b37679f69723fa5c6ef006bdb6464e6fbcb55df4f9d29206f9476fd6fb946abc

Analysis

max time kernel
74s
max time network
75s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05/10/2024, 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

injector.bat
Size

737B
MD5

1221e75df68bfb8831e5908dd016cb53
SHA1

f77c8397c97f7396f83c897dd285f645618ab490
SHA256

b37679f69723fa5c6ef006bdb6464e6fbcb55df4f9d29206f9476fd6fb946abc
SHA512

2f7a2878d39e1b51b4df90cacad543746583e8413b42b4cba261e8ab97488f73e15abb8edf0193e0376d6e09144a420d55f8ca58a38a1dd25bf85b418bc04ea7

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Time Discovery 1 TTPs 9 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
4332	certutil.exe
5104	certutil.exe
4368	certutil.exe
1772	certutil.exe
2928	certutil.exe
3960	certutil.exe
2484	certutil.exe
944	certutil.exe
4120	certutil.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
1452	WINWORD.EXE
1452	WINWORD.EXE
1004	vlc.exe
2080	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4336	msedge.exe
4336	msedge.exe
4736	msedge.exe
4736	msedge.exe
4752	msedge.exe
4752	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1004	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe
1004	vlc.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
1452	WINWORD.EXE
1452	WINWORD.EXE
1452	WINWORD.EXE
1452	WINWORD.EXE
1452	WINWORD.EXE
1452	WINWORD.EXE
1452	WINWORD.EXE
1576	OpenWith.exe
1004	vlc.exe
2080	EXCEL.EXE
2080	EXCEL.EXE
2080	EXCEL.EXE
2080	EXCEL.EXE
2080	EXCEL.EXE
2080	EXCEL.EXE
2080	EXCEL.EXE
2080	EXCEL.EXE
2080	EXCEL.EXE
2080	EXCEL.EXE
2080	EXCEL.EXE
2080	EXCEL.EXE
2080	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 2172	1768	cmd.exe	79
PID 1768 wrote to memory of 2172	1768	cmd.exe	79
PID 1768 wrote to memory of 688	1768	cmd.exe	80
PID 1768 wrote to memory of 688	1768	cmd.exe	80
PID 1768 wrote to memory of 1696	1768	cmd.exe	81
PID 1768 wrote to memory of 1696	1768	cmd.exe	81
PID 1768 wrote to memory of 4976	1768	cmd.exe	82
PID 1768 wrote to memory of 4976	1768	cmd.exe	82
PID 1768 wrote to memory of 2952	1768	cmd.exe	83
PID 1768 wrote to memory of 2952	1768	cmd.exe	83
PID 1768 wrote to memory of 2996	1768	cmd.exe	84
PID 1768 wrote to memory of 2996	1768	cmd.exe	84
PID 1768 wrote to memory of 3992	1768	cmd.exe	85
PID 1768 wrote to memory of 3992	1768	cmd.exe	85
PID 1768 wrote to memory of 4000	1768	cmd.exe	86
PID 1768 wrote to memory of 4000	1768	cmd.exe	86
PID 1768 wrote to memory of 1552	1768	cmd.exe	87
PID 1768 wrote to memory of 1552	1768	cmd.exe	87
PID 1768 wrote to memory of 3004	1768	cmd.exe	88
PID 1768 wrote to memory of 3004	1768	cmd.exe	88
PID 1768 wrote to memory of 2384	1768	cmd.exe	89
PID 1768 wrote to memory of 2384	1768	cmd.exe	89
PID 1768 wrote to memory of 3796	1768	cmd.exe	90
PID 1768 wrote to memory of 3796	1768	cmd.exe	90
PID 1768 wrote to memory of 3068	1768	cmd.exe	91
PID 1768 wrote to memory of 3068	1768	cmd.exe	91
PID 1768 wrote to memory of 4468	1768	cmd.exe	92
PID 1768 wrote to memory of 4468	1768	cmd.exe	92
PID 1768 wrote to memory of 1356	1768	cmd.exe	93
PID 1768 wrote to memory of 1356	1768	cmd.exe	93
PID 1768 wrote to memory of 4732	1768	cmd.exe	94
PID 1768 wrote to memory of 4732	1768	cmd.exe	94
PID 1768 wrote to memory of 1184	1768	cmd.exe	95
PID 1768 wrote to memory of 1184	1768	cmd.exe	95
PID 1768 wrote to memory of 4332	1768	cmd.exe	96
PID 1768 wrote to memory of 4332	1768	cmd.exe	96
PID 1768 wrote to memory of 2484	1768	cmd.exe	97
PID 1768 wrote to memory of 2484	1768	cmd.exe	97
PID 1768 wrote to memory of 5104	1768	cmd.exe	98
PID 1768 wrote to memory of 5104	1768	cmd.exe	98
PID 1768 wrote to memory of 5028	1768	cmd.exe	99
PID 1768 wrote to memory of 5028	1768	cmd.exe	99
PID 1768 wrote to memory of 4724	1768	cmd.exe	100
PID 1768 wrote to memory of 4724	1768	cmd.exe	100
PID 1768 wrote to memory of 944	1768	cmd.exe	101
PID 1768 wrote to memory of 944	1768	cmd.exe	101
PID 1768 wrote to memory of 4120	1768	cmd.exe	102
PID 1768 wrote to memory of 4120	1768	cmd.exe	102
PID 1768 wrote to memory of 4368	1768	cmd.exe	103
PID 1768 wrote to memory of 4368	1768	cmd.exe	103
PID 1768 wrote to memory of 5092	1768	cmd.exe	104
PID 1768 wrote to memory of 5092	1768	cmd.exe	104
PID 1768 wrote to memory of 2096	1768	cmd.exe	105
PID 1768 wrote to memory of 2096	1768	cmd.exe	105
PID 1768 wrote to memory of 1772	1768	cmd.exe	106
PID 1768 wrote to memory of 1772	1768	cmd.exe	106
PID 1768 wrote to memory of 2928	1768	cmd.exe	107
PID 1768 wrote to memory of 2928	1768	cmd.exe	107
PID 1768 wrote to memory of 3960	1768	cmd.exe	108
PID 1768 wrote to memory of 3960	1768	cmd.exe	108
PID 1768 wrote to memory of 2868	1768	cmd.exe	109
PID 1768 wrote to memory of 2868	1768	cmd.exe	109
PID 1768 wrote to memory of 3404	1768	cmd.exe	110
PID 1768 wrote to memory of 3404	1768	cmd.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\injector.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\.ses" "C:\Users\Admin\AppData\Local\Temp\.ses.encrypted"
  2⤵
  PID:2172
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log" "C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log.encrypted"
  2⤵
  PID:688
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\aria-debug-324.log" "C:\Users\Admin\AppData\Local\Temp\aria-debug-324.log.encrypted"
  2⤵
  PID:1696
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1722612663.txt" "C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1722612663.txt.encrypted"
  2⤵
  PID:4976
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\chrome_installer.log" "C:\Users\Admin\AppData\Local\Temp\chrome_installer.log.encrypted"
  2⤵
  PID:2952
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt" "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt.encrypted"
  2⤵
  PID:2996
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI2E64.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI2E64.txt.encrypted"
  2⤵
  PID:3992
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI2E81.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI2E81.txt.encrypted"
  2⤵
  PID:4000
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI2E64.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI2E64.txt.encrypted"
  2⤵
  PID:1552
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI2E81.txt" "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI2E81.txt.encrypted"
  2⤵
  PID:3004
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log" "C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log.encrypted"
  2⤵
  PID:2384
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\jawshtml.html" "C:\Users\Admin\AppData\Local\Temp\jawshtml.html.encrypted"
  2⤵
  PID:3796
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\jusched.log" "C:\Users\Admin\AppData\Local\Temp\jusched.log.encrypted"
  2⤵
  PID:3068
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\LIRNGFNA-20240802-1531.log" "C:\Users\Admin\AppData\Local\Temp\LIRNGFNA-20240802-1531.log.encrypted"
  2⤵
  PID:4468
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\LIRNGFNA-20240802-1531a.log" "C:\Users\Admin\AppData\Local\Temp\LIRNGFNA-20240802-1531a.log.encrypted"
  2⤵
  PID:1356
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240802_152703676.html" "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240802_152703676.html.encrypted"
  2⤵
  PID:4732
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240802152727.log" "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240802152727.log.encrypted"
  2⤵
  PID:1184
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240802152727_000_dotnet_runtime_6.0.27_win_x64.msi.log" "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240802152727_000_dotnet_runtime_6.0.27_win_x64.msi.log.encrypted"
  2⤵
  - System Time Discovery
  PID:4332
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240802152727_001_dotnet_hostfxr_6.0.27_win_x64.msi.log" "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240802152727_001_dotnet_hostfxr_6.0.27_win_x64.msi.log.encrypted"
  2⤵
  - System Time Discovery
  PID:2484
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240802152727_002_dotnet_host_6.0.27_win_x64.msi.log" "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240802152727_002_dotnet_host_6.0.27_win_x64.msi.log.encrypted"
  2⤵
  - System Time Discovery
  PID:5104
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240802152727_003_windowsdesktop_runtime_6.0.27_win_x64.msi.log" "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240802152727_003_windowsdesktop_runtime_6.0.27_win_x64.msi.log.encrypted"
  2⤵
  PID:5028
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240802152750.log" "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240802152750.log.encrypted"
  2⤵
  PID:4724
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240802152750_000_dotnet_runtime_7.0.16_win_x64.msi.log" "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240802152750_000_dotnet_runtime_7.0.16_win_x64.msi.log.encrypted"
  2⤵
  - System Time Discovery
  PID:944
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240802152750_001_dotnet_hostfxr_7.0.16_win_x64.msi.log" "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240802152750_001_dotnet_hostfxr_7.0.16_win_x64.msi.log.encrypted"
  2⤵
  - System Time Discovery
  PID:4120
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240802152750_002_dotnet_host_7.0.16_win_x64.msi.log" "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240802152750_002_dotnet_host_7.0.16_win_x64.msi.log.encrypted"
  2⤵
  - System Time Discovery
  PID:4368
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240802152750_003_windowsdesktop_runtime_7.0.16_win_x64.msi.log" "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240802152750_003_windowsdesktop_runtime_7.0.16_win_x64.msi.log.encrypted"
  2⤵
  PID:5092
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240802152814.log" "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240802152814.log.encrypted"
  2⤵
  PID:2096
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240802152814_000_dotnet_runtime_8.0.2_win_x64.msi.log" "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240802152814_000_dotnet_runtime_8.0.2_win_x64.msi.log.encrypted"
  2⤵
  - System Time Discovery
  PID:1772
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240802152814_001_dotnet_hostfxr_8.0.2_win_x64.msi.log" "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240802152814_001_dotnet_hostfxr_8.0.2_win_x64.msi.log.encrypted"
  2⤵
  - System Time Discovery
  PID:2928
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240802152814_002_dotnet_host_8.0.2_win_x64.msi.log" "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240802152814_002_dotnet_host_8.0.2_win_x64.msi.log.encrypted"
  2⤵
  - System Time Discovery
  PID:3960
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240802152814_003_windowsdesktop_runtime_8.0.2_win_x64.msi.log" "C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240802152814_003_windowsdesktop_runtime_8.0.2_win_x64.msi.log.encrypted"
  2⤵
  PID:2868
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\msedge_installer.log" "C:\Users\Admin\AppData\Local\Temp\msedge_installer.log.encrypted"
  2⤵
  PID:3404
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\wct5B5E.tmp" "C:\Users\Admin\AppData\Local\Temp\wct5B5E.tmp.encrypted"
  2⤵
  PID:4020
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\wctAD85.tmp" "C:\Users\Admin\AppData\Local\Temp\wctAD85.tmp.encrypted"
  2⤵
  PID:2820
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\wctB0B3.tmp" "C:\Users\Admin\AppData\Local\Temp\wctB0B3.tmp.encrypted"
  2⤵
  PID:4824
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\wctBE7F.tmp" "C:\Users\Admin\AppData\Local\Temp\wctBE7F.tmp.encrypted"
  2⤵
  PID:4588
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\wctCB00.tmp" "C:\Users\Admin\AppData\Local\Temp\wctCB00.tmp.encrypted"
  2⤵
  PID:2884
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\wctEC25.tmp" "C:\Users\Admin\AppData\Local\Temp\wctEC25.tmp.encrypted"
  2⤵
  PID:4172
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\wmsetup.log" "C:\Users\Admin\AppData\Local\Temp\wmsetup.log.encrypted"
  2⤵
  PID:992
- C:\Windows\system32\certutil.exe
  certutil -encode "C:\Users\Admin\AppData\Local\Temp\{CD6BD643-5578-438E-8874-C9BE0980F6C1} - OProcSessId.dat" "C:\Users\Admin\AppData\Local\Temp\{CD6BD643-5578-438E-8874-C9BE0980F6C1} - OProcSessId.dat.encrypted"
  2⤵
  PID:1812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc11903cb8,0x7ffc11903cc8,0x7ffc11903cd8
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1632,6185712030873427165,5548258654983507881,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,6185712030873427165,5548258654983507881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,6185712030873427165,5548258654983507881,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1632,6185712030873427165,5548258654983507881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1632,6185712030873427165,5548258654983507881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1632,6185712030873427165,5548258654983507881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1632,6185712030873427165,5548258654983507881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,6185712030873427165,5548258654983507881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3404

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\CompareUnprotect.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1452

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1576

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\LockLimit.aif"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1004

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Downloads\ResizeExpand.xlt"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
dabd0b88527d99b0dd0673e25276d2b6

SHA1
58e76468b9b16ac5803c941f4235ce49eb9fd167

SHA256
e933ec83c2ff499ecf39b9d5dd01a8b14add2040d8703dc2dc7e098b482bc950

SHA512
8cb7de367c252aaf3426c9c82575fa80fe9c21f94bb70eddfed1ce575e0e28886677c3ec6ebbfe589a1499296d980512fba09b0e3c909854771c6f86360acdc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
30c8e65008cd05c0c556af448c3d4beb

SHA1
f10b60e1c54dda2ca034a83508be2a93814ebda1

SHA256
fda94d35a06e5fb84ccbeda7f70727161917ea8be13cb72bb5223f784aca11e0

SHA512
b5a4288223a8516e0912beb3c1b184731f668bb772be740be0a47b48d1eda862bf72ab2a265d3d591b840a845ff8f9a93272ad7a8b216c4fd8c0ac40562d935a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\1b71e3cb-0359-42c3-af78-ee9a2fa37c8f.tmp

Filesize
10KB

MD5
7ab9b1f0d74290bc0966a691268ff8da

SHA1
d91f47e5e20f69f85897f13a4f6c1b396e25ff2e

SHA256
6592b2811ed7f2203d0a1fcf337e9b131c5a97e3d4768070a586ad8c010c5186

SHA512
f85f844e55e629be1c0996e7e0a67d3d72d689ee0e8d4ca36ac2606beeb5c3ccf4948bbe71789b8e2abef122b4045dc062abccecd61ad99dc71d46ffeba301ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
058032c530b52781582253cb245aa731

SHA1
7ca26280e1bfefe40e53e64345a0d795b5303fab

SHA256
1c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e

SHA512
77fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8276eab0f8f0c0bb325b5b8c329f64f

SHA1
8ce681e4056936ca8ccd6f487e7cd7cccbae538b

SHA256
847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da

SHA512
42f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f47ba88cb309d51086f6529e9d7d4eeb

SHA1
2721f3ce17bca4a78d026cc5d259a62863bd4c33

SHA256
5ec02d652a47802548cc9ea3c778a3ef94afacaf004e61903fc0c2d2e7c7bba1

SHA512
ce1dd9dee0ad357caecf1c5d51cf07fa491504b302d977102270c81af308876b9a6dc504e71e24149810c4e557d5e0c4a5ba860e4397c32635a0839e27d52b61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
85bd985ac356e9758d2430ef7e8ff22b

SHA1
f4f0147cf94593cfac6aeeb02e2f138719f9f3d6

SHA256
57fc732e29141117c49284b84d9192af94a6ae143883764967fd943e0d1ccb16

SHA512
61fb1a002b7e3942601e42eacfe62288cbca9012c22d94a01249de65f23fa20e777aef31b72ce810d3a9ca54cc5fafb3e2cad3bdf58bc7b73b1a00d12a671244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\8F76A4E5-400C-46E6-BA97-4AA8699A59C5

Filesize
172KB

MD5
5673e3ea99c6f5fa82e49088f226c78c

SHA1
5e2eb4d36f197004f0dcafc7b5b13db8e5533002

SHA256
816e1d40cc1051c01799d34b9eb2a6c7eeb642a4d6089fd92a778b91101df12a

SHA512
f25141b60f42a5c7ef643cfd56adcab227fdab99729fb4eb25ef355282c5147e8888a45ae8e0f5cfdd935212c238bfcd6f130a528130c05853e6929368240c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctEC25.tmp.encrypted

Filesize
87KB

MD5
95addea41ced3f2f400f7a3cb21903c8

SHA1
1140235df208406cf62de3c7167040e4bf080f1d

SHA256
452ca45ee03b4b88c9b37d3c92cd25b0d811c0693b410863dd010dce277f2d88

SHA512
3603d483de82381696bec98f2b3182cf9dcf091bf1e8cb84a009837ba2bcb15726a989e2848d94f257cc55d03af5d03d333f60f266d0813ce0ee810f788eba67

Download Submit
memory/1004-222-0x00007FFBFFDF0000-0x00007FFC000A6000-memory.dmp

Filesize
2.7MB

Download
memory/1004-199-0x00007FFC10420000-0x00007FFC10431000-memory.dmp

Filesize
68KB

Download
memory/1004-223-0x00007FFBFE210000-0x00007FFBFF2C0000-memory.dmp

Filesize
16.7MB

Download
memory/1004-221-0x00007FFC11D30000-0x00007FFC11D64000-memory.dmp

Filesize
208KB

Download
memory/1004-220-0x00007FF6B68A0000-0x00007FF6B6998000-memory.dmp

Filesize
992KB

Download
memory/1004-209-0x000001F05FC80000-0x000001F0614EF000-memory.dmp

Filesize
24.4MB

Download
memory/1004-183-0x00007FFC11D30000-0x00007FFC11D64000-memory.dmp

Filesize
208KB

Download
memory/1004-189-0x00007FFC11170000-0x00007FFC11181000-memory.dmp

Filesize
68KB

Download
memory/1004-182-0x00007FF6B68A0000-0x00007FF6B6998000-memory.dmp

Filesize
992KB

Download
memory/1004-185-0x00007FFC15AF0000-0x00007FFC15B08000-memory.dmp

Filesize
96KB

Download
memory/1004-184-0x00007FFBFFDF0000-0x00007FFC000A6000-memory.dmp

Filesize
2.7MB

Download
memory/1004-191-0x00007FFC110D0000-0x00007FFC110E1000-memory.dmp

Filesize
68KB

Download
memory/1004-192-0x00007FFBFF9B0000-0x00007FFBFFBBB000-memory.dmp

Filesize
2.0MB

Download
memory/1004-190-0x00007FFC11150000-0x00007FFC1116D000-memory.dmp

Filesize
116KB

Download
memory/1004-188-0x00007FFC11590000-0x00007FFC115A7000-memory.dmp

Filesize
92KB

Download
memory/1004-187-0x00007FFC12000000-0x00007FFC12011000-memory.dmp

Filesize
68KB

Download
memory/1004-186-0x00007FFC152D0000-0x00007FFC152E7000-memory.dmp

Filesize
92KB

Download
memory/1004-196-0x00007FFC10CF0000-0x00007FFC10D08000-memory.dmp

Filesize
96KB

Download
memory/1004-204-0x00007FFC06250000-0x00007FFC062B7000-memory.dmp

Filesize
412KB

Download
memory/1004-208-0x00007FFBFF510000-0x00007FFBFF6CA000-memory.dmp

Filesize
1.7MB

Download
memory/1004-207-0x00007FFBFF8D0000-0x00007FFBFF927000-memory.dmp

Filesize
348KB

Download
memory/1004-206-0x00007FFC074D0000-0x00007FFC074E1000-memory.dmp

Filesize
68KB

Download
memory/1004-205-0x00007FFBFF930000-0x00007FFBFF9AC000-memory.dmp

Filesize
496KB

Download
memory/1004-203-0x00007FFC074F0000-0x00007FFC07520000-memory.dmp

Filesize
192KB

Download
memory/1004-202-0x00007FFC07520000-0x00007FFC07538000-memory.dmp

Filesize
96KB

Download
memory/1004-201-0x00007FFC0C8A0000-0x00007FFC0C8B1000-memory.dmp

Filesize
68KB

Download
memory/1004-200-0x00007FFC0DCB0000-0x00007FFC0DCCB000-memory.dmp

Filesize
108KB

Download
memory/1004-194-0x00007FFC0D4F0000-0x00007FFC0D531000-memory.dmp

Filesize
260KB

Download
memory/1004-198-0x00007FFC10BD0000-0x00007FFC10BE1000-memory.dmp

Filesize
68KB

Download
memory/1004-193-0x00007FFBFE210000-0x00007FFBFF2C0000-memory.dmp

Filesize
16.7MB

Download
memory/1004-197-0x00007FFC10CD0000-0x00007FFC10CE1000-memory.dmp

Filesize
68KB

Download
memory/1004-195-0x00007FFC10E10000-0x00007FFC10E31000-memory.dmp

Filesize
132KB

Download
memory/1452-138-0x00007FFBE0A50000-0x00007FFBE0A60000-memory.dmp

Filesize
64KB

Download
memory/1452-169-0x00007FFBE0A50000-0x00007FFBE0A60000-memory.dmp

Filesize
64KB

Download
memory/1452-168-0x00007FFBE0A50000-0x00007FFBE0A60000-memory.dmp

Filesize
64KB

Download
memory/1452-167-0x00007FFBE0A50000-0x00007FFBE0A60000-memory.dmp

Filesize
64KB

Download
memory/1452-166-0x00007FFBE0A50000-0x00007FFBE0A60000-memory.dmp

Filesize
64KB

Download
memory/1452-136-0x00007FFBE0A50000-0x00007FFBE0A60000-memory.dmp

Filesize
64KB

Download
memory/1452-140-0x00007FFBDE260000-0x00007FFBDE270000-memory.dmp

Filesize
64KB

Download
memory/1452-139-0x00007FFBDE260000-0x00007FFBDE270000-memory.dmp

Filesize
64KB

Download
memory/1452-134-0x00007FFBE0A50000-0x00007FFBE0A60000-memory.dmp

Filesize
64KB

Download
memory/1452-137-0x00007FFBE0A50000-0x00007FFBE0A60000-memory.dmp

Filesize
64KB

Download
memory/1452-135-0x00007FFBE0A50000-0x00007FFBE0A60000-memory.dmp

Filesize
64KB

Download
memory/2080-226-0x00007FFBE0A50000-0x00007FFBE0A60000-memory.dmp

Filesize
64KB

Download
memory/2080-224-0x00007FFBE0A50000-0x00007FFBE0A60000-memory.dmp

Filesize
64KB

Download
memory/2080-229-0x00007FFBDE260000-0x00007FFBDE270000-memory.dmp

Filesize
64KB

Download
memory/2080-225-0x00007FFBE0A50000-0x00007FFBE0A60000-memory.dmp

Filesize
64KB

Download
memory/2080-231-0x00007FFBDE260000-0x00007FFBDE270000-memory.dmp

Filesize
64KB

Download
memory/2080-228-0x00007FFBE0A50000-0x00007FFBE0A60000-memory.dmp

Filesize
64KB

Download
memory/2080-227-0x00007FFBE0A50000-0x00007FFBE0A60000-memory.dmp

Filesize
64KB

Download
memory/2080-257-0x00007FFBE0A50000-0x00007FFBE0A60000-memory.dmp

Filesize
64KB

Download
memory/2080-256-0x00007FFBE0A50000-0x00007FFBE0A60000-memory.dmp

Filesize
64KB

Download
memory/2080-259-0x00007FFBE0A50000-0x00007FFBE0A60000-memory.dmp

Filesize
64KB

Download
memory/2080-258-0x00007FFBE0A50000-0x00007FFBE0A60000-memory.dmp

Filesize
64KB

Download