22c271f6bef1134adf797d9f838962ef5b42e8ecd19e

Download Submit
C:\$Windows.~WS\Sources\unbcl.dll

Filesize
816KB

MD5
5d52a4efac5b4b7530b388aeb6f9cb67

SHA1
4b5d32a6caecec6e261f5ba7bae392609a6a0f65

SHA256
137eca75b268556503e26cd5987dddac5eb0831ed4ce5ea3b0d34b5645a31abd

SHA512
f7f88c4229c97bf598f995cf31a8adff73089ef8d26143cc839a30d63221fb66b185e12ae20bc17f14712723bb20c34f6e546f6be961164deeae268703322756

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
1ae3d75e0d63490cb51fa7efbaafdb09

SHA1
6e5eee716a7632fa4353261dfae95f1cad20ec23

SHA256
264f878b0cb41c9a7cff24c3c578cef905ab5f0a391fbf3f105ffaa74d2d1ec8

SHA512
80ba315557afd9a035ac7077c0dd6fdfc80626b4ad46cef0aa03a8b154f59de3b4c1b1ca0a1fef3cbcb34d008f5e2f70a1b937cc180b671f1985de6c78ae2a29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fc36221d3cc9a4657faeb51e3ea7023a

SHA1
22e3f8e68b2dd3992d544f8ca57c48c6878f77f9

SHA256
f393d5cc1a1b59d1bf0f19ade21515652b60bdea4b2d11780b904eb90fdd7b4b

SHA512
1d831b911b8e6970f3c829d7aed3c7d0faeb3f986fa029c8db8e2b2ced40898ad96b26311e620300ecd6d5a71f444582052b9ae11c4231224010096105bdb117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
70e969d4a2b40aef8eb0736379c0bcfb

SHA1
608c4fdf0e6b820eed23b793884e11210b32be58

SHA256
82e6cd647225c2781d32207ca56e1bf5e85dddabdfdf67a469c6e8910062975c

SHA512
e38f13e75d7a74400b1c21be8c5d8045c366078c4bfd7a25de86a872a22db8b383484c4f044d433f557ba3f181670398eeb7322fb6946a3bfff03875576b596d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2c37d3de-8e07-49e6-b1fb-de1d68ea0632.tmp

Filesize
5KB

MD5
799f425eb5aecd3e6cece00b45d27c4f

SHA1
15b35724079271d0de60f4583681a8f3acf0360f

SHA256
1da5b3f4d63f6f3dd719309d2ab94b1e8157c0abb67c02b0c40a3b65f452f99a

SHA512
e84705b2d32385712eae3797d2f46a18b115d60fa7b0d89659bef7c36bbaa8bb0e9a8175dbdb6fad7c647356c72ba3aa41992affe222a71cce78a54c985669bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a4af23286e769bed539bb28c62e289ff

SHA1
b39930d4f34f9df1150e3e17aa923c8a9d71a289

SHA256
43b5d0db1dda29e35caa46e206146f7abaf4c1d2c0944f6516a993c6d9ceaa34

SHA512
bd25c4f28e3e9c77c9e8bb620adc5748a2b72a296a71efc648490ec715954864c20364ac6e0ce2eb23ef8dacdfbe7aabc1dfec79d8bf0db150ecbd09a2099be2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
42e286353cb023036b761ec933c919ca

SHA1
9b49aa8b8692cebbbf4e67c00487f6869485d614

SHA256
04c02b05c91aed0233cdc9e38acba40945527f965fe1ba32fd418b1bf24e59c8

SHA512
f74f7786299c458ed84e0099752fb86117600229ffb9e83fa21357787d86177a9fb0a5d5af55131fc07d417815129041e94974c620cb6fa0cfa2033138085a0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0e8cffcb46f8f010942622022a80b224

SHA1
c44ef996064e4b4bb2461df646fbff6bc7f1496b

SHA256
e7dbc2fdc80e3beb6bb1f65e1ada69f120f69fbf142e5307d45113dc400ffd2e

SHA512
244f85e25802afbffcee3e01d74636427f236e66ff51d81daae68f9621cafddaac08b8c60773648678c4f44692084ac3ca0c797a23197b80aa798ac86e631d49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b80d4d8b4745c3c4e42bd8a64b00e142

SHA1
7bac4903f94fde388aa9b1a3e46a906ff368f5aa

SHA256
31ce92b0e932d58fb19cd9ad93defc698f8521a908902a0590226bcb0163b209

SHA512
edba817795f0a81248d010d474d291559586d7ced58081f9b568d42dd183246033afa8dc27c162066cff7dad223b5b6ada726a23aea90ee22359281efb08cdbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5d5e88a7fd2799963fd6c9202e99183e

SHA1
802e673e40addc225943696c32f17150f8cffd3f

SHA256
4b1183958fd97c294d7d595c893fe21319d247a102be66e8fac2ba78e097789c

SHA512
653816df60a35b98d372239adf2ee2c9ec92f5b39c1fa816ca3c5c06c02db4b1d793a04b0d7000c194a9e691ea74cb68390d06c1e003ff245318965d811ee185

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
8c0d6616af07f61a695d23555f03afb5

SHA1
4d920d7f35be99217c86ea4dc2396a55e960a537

SHA256
ecc17c289b6a0f4fe10cae7e9eed2413279d3d4354d82fcc9bc672b7bd7493aa

SHA512
f903fe7977d14cc2d021bbf54f103421d0500cbf7b7f3cfd4ba93ae56af294307ec1b7d82c93d1fb530bb132ef4d009aa244ce2a60c23d7748b5ca08e4c7a2d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
08ca56778ab33a3ee07bf3f7df87dc8a

SHA1
fd67f36a6327be21a039c2b0bc2bd780da908fba

SHA256
07aad06a1ab03d64cc81d253bd00b9afb8b9f8b86d89c35e86d0c567bd959dbe

SHA512
58a2b044f572361a46a41abe4790063bd97655c3a8c498969539d0df32e7f93cc29924ee4c5a1988327f1209e0198d07608e8ae2de0e68f23ca5d3631a608efd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581cf9.TMP

Filesize
1KB

MD5
37a7e40d21bcbcae5cb7f909cf44adf1

SHA1
a78a48b85b6eae31ac559e07677849d4cfb4c249

SHA256
ef47f82b4fbcff799b2804c69d003cb2eef900b6e1470328e1fdb0f01aca0056

SHA512
73f0b9ce0a28e04f17046ef5fdc23751fe28a10899a4677292938cf0b798fcf11c8cc4e47fb97da47a2412bb701f4a827fed4c2a5305c3bc4d6fd29d3484eebb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a0c1cdbd997609a980b1c86643366c86

SHA1
974e96db464f1ad9650bd15f211e9f4e75eac36f

SHA256
32c09f1701ec997f6fa44315e8b403cbbbd9f95f784078bb70a3fed44e9726b1

SHA512
3c6aa0a1fb312065597997285219a655ef7bd533c03a186501e893fa5e47cdbb85c32c672621ad11d0670283cfedb934774214dc2537531a67b862f5c3b02df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d996aa2e5869a28b70698546747a745c

SHA1
e50fdb41bcb3e92cdcc4046d1f9e8af1a72003f9

SHA256
f6666c46333fd8a120e71952b456021903e5eefbe0b5614f54a44cf7ca86a23e

SHA512
d30a710dcc90392242251e4930c3476d391a471fcdeedb65d9bf43efca7091797337b82251e20a4ace1ba4616e7763d8a25010600c9d82402790b501481a757a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a4d30d71d37136840b7d5d93cfa6bc8c

SHA1
81defa8767aabe1829ad8b5dd5dc10bf7354ba69

SHA256
9f161ba4e29610b324d977805f11b9899033ae759be5a61d0dacc221d9c0ff3b

SHA512
1ae2b300a21f285d359a8ea04f288b5da8f4a036b65ecb6fba0c04ea49b224124d8294f147e55b791e43a2259a420fd6d85d710ebce1bd51a37cc3596aa6493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gjekyq1y.1vi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\MediaCreationTool_22H2.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 83098.crdownload

Filesize
18.6MB

MD5
aa2ad37bb74c05a49417e3d2f1bd89ce

SHA1
1bf5f814ffe801b4e6f118e829c0d2821d78a60a

SHA256
690c8a63769d444fad47b7ddecee7f24c9333aa735d0bd46587d0df5cf15cde5

SHA512
fab34ccbefbcdcec8f823840c16ae564812d0e063319c4eb4cc1112cf775b8764fea59d0bbafd4774d84b56e08c24056fa96f27425c4060e12eb547c2ae086cc

Download Submit
memory/4128-0-0x00007FFAEDD03000-0x00007FFAEDD05000-memory.dmp

Filesize
8KB

Download
memory/4128-9-0x000001FC60010000-0x000001FC60032000-memory.dmp

Filesize
136KB

Download
memory/4128-10-0x00007FFAEDD00000-0x00007FFAEE7C2000-memory.dmp

Filesize
10.8MB

Download
memory/4128-11-0x00007FFAEDD00000-0x00007FFAEE7C2000-memory.dmp

Filesize
10.8MB

Download
memory/4128-14-0x00007FFAEDD00000-0x00007FFAEE7C2000-memory.dmp

Filesize
10.8MB

Download
memory/4128-15-0x00007FFAEDD00000-0x00007FFAEE7C2000-memory.dmp

Filesize
10.8MB

Download