ef483723ac88d655dfc5f08537cbc7ca6bef3ca2c2f34fd1ade321156f4efe08

Analysis

max time kernel
1798s
max time network
1778s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ZRK 1.1 UC/src/PyQt5/Qt5/bin/Qt5Gui.dll
Size

6.7MB
MD5

47307a1e2e9987ab422f09771d590ff1
SHA1

0dfc3a947e56c749a75f921f4a850a3dcbf04248
SHA256

5e7d2d41b8b92a880e83b8cc0ca173f5da61218604186196787ee1600956be1e
SHA512

21b1c133334c7ca7bbbe4f00a689c580ff80005749da1aa453cceb293f1ad99f459ca954f54e93b249d406aea038ad3d44d667899b73014f884afdbd9c461c14
SSDEEP

49152:9VPhJZWVvpg+za3cFlc61j2VjBW77I4iNlmLPycNRncuUx24LLsXZFC6FOCfDt2/:BJZzI1ZR3U9Cxc22aDACInVc4Z

Score

6^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
117	raw.githubusercontent.com
118	raw.githubusercontent.com

Executes dropped EXE 1 IoCs

pid	Process
2912	DesktopPuzzle.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopPuzzle.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 173874.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 156043.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3872	msedge.exe
3872	msedge.exe
3520	msedge.exe
3520	msedge.exe
3516	identity_helper.exe
3516	identity_helper.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
4024	msedge.exe
2464	msedge.exe
2464	msedge.exe
1732	msedge.exe
1732	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
2912	DesktopPuzzle.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 4364	3520	msedge.exe	103
PID 3520 wrote to memory of 4364	3520	msedge.exe	103
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 4352	3520	msedge.exe	104
PID 3520 wrote to memory of 3872	3520	msedge.exe	105
PID 3520 wrote to memory of 3872	3520	msedge.exe	105
PID 3520 wrote to memory of 3732	3520	msedge.exe	106
PID 3520 wrote to memory of 3732	3520	msedge.exe	106
PID 3520 wrote to memory of 3732	3520	msedge.exe	106
PID 3520 wrote to memory of 3732	3520	msedge.exe	106
PID 3520 wrote to memory of 3732	3520	msedge.exe	106
PID 3520 wrote to memory of 3732	3520	msedge.exe	106
PID 3520 wrote to memory of 3732	3520	msedge.exe	106
PID 3520 wrote to memory of 3732	3520	msedge.exe	106
PID 3520 wrote to memory of 3732	3520	msedge.exe	106
PID 3520 wrote to memory of 3732	3520	msedge.exe	106
PID 3520 wrote to memory of 3732	3520	msedge.exe	106
PID 3520 wrote to memory of 3732	3520	msedge.exe	106
PID 3520 wrote to memory of 3732	3520	msedge.exe	106
PID 3520 wrote to memory of 3732	3520	msedge.exe	106
PID 3520 wrote to memory of 3732	3520	msedge.exe	106
PID 3520 wrote to memory of 3732	3520	msedge.exe	106
PID 3520 wrote to memory of 3732	3520	msedge.exe	106
PID 3520 wrote to memory of 3732	3520	msedge.exe	106
PID 3520 wrote to memory of 3732	3520	msedge.exe	106
PID 3520 wrote to memory of 3732	3520	msedge.exe	106

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ZRK 1.1 UC\src\PyQt5\Qt5\bin\Qt5Gui.dll",#1
1⤵
PID:2448

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9e8be46f8,0x7ff9e8be4708,0x7ff9e8be4718
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2008 /prefetch:2
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3604 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3604 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5684 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
  2⤵
  PID:704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1392 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6048 /prefetch:8
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6712 /prefetch:8
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6712 /prefetch:8
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6276 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,1165250396870130241,13100882689994486482,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4312

C:\Users\Admin\Downloads\DesktopPuzzle.exe
"C:\Users\Admin\Downloads\DesktopPuzzle.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ae72c35f3da8697b6366ce1fab71bc04

SHA1
ce0814298e76308bf439086f9bcd5fdcf5e43c44

SHA256
1403b24cb9a2376c1c8b39902dea8fa617bfb956f42d62a33a68a99d923864a5

SHA512
86d0f3bf324f2b22de362f1db8c5044a9f6dd10edec935695fec9b4884ee4746bbd6fff3dafe734ae7a4e72b2d371965752e5430206574edeb495634315613b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
cacab2cda8fc06f9b8163b2db40b29e8

SHA1
cabc360feafdc42fe64a5cf95f70980397ad52c4

SHA256
64a267fa8b3acd0afcc185fa572e5dc3b3a4df6590da044261fc384c1827dc66

SHA512
acc568529fd3a2f26680d928c972cd43f7d9054449917ea90d9bd45584732fe9f308a7a43223f8c5841f6f60a43efa16e7b84176e2d83c3aaf9ad14bb866c22c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
940B

MD5
939243acb55386ee3e5dea7e77f946af

SHA1
669c2725d5155e760d89d94b18ce5705efe757a0

SHA256
7e70b457336d774d0a38869cfa427b61d69c0f076be4b1c900f54c91bde201de

SHA512
1d8419b7b6df1fceb379667d8b6fc5f1ea4b49df6c862662cd7c2ec484eb3b15055489d84ede301677edd1cf6b5725f96e2a12960a3e0fd406dd38a4f5b964e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
857B

MD5
a80e74ea1ccd2b32e142193a294e214d

SHA1
ef414b5dc4386d8bf0542ad90ad36ef1a5efb83c

SHA256
5f5446f58022ea0416d600786ff23d8ae0663af608a014def1652e540eb21fa0

SHA512
fcb73496cf5ac842d76d1d256d942c8253e33eb8e3e1e672c662fb6fbe9ce37d84f702fa7b2bc6aa1677875839edded3b9db9c11e0e4669fec46a5ed1fc08d67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
aff22970151f11ef5abcebf515294e3f

SHA1
8eed2dcd04353b46114bf8854eacdca2b94d76d2

SHA256
92032c08b1fe06b69bc822a44521b8b819a58a5c42d1d1a6019b17719382fc3d

SHA512
3dede54d43692a07e5275d9c54dc82da0ebc81e2c78200a49b6b38911fdd705961122c677ad19c60015f7cb9474c5d457520f4015caa611e8fa294ce1e5d124e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d0cc6a2bf1d5ae7ad0210a2cb187ae40

SHA1
b66d405c01aa2c312d73fb544b9e3c1945901add

SHA256
e9a2e476ea4caf8866f96bae0d9a23a5c90e91bb803270ede8b2d0df6a865ec6

SHA512
b4aae47e716abaa5d1bb6e1c7fd40d2f8672e9c3ac6a1e4d371e622bfd55b87faf9e1aad22439a0608df1185ffb59970590b2b1e9101f02893c5ead836d9569c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d9ce72a26c2ac71450b2db4da3c43a3b

SHA1
c528415ba2722d9e4ea92ae87807112f2ca6146a

SHA256
f10562c495d48f100e3c7ede555fc6a53929ccf26ba2cdf424188bfa415ac772

SHA512
54b0a46e84cf503351ab2869e63ac57fd7b32887564d7558eccfd3753f14c6e105658823e52ba56d06cf1520c0c317c4c368a3e9cf059b4a907616d291279a95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
310ba2785a8df01eed1970c132247da6

SHA1
f106eb3c7abe9314b3dd0ff1129e7a672144a4e8

SHA256
3d58eb28de96e9e3c4d906ff1a50963f50b00ed34f135fc30dbd7215806f214b

SHA512
414808fe1e841073a3b1d396aabf924dccb04f455793d78b4d7330db861ad0a03fd46c651a29a6d99286d7bc5ffb74caecaf6bec0a4937b24769dd8b96c7a7d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eb86c4c1c1e2c7bdb87159c20e2f4215

SHA1
2ce387637a1f8923fcb1b987d33aa3e9cb82e7a6

SHA256
ff9cc824d0aacd1f90b1d7fc5de49cfff86d154dba47f6c7b5a00e356e28e516

SHA512
e1ab7ea9ee8baf350dfdde16ac2b1326e759e01fec5cb43a919240c7ac267541cde2e2de27bf5a44c62e100c011fa6d9a14b5ac70b496da04d6003970797f0f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9e11f9651a24e28702e6005ebb556de9

SHA1
376e37c8cd12b4f9fcb51b8ee5d083f6332e7f13

SHA256
186e385b91796b5af7d6dc07d5082a9b3258ddcbaa7a1443e97d19b48f75ad6e

SHA512
1c07cca4675c1dc8bd8f1cddb7c874722405510a51bc3fdfb437c1d55091ed9364fcd391eba716684289d02b51ed61d89b2773be63074d70b422e394e601b8e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
395c76aa325c2cd2b23dab90d355123f

SHA1
0850d91dff4750e01c6bfac845b16a897b44cafc

SHA256
2cee17731c73a05efa3c73933b8e03dfee4f792069f80e9e4b59189ad849009f

SHA512
94d2909763ce20e180525065699dc67eecbb076921adad9081147a267492d03676a64324dce3d891f47c6d00c9da58ce8abed2359e729af834adeaf1bba1d2c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
34aec721cab44e1099057c246aed691d

SHA1
b7bc91f92f49b47afb6573a9a18f9f693135e4c8

SHA256
813efc79d7578d02a0e02665de76fbf678255cce46b9e74e3b4ae25f47ab2c5e

SHA512
484aa549dc4fe3d9762132108ee0312806cf87e942d040259a0032985fb4f6191559c9d1595909b75ba02d79da8ed4bfeee690a96bd7ab6b7dff25f6dceffdfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c157f3082b867cc7e4e64a4df5a5b331

SHA1
077b2de8f4f2bf205139ecd425365bfce63ebc94

SHA256
3607304326e96f1583110b5adba96000dc1721c1c9e757ba708c6af689893518

SHA512
796a22605347f19a59e72ea6e677797a305c122bb7a39811a2cffaeccef23ce01b7604d9874e1a36e0ee984b14ca0d1254a598fd0298f7bcbe435f95b4a8dc1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5d4180.TMP

Filesize
538B

MD5
5eaf42b6a019a1f358aece161c6fdb2f

SHA1
6158ba5c30e18c5336eeeec3a9deb7bd7ddc29d4

SHA256
433de2c84e610b0e9f6a3c72ec798d33c6a85b40a86e5b227a2f6c201386fc8f

SHA512
8e581cb3a78de8364c1a89ad9f279a8510bd8b454db1c8814c2dd9589c542e651e74fb994d149ab2d961a9bd78d64f4ddaa63c80abb32e5e77675fc4244bc83a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8ff1292cb719d8477368ac8388a685d4

SHA1
d1e3b519f9838074c36c3bd53f337db6fc45f36d

SHA256
ab64754736e8a4d422502f68062c697ce91d9c7942587934fb183b509be657a6

SHA512
58757112aa69394ba8196dc09c0386a4be35d1cc4a509a0b0a63b3209727d0a5bb9001d19cb80b264782e7a539ed7748eae1e95d9ed887d8a4c35f5146e26453

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a85fd5071bde0f275d49c443e42005f3

SHA1
ef9329fdcd5db74d06905f9d30a728ad72acdc20

SHA256
4a88a1effbd454b035555e6ddaeb7e09ba5ed4c068bca8d4eccb4e7f14eb5bbc

SHA512
0a9642ceda1f6fe565611c3bf496a4ae3fc5f2043da8c79c6c326abafcb1d30d0da489207ed60566874299b3262af871c5ff918a7804a380f9e3df23dba88fb5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 156043.crdownload

Filesize
239KB

MD5
2f8f6e90ca211d7ef5f6cf3c995a40e7

SHA1
f8940f280c81273b11a20d4bfb43715155f6e122

SHA256
1f5a26f24a2bfdd301008f0cc51a6c3762f41b926f974c814f1ecaa4cb28e5e6

SHA512
2b38475550edee5519e33bd18fea510ad73345a27c20f6457710498d34e3d0cf05b0f96f32d018e7dc154a6f2232ea7e3145fd0ed5fb498f9e4702a4be1bb9c8

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 173874.crdownload

Filesize
396KB

MD5
13f4b868603cf0dd6c32702d1bd858c9

SHA1
a595ab75e134f5616679be5f11deefdfaae1de15

SHA256
cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7

SHA512
e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24

Download Submit
memory/2912-529-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2912-533-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2912-534-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2912-544-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download