6e63becaf5c5e17a9d3afb6e2104eee3dbe473c8930ae8783eba0fedadb4a152

Analysis

max time kernel
69s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TMACv6.0.7_Setup.exe
Size

5.1MB
MD5

a7c8cf1d50ebe630a7d0c47686a0abbf
SHA1

3229e8080975f4f5512d2382552f68c0389acff5
SHA256

a453b3ea8d8133531fad26b18701c694c324cc201e3069d07e99f0e100908c1a
SHA512

42340b7435605049e3f817feac1ac238177772b2b1ebf05eb9311bb58ee3dd1cab39913240a4c39e3407374009310770d8221c31914549524ecd92beab93b787
SSDEEP

98304:ARU3j4wtopcj2dqCYV1coZ4hv3tmF1b6CrjfW/sfH6s7zQcKDsVv/JLSF66b/:ARqt/CdqRc64hv3tmF1b6CffW/sfH6sm

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

TMAC.exe

pid process

3788 TMAC.exe
3788 TMAC.exe

Loads dropped DLL 14 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeTMAC.exe

pid	process
3480	regsvr32.exe
4636	regsvr32.exe
2076	regsvr32.exe
3656	regsvr32.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3480	regsvr32.exe
4636	regsvr32.exe
2076	regsvr32.exe
3656	regsvr32.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

Processes:

TMACv6.0.7_Setup.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\MSCOMCTL.OCX	TMACv6.0.7_Setup.exe
File opened for modification	C:\Windows\SysWOW64\COMDLG32.OCX	TMACv6.0.7_Setup.exe
File opened for modification	C:\Windows\SysWOW64\MSCHRT20.OCX	TMACv6.0.7_Setup.exe
File opened for modification	C:\Windows\SysWOW64\TABCTL32.OCX	TMACv6.0.7_Setup.exe

Drops file in Program Files directory 13 IoCs

Processes:

TMACv6.0.7_Setup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\normal_back_blue_w800.jpg	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\TMAC.exe	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\Installer.exe	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\Default.tpf	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\help.html	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\logo.gif	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\normal_logo_back.jpg	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\oui.db	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\Read Me.txt	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\CLIHelp.txt	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\EULA.txt	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\index.css	TMACv6.0.7_Setup.exe
File opened for modification	C:\Program Files (x86)\Technitium\TMACv6.0\normal_footer_back_h30.jpg	TMACv6.0.7_Setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

TMAC.exeTMACv6.0.7_Setup.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TMAC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TMACv6.0.7_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\AlternateCLSID = "{585AA280-ED8B-46B2-93AE-132ECFA1DAFC}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\AlternateCLSID = "{95F0B3BE-E8AC-4995-9DCA-419849E06410}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{996BF5E0-8044-4650-ADEB-0B013914E99C}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{627C8B79-918A-4C5C-9E19-20F66BF30B86}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\AlternateCLSID = "{556C2772-F1AD-4DE1-8456-BD6E8F66113B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\AlternateCLSID = "{0B314611-2C19-4AB4-8513-A6EEA569D3C4}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}\AlternateCLSID = "{585AA280-ED8B-46B2-93AE-132ECFA1DAFC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F91CAF91-225B-43A7-BB9E-472F991FC402}\AlternateCLSID = "{556C2772-F1AD-4DE1-8456-BD6E8F66113B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF}\AlternateCLSID = "{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{24B224E0-9545-4A2F-ABD5-86AA8A849385}\AlternateCLSID = "{9A948063-66C3-4F63-AB46-582EDAA35047}"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\AlternateCLSID = "{87DACC48-F1C5-4AF3-84BA-A2A72C2AB959}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F91CAF91-225B-43A7-BB9E-472F991FC402}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9181DC5F-E07D-418A-ACA6-8EEA1ECB8E9E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8E3867A3-8586-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\AlternateCLSID = "{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{996BF5E0-8044-4650-ADEB-0B013914E99C}\AlternateCLSID = "{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{66833FE6-8583-11D1-B16A-00C0F0283628}\AlternateCLSID = "{8B2ADD10-33B7-4506-9569-0A1E1DBBEBAE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C74190B6-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{95F0B3BE-E8AC-4995-9DCA-419849E06410}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1EFB6596-857C-11D1-B16A-00C0F0283628}\AlternateCLSID = "{9A948063-66C3-4F63-AB46-582EDAA35047}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{24B224E0-9545-4A2F-ABD5-86AA8A849385}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2C247F23-8591-11D1-B16A-00C0F0283628}\Compatibility Flags = "1024"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{996BF5E0-8044-4650-ADEB-0B013914E99C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}\AlternateCLSID = "{8B2ADD10-33B7-4506-9569-0A1E1DBBEBAE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F91CAF91-225B-43A7-BB9E-472F991FC402}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{979127D3-7D01-4FDE-AF65-A698091468AF}\Compatibility Flags = "1024"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{35053A22-8589-11D1-B16A-00C0F0283628}\AlternateCLSID = "{A0E7BF67-8D30-4620-8825-7111714C7CAB}"	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F24-8591-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E074CF-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E074E8-BA0A-11D1-B137-0000F8753F5D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E07527-BA0A-11D1-B137-0000F8753F5D}\TypeLib\ = "{65E121D4-0C60-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\VersionIndependentProgID\ = "MSComctlLib.TreeCtrl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E074D3-BA0A-11D1-B137-0000F8753F5D}\ = "IVcMarker"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E074FC-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B2ADD10-33B7-4506-9569-0A1E1DBBEBAE}\ = "Microsoft Toolbar Control 6.0 (SP6)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0E7BF67-8D30-4620-8825-7111714C7CAB}\ = "Microsoft ProgressBar Control 6.0 (SP6)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FE4-8583-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E3867A1-8586-11D1-B16A-00C0F0283628}\ = "IStatusBar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F04A-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E074D5-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6594-857C-11D1-B16A-00C0F0283628}\ = "ITabStrip"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E07527-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F91CAF91-225B-43A7-BB9E-472F991FC402}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6599-857C-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FE5-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F051-858B-11D1-B16A-00C0F0283628}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E074D5-BA0A-11D1-B137-0000F8753F5D}\TypeLib\ = "{65E121D4-0C60-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E074F0-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E07523-BA0A-11D1-B137-0000F8753F5D}\ = "IVcValueScale"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDC217C7-ED16-11CD-956C-0000C04E4C0A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E074FC-BA0A-11D1-B137-0000F8753F5D}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E07513-BA0A-11D1-B137-0000F8753F5D}\TypeLib\ = "{65E121D4-0C60-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{979127D3-7D01-4FDE-AF65-A698091468AF}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{627C8B79-918A-4C5C-9E19-20F66BF30B86}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FEB-8583-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F051-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}\2.1\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1EFB6595-857C-11D1-B16A-00C0F0283628}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE5-8583-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD9DA660-8594-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E074E6-BA0A-11D1-B137-0000F8753F5D}\TypeLib\ = "{65E121D4-0C60-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E074F2-BA0A-11D1-B137-0000F8753F5D}\TypeLib\ = "{65E121D4-0C60-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E0750E-BA0A-11D1-B137-0000F8753F5D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ListViewCtrl.2\CLSID\ = "{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{979127D3-7D01-4FDE-AF65-A698091468AF}\ProgID\ = "MSComctlLib.ListViewCtrl.2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DC6F291-BF55-4E50-B619-EF672D9DCC58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC5D0DDE-BD4C-11D1-B137-0000F8753F5D}\ = "VtChart Chart Property Page Object"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDC217C5-ED16-11CD-956C-0000C04E4C0A}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CCDB0DF2-FD1A-4856-80BC-32929D8359B7}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSCOMCTL.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE37-8596-11D1-B16A-00C0F0283628}\ = "Toolbar General Property Page Object"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1EFB6597-857C-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867A1-8586-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F9043C85-F6F2-101A-A3C9-08002B2F49FB}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\ = "ICommonDialog"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F9043C87-F6F2-101A-A3C9-08002B2F49FB}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E074EA-BA0A-11D1-B137-0000F8753F5D}\TypeLib\ = "{65E121D4-0C60-11D2-A9FC-0000F8754DA1}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E0751D-BA0A-11D1-B137-0000F8753F5D}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B2ADD10-33B7-4506-9569-0A1E1DBBEBAE}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E074DC-BA0A-11D1-B137-0000F8753F5D}\ = "IVcShadow"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E9E0750A-BA0A-11D1-B137-0000F8753F5D}\ = "IVcLabels"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E9E0751B-BA0A-11D1-B137-0000F8753F5D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{556C2772-F1AD-4DE1-8456-BD6E8F66113B}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F91CAF91-225B-43A7-BB9E-472F991FC402}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F053-858B-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exe

pid process

1420 msedge.exe
1420 msedge.exe
1040 msedge.exe
1040 msedge.exe
1420 msedge.exe
1420 msedge.exe
1040 msedge.exe
1040 msedge.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

TMAC.exe

pid process

3788 TMAC.exe
3788 TMAC.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

1040 msedge.exe
1040 msedge.exe
1040 msedge.exe
1040 msedge.exe
1040 msedge.exe
1040 msedge.exe

pid	process
1420	msedge.exe
1420	msedge.exe
1040	msedge.exe
1040	msedge.exe
1420	msedge.exe
1420	msedge.exe
1040	msedge.exe
1040	msedge.exe

pid	process
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

TMACv6.0.7_Setup.exeTMAC.exemsedge.exe

pid	process
1112	TMACv6.0.7_Setup.exe
1112	TMACv6.0.7_Setup.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
3788	TMAC.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

TMAC.exemsedge.exe

pid	process
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
3788	TMAC.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

TMACv6.0.7_Setup.exeTMAC.exe

pid	process
1112	TMACv6.0.7_Setup.exe
1112	TMACv6.0.7_Setup.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
1112	TMACv6.0.7_Setup.exe
1112	TMACv6.0.7_Setup.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe
3788	TMAC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

TMACv6.0.7_Setup.exeTMAC.exemsedge.exe

description	pid	process	target process
PID 1112 wrote to memory of 3480	1112	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 1112 wrote to memory of 3480	1112	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 1112 wrote to memory of 3480	1112	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 1112 wrote to memory of 4636	1112	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 1112 wrote to memory of 4636	1112	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 1112 wrote to memory of 4636	1112	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 1112 wrote to memory of 2076	1112	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 1112 wrote to memory of 2076	1112	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 1112 wrote to memory of 2076	1112	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 1112 wrote to memory of 3656	1112	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 1112 wrote to memory of 3656	1112	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 1112 wrote to memory of 3656	1112	TMACv6.0.7_Setup.exe	regsvr32.exe
PID 3788 wrote to memory of 1040	3788	TMAC.exe	msedge.exe
PID 3788 wrote to memory of 1040	3788	TMAC.exe	msedge.exe
PID 1040 wrote to memory of 4744	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 4744	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 2384	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 1420	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 1420	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 4640	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 4640	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 4640	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 4640	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 4640	1040	msedge.exe	msedge.exe
PID 1040 wrote to memory of 4640	1040	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\TMACv6.0.7_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\TMACv6.0.7_Setup.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\system32\MSCOMCTL.OCX"
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
PID:3480

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\system32\COMDLG32.OCX"
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4636

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\system32\MSCHRT20.OCX"
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2076

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Windows\system32\TABCTL32.OCX"
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3656

C:\Program Files (x86)\Technitium\TMACv6.0\TMAC.exe
"C:\Program Files (x86)\Technitium\TMACv6.0\TMAC.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://blog.technitium.com/2011/05/tmac-issue-with-wireless-network.html
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa29f246f8,0x7ffa29f24708,0x7ffa29f24718
3⤵
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,9915496892477981811,8650656452498970264,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
3⤵
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,9915496892477981811,8650656452498970264,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,9915496892477981811,8650656452498970264,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
3⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9915496892477981811,8650656452498970264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
3⤵
PID:3980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9915496892477981811,8650656452498970264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
3⤵
PID:832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,9915496892477981811,8650656452498970264,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
3⤵
PID:1912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Technitium\TMACv6.0\Default.tpf

Filesize
327B

MD5
b15b6771957a32ad93ffd0e044e4dca7

SHA1
1fc37282fce391d607c71dccbaba0fea8ae0f68b

SHA256
29106fa8e3c3d9370ced3d1c18f6d99a139710d6f77c8e61d468934dbd7efeeb

SHA512
49f28ac07e41de4cca37fcd6a898f1ba90766b3387bd49f171a1c49d75b7f94eb84b2d08e9efacc9a3281091413d8f19a06feb55825756ed533084565afccc5b

Download Submit
C:\Program Files (x86)\Technitium\TMACv6.0\Installer.exe

Filesize
189KB

MD5
9473840ec1c2981e805da17c0b700c49

SHA1
fdd826931c215717861254b099dba057b740e242

SHA256
00cb5fee0ba2ac509195187df7d97d9ff08ffcb7df2a3af076a739e0c29781f4

SHA512
8ba9ef5cc94e75d48aaa1440ae45841a4b002c5a64584b6a6dd7e4bc2f0ede8d576537d8f14dfd2d76f6e2f6de847102ec4f6755d4a1314b4dd891919ee8cce9

Download Submit
C:\Program Files (x86)\Technitium\TMACv6.0\TMAC.exe

Filesize
712KB

MD5
230b4c45774e95dd75241068c68aeb0d

SHA1
ef46dd76a8c6d4a7d6882469015a07a9bf660a50

SHA256
6c3d76c9a4d1652ce25ae8c2ba1907167cfaa0054b8e1325f370c52eafa74c97

SHA512
fc08d219e1023d7929250ecab81f640e4114f51b184d9004da0887c93b24a6026931a71da4ef0e95caa2a416d858496b5e174bcd0dd3bd3a76bca6582283e90c

Download Submit
C:\Program Files (x86)\Technitium\TMACv6.0\oui.db

Filesize
1.9MB

MD5
df01b5d254a5975ab617cf11d1c31fe1

SHA1
0fd90aee6d7a9b7417db574d9af5046fac45e14d

SHA256
eb13aff91a8ee50dfdf7b2cbf10e0e975f6d6111298737ab051539a4b9156944

SHA512
f6d1bfbb6793926c518b2a36f5fc46767d5fa508ee6f2973718ec8b8ae3e93d04f7d66c28c15aad1697d3bd81f4af7358dab9c4a56e95e85743ae7c6bf01f7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
395a0eee70de950503b560f6298bc76a

SHA1
97188b261a13f922631d80b53987e197760bc1d2

SHA256
f07faf392380dc79ac92295adc6831e8c4f82971730f1b4d901bad8cd201b3ff

SHA512
41e2e47f873c4ceefe848a96be6fa9747105d80b23f7b5af32f95a18573ebdfb604c5bcbcd5923b8d250a8910043262e1cc534ed937d0876e98970d3b4bb02b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4b95b828319a9cbe2863d250cde9edfd

SHA1
56bfd84fd83fd88cd1903e22b5be0e178c959605

SHA256
6617e78035347a75862dbd9c0341151b418462a418545d1ff8ea1aebbe8a89ce

SHA512
1c4ecbea6f5233a5ab00ca53913d73d57f755a0b14fa437477355d67a381474f2018e616fe2b7b44c60123a700aeff528e72b3841c7d580061bc6633d7a92bc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4b1a5093692e12eb8b5ce45afd62150c

SHA1
b3146707e89933a9cbd9876d480faaa2b076a9b3

SHA256
5c9b44d26611eccf430189804f50b65369e1ceb5dfd9980fc982d875bf368a5d

SHA512
a72a7a1bc43074d3903fb26b3139770365667feee1ccfa0b8800d11282d27193e92c0e56522cd3c340822ccffbef98d4934bf3e0c7c84106730a4594e677b0fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b13f0ba11ffb9c55dcf87c53c6a37795

SHA1
95f8b459ac248d5585105690a9119f85de6016d9

SHA256
5c9df9be0f58835e1317f52a660c4f9ecce144b50c899321fda6ebe024923545

SHA512
362fd448a16f86faf25e1dee09e3a38f6aa15db424010fcbad3caf0ecacfaf3ffd2b4870eff4444798ce9a440f41b0bc29320739a5ae947b3b4ed070c97cf905

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5e9fbde3321acbf050e81fa6b3135cee

SHA1
ee525b1df328a64b6b5301d0cd788f8c02b16ee4

SHA256
8f28a98cf51338c8e15a1ded9aed2551c75f75cfa54a15d3a651a3514f6d129e

SHA512
591cb12deed5aa971efd3dab49bff1cfd166a141979a3e34c8956e462d53187bf770abb268bceb5424de45181a9f47d64b9702b122d7dcb225a1d395ae1b18f5

Download Submit
C:\Windows\SysWOW64\COMDLG32.OCX

Filesize
137KB

MD5
b73809a916e6d7c1ae56f182a2e8f7e2

SHA1
34e4213d8bf0e150d3f50ae0bd3f5b328e1105f5

SHA256
64c6ee999562961d11af130254ad3ffd24bb725d3c18e7877f9fd362f4936195

SHA512
26c28cb6c7e1b47425403ab8850a765ac420dd6474327ce8469376219c830ab46218383d15a73c9ea3a23fc6b5f392ee6e2a1632a1bf644b1bd1a05a4729e333

Download Submit
C:\Windows\SysWOW64\MSCHRT20.OCX

Filesize
987KB

MD5
38ce0c8fcd78d00fd717ce3a91214cbc

SHA1
953b182806a8ddcde48b033537e3432a56d1cf39

SHA256
de49eb9f935416cc57a1b590cca686e4a14e7b3cbbde10b8ff7fb88642a215ce

SHA512
bd7c0319953c5280d1e0f961cd6324c70c4949c0db0aa1cd77c27a8a1abfd6e592164a8888e3a06b5b127614d9b9caf1dfcae95b9e50216547a8e8ffb1f00006

Download Submit
C:\Windows\SysWOW64\MSCOMCTL.OCX

Filesize
1.0MB

MD5
766f501b61c22723536af696a74133d4

SHA1
b82b79c981da0750566cdbcccd8c7c6183e75d1b

SHA256
793fca37e1848495affb9bfbad543609d19e6549181e735ceb6f97b8e58faa26

SHA512
84a10cb82f1e52fbc74d074cf9d8bf761425d69fe893851d490cbf466ae647fa0cd3849ea81356a3ff1c91b67c0834ff59a6f67eddc3267c68f88667ef42fb83

Download Submit
C:\Windows\SysWOW64\TABCTL32.OCX

Filesize
218KB

MD5
dc925b6d77ba9ecb532e2f6750be943b

SHA1
f71215e701401f0dd6fe143e3a630b2e168a4fac

SHA256
d10a197fd53e65dc910ca4aed86cb674c613ff14ce6436d1a445bb27a7a499e0

SHA512
ee9c40e695a29de7e7b8a9fe1ca01ebba9a8bdc199d46d98c71a4e3ecfec566f2fc31300a5e9867e8c791b15ac3ebec076f0710e0f6eec6c3fdea3bde37ab171

Download Submit
\??\pipe\LOCAL\crashpad_1040_NBJWNKMACIHTGQWS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit