Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-es
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-es, locale:es-es, os:windows10-2004-x64, system:windows
submitted: 12/11/2024, 12:02
Static task: static1
Behavioral task: behavioral1
  Sample: 1c1d333fe2bdbda247dccc97fdd46513e39d95c8393019360e1c1597f263fa69.msi
  Resource: win7-20240729-es
Behavioral task: behavioral2
  Sample: 1c1d333fe2bdbda247dccc97fdd46513e39d95c8393019360e1c1597f263fa69.msi
  Resource: win10v2004-20241007-es
General
Target: 1c1d333fe2bdbda247dccc97fdd46513e39d95c8393019360e1c1597f263fa69.msi
Size: 1.9MB
MD5: 2e2febe11417e673b886abe428111b89
SHA1: 4d11a766e023f22058971deebf93cead7bb0ae7a
SHA256: 1c1d333fe2bdbda247dccc97fdd46513e39d95c8393019360e1c1597f263fa69
SHA512: cb7fcc2fa38d80acf9c8539efe1beaa401d0ef6a43acd0fcc95e3287fc7b25874d2219c4a4066703e3da6ba23d1b98eba87c4b0bc23ce8a02c84eec97585da36
SSDEEP: 49152:xp21z0A+biU50unDN5GQKNkyRmopy4duG/8Wea/xwu:cK3KNkomky
Malware Config
Signatures
Blocklisted process makes network request (4 IoCs)
flow | pid | Process
4 | 912 | msiexec.exe
6 | 912 | msiexec.exe
8 | 912 | msiexec.exe
9 | 912 | msiexec.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only) | Process: msiexec.exe, for each of the following 46 ioc values, in the order recorded:
\??\E:, \??\I:, \??\R:, \??\T:, \??\Y:, \??\K:, \??\R:, \??\X:, \??\O:, \??\W:, \??\I:, \??\B:, \??\M:, \??\S:, \??\T:, \??\V:, \??\W:, \??\G:, \??\A:, \??\K:, \??\M:, \??\J:, \??\X:, \??\H:, \??\O:, \??\P:, \??\Q:, \??\N:, \??\G:, \??\H:, \??\U:, \??\Y:, \??\Q:, \??\U:, \??\E:, \??\A:, \??\Z:, \??\N:, \??\L:, \??\Z:, \??\B:, \??\L:, \??\P:, \??\S:, \??\V:, \??\J:
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | MSIBD89.tmp
Drops file in Windows directory (14 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\e57b9af.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBBF0.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{D32C6FB0-8269-44B7-96EE-95947512476D} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBA57.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBBE0.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBD89.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBBB0.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBC5F.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBCAE.tmp | msiexec.exe
File created | C:\Windows\Installer\e57b9ab.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57b9ab.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
Executes dropped EXE (1 IoC)
pid | Process
1764 | MSIBD89.tmp

Loads dropped DLL (5 IoCs)
pid | Process
3864 | MsiExec.exe (5 entries)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
pid | Process
912 | msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSIBD89.tmp
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies data under HKEY_USERS (3 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Modifies registry class (20 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BF6C23D96287B4469EE5949572174D6\Version = "83886080" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BF6C23D96287B4469EE5949572174D6\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BF6C23D96287B4469EE5949572174D6\DeploymentFlags = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BF6C23D96287B4469EE5949572174D6\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BF6C23D96287B4469EE5949572174D6\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0BF6C23D96287B4469EE5949572174D6 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BF6C23D96287B4469EE5949572174D6\Language = "1033" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F2DE54A9E1A28BD4F8F813FEAEBEF3BC | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F2DE54A9E1A28BD4F8F813FEAEBEF3BC\0BF6C23D96287B4469EE5949572174D6 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BF6C23D96287B4469EE5949572174D6\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0BF6C23D96287B4469EE5949572174D6\MainFeature | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BF6C23D96287B4469EE5949572174D6\PackageCode = "E9FBA36C72B752F4ABB4D937C39A088A" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BF6C23D96287B4469EE5949572174D6\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BF6C23D96287B4469EE5949572174D6\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BF6C23D96287B4469EE5949572174D6\SourceList\PackageName = "1c1d333fe2bdbda247dccc97fdd46513e39d95c8393019360e1c1597f263fa69.msi" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BF6C23D96287B4469EE5949572174D6\Clients = 3a0000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BF6C23D96287B4469EE5949572174D6 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BF6C23D96287B4469EE5949572174D6\ProductName = "Installer" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BF6C23D96287B4469EE5949572174D6\AdvertiseFlags = "388" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0BF6C23D96287B4469EE5949572174D6\SourceList\Net | msiexec.exe
Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | Process
1064 | msiexec.exe (2 entries)
3224 | msedge.exe (2 entries)
992 | msedge.exe (2 entries)
224 | identity_helper.exe (2 entries)
1712 | msedge.exe (4 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
pid | Process
992 | msedge.exe (7 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 912 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 912 | msiexec.exe
Token: SeSecurityPrivilege | 1064 | msiexec.exe
Token: SeCreateTokenPrivilege | 912 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 912 | msiexec.exe
Token: SeLockMemoryPrivilege | 912 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 912 | msiexec.exe
Token: SeMachineAccountPrivilege | 912 | msiexec.exe
Token: SeTcbPrivilege | 912 | msiexec.exe
Token: SeSecurityPrivilege | 912 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 912 | msiexec.exe
Token: SeLoadDriverPrivilege | 912 | msiexec.exe
Token: SeSystemProfilePrivilege | 912 | msiexec.exe
Token: SeSystemtimePrivilege | 912 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 912 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 912 | msiexec.exe
Token: SeCreatePagefilePrivilege | 912 | msiexec.exe
Token: SeCreatePermanentPrivilege | 912 | msiexec.exe
Token: SeBackupPrivilege | 912 | msiexec.exe
Token: SeRestorePrivilege | 912 | msiexec.exe
Token: SeShutdownPrivilege | 912 | msiexec.exe
Token: SeDebugPrivilege | 912 | msiexec.exe
Token: SeAuditPrivilege | 912 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 912 | msiexec.exe
Token: SeChangeNotifyPrivilege | 912 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 912 | msiexec.exe
Token: SeUndockPrivilege | 912 | msiexec.exe
Token: SeSyncAgentPrivilege | 912 | msiexec.exe
Token: SeEnableDelegationPrivilege | 912 | msiexec.exe
Token: SeManageVolumePrivilege | 912 | msiexec.exe
Token: SeImpersonatePrivilege | 912 | msiexec.exe
Token: SeCreateGlobalPrivilege | 912 | msiexec.exe
Token: SeRestorePrivilege | 1064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1064 | msiexec.exe
(the last two entries alternate for PID 1064; 16 occurrences of each, 32 entries in total)
Suspicious use of FindShellTrayWindow (27 IoCs)
pid | Process
912 | msiexec.exe (2 entries)
992 | msedge.exe (25 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
992 | msedge.exe (24 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1064 wrote to memory of 3864 | 1064 | msiexec.exe | 88 (3 entries)
PID 1064 wrote to memory of 1764 | 1064 | msiexec.exe | 89 (3 entries)
PID 1764 wrote to memory of 992 | 1764 | MSIBD89.tmp | 90 (2 entries)
PID 992 wrote to memory of 1256 | 992 | msedge.exe | 91 (2 entries)
PID 992 wrote to memory of 2100 | 992 | msedge.exe | 94 (40 entries)
PID 992 wrote to memory of 3224 | 992 | msedge.exe | 95 (2 entries)
PID 992 wrote to memory of 1452 | 992 | msedge.exe | 96 (12 entries)
Processes
(process tree; indentation shows the parent/child relationship recorded by the sandbox)

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1c1d333fe2bdbda247dccc97fdd46513e39d95c8393019360e1c1597f263fa69.msi
  PID: 912
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1064
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E5573FC8560DBD10089E323A8C6197DC
      PID: 3864
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\Installer\MSIBD89.tmp
      Command line: "C:\Windows\Installer\MSIBD89.tmp" https://seekspot.io/tyy
      PID: 1764
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://seekspot.io/tyy
          PID: 992
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc861f46f8,0x7ffc861f4708,0x7ffc861f4718
              PID: 1256

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,16487389670763394819,14055560915704610022,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
              PID: 2100

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,16487389670763394819,14055560915704610022,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
              PID: 3224
              - Suspicious behavior: EnumeratesProcesses

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,16487389670763394819,14055560915704610022,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2992 /prefetch:8
              PID: 1452

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,16487389670763394819,14055560915704610022,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
              PID: 3080

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,16487389670763394819,14055560915704610022,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
              PID: 4724

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,16487389670763394819,14055560915704610022,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:1
              PID: 1724

            C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,16487389670763394819,14055560915704610022,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
              PID: 2476

            C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,16487389670763394819,14055560915704610022,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
              PID: 224
              - Suspicious behavior: EnumeratesProcesses

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,16487389670763394819,14055560915704610022,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
              PID: 3272

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,16487389670763394819,14055560915704610022,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
              PID: 456

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,16487389670763394819,14055560915704610022,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
              PID: 3764

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,16487389670763394819,14055560915704610022,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
              PID: 1244

            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,16487389670763394819,14055560915704610022,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3156 /prefetch:2
              PID: 1712
              - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4236

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1668
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 8KB
MD5: 69bfa7d2ec4d7b8bc6d96b460e8c19d4
SHA1: 0d5167e0f83f0371ca263a12e220b769d2f75239
SHA256: bd29acf71b791d7507d16e2242e892d0e538d845dcaf8eef3fa3630dffa6b23d
SHA512: 7cff411d89e8166b510ae44a15d4546dc0e58f3a5586043464530a902a51d42a8f029772d5e566c164edb4ec63ede03f66de2ba58bbb7b66a2e7d9d00c90d214

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\248DDD9FCF61002E219645695E3FFC98_8E0C0D0E410547CB370CB3621BF77118
Filesize: 727B
MD5: d6f17517eac577fb0077129a642ce42e
SHA1: 690d6def4e3e2bf9ca0b6d0c5ab10865a052e8d9
SHA256: d986adee418a35f0da2bdd1427c8d31c4ab4c08c545b7f1b3334cfb13c0fb930
SHA512: 4adc32a5c3d544f4f7f27b849b8fb33ca232e790cab7ec01f70de706bc5cb4163b934bfd793b7d996fb4c12d8572b33f8619d1cdf657e6b53022ab3f0b0abf91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize: 727B
MD5: 7e5e9912de7a985ff6257b5e3005de2c
SHA1: 3d5557f4d0ce85b5d42ae97579b154c53648c418
SHA256: ec0bdea0fcc54be0a302cac5a2513186ccd5a9e1bd9de7c8dd81ce1773141571
SHA512: a2a8e2118dcbbeeb1c208fc34ac67d78ba85bddeffe3cc81668ce2b90d8cb992b2be881ed9db2c9847cebc597558060d2cec50337cef115bc2a07773076a6e4a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\248DDD9FCF61002E219645695E3FFC98_8E0C0D0E410547CB370CB3621BF77118
Filesize: 482B
MD5: c9051e5c39db2602ad51190a36139016
SHA1: 5e2be512ad736a40c9f43a8b80ee995d94bdd0f8
SHA256: c3021a78f3a24a6f7dca71ca7bfb14d6a30d4f550ae97fdb3491cf4e50439b33
SHA512: f1fb97ef0f6563093e53fe3c2edce241d7e7b915253793e7f09b3208194be3c9f5023517228af64ed33e360646bcdaff1ba33d598c6bf7e1eaccea0571674246

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
Filesize: 478B
MD5: 443e75aa002b9a1323d5f2b055be6258
SHA1: 83796ec8b548e210eb27f7a4aac2112438d5d12c
SHA256: 01550861ec7320742e4b64fd464360721ae3e5cc56b56b411ff3cfa4bf93a439
SHA512: fd5f9bac8dc1d212b62ff2fff541d9acfe9f5c4c45c5e7a7a535d16b9b610560772129ee4acacb896e8dcfe77b627fb501e6b19c99c8b9572da00545a88be9d6

Filesize: 152B
MD5: e443ee4336fcf13c698b8ab5f3c173d0
SHA1: 9bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA256: 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512: cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Filesize: 152B
MD5: 56a4f78e21616a6e19da57228569489b
SHA1: 21bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256: d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512: c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9d2e96e7-d585-454d-82d3-6e61ef575f89.tmp
Filesize: 111B
MD5: 807419ca9a4734feaf8d8563a003b048
SHA1: a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256: aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512: f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Filesize: 825B
MD5: 487935043f2e43799fdb01c9a19c44bd
SHA1: b7d64840256d3701ed8b06ce8d4009c4fd0a14eb
SHA256: cdaccda9376e512e648633e0eea412ae9ad60b4fc4739d18538b1afa3189bd94
SHA512: 30fe0e92902b02fd08985ebac884968cecc5dbd9b3da7cf3120138144f8ec1c6bf53d27cf1200760de7621be4e6c4b31ce4cdb9bd55cbc92615961f75980541d

Filesize: 825B
MD5: e542e036d463fb5d5e5a00997c90ba06
SHA1: 550a73b1083fe47cd9621cd9a7a67017b9339fd3
SHA256: c0906966cec31596595d0786d4abdcfd13672de6c78cdea068db3445eeee53b5
SHA512: 0cd94786b54a7836f7f35d5b8e91ca60031d8630151c21993a456a82091163c43c98beaae1d24a4ca0c72c699329abbdcfc9729194abf003eb4b03dc8a48b741

Filesize: 6KB
MD5: 82c3f3242db2e86d71dc4ef6232b3189
SHA1: 8b5ed0219e9e6335923bfb60dc4b896d35a8031e
SHA256: a0c5ac0558d089b905aec48919b639415be6b500b21f6fb5f44ee4b7effd1bda
SHA512: aa9a42c765f6a39fc95cedf33464bcb14d92a994a2b09d2a98c34b72de9a1e9413e7cf829fc27799470d11eb286a16e7408c41a1056f4e46dfef52d842eb058e

Filesize: 5KB
MD5: ef83b9f0f02414e2042f6ba31e594267
SHA1: af1f7c623e4f4245f442235c7ef1185b6ff6db4b
SHA256: c40aaf32270bf2b1d44e51280258557bb6e9daed125573b8a1ade2700925cfbd
SHA512: 86d9f651c5668d507deb4f09b0902d22b1b10c70001749c21d0a5bfaa233089e5310b7cab3e151708d6186ac529399f31ed909c10657c2ff883c9ccf738a6ae4

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5: 20abbbe7be8809b93c0543189ad26b26
SHA1: bc7b31b662f5924bbc0ae5a5f253d0ff15b2ea19
SHA256: 162a39dc1220781ab0e84456747e5410fe1a9b4670ec9654b573633e73d1db29
SHA512: 1b1197b9b09ce22ab28b89597ab152ded2cd0cb4aa5c658e0aedfe3ccb2be821c2ee320c9192b4b1a7307609f769cc576f8bc511e48119487ba1aa9bca6059ce

Filesize: 10KB
MD5: af26fce36ca21819a5eaf724d9c20587
SHA1: 3509b386415fc48a317d18f31e5b031f04596a3e
SHA256: 241d0363c128e9f6cb32b1874cbf424770c1bedd45340e2257147611f32bb878
SHA512: 8568464eb34394e7427421e8bf354395ec621720478e87a7baf1b1af0d48784b0de0eb66c41fd5a74aefe0241f3857cd25c6ecac0117018157cc3abf2df58081

Filesize: 997KB
MD5: ec6ebf65fe4f361a73e473f46730e05c
SHA1: 01f946dfbf773f977af5ade7c27fffc7fe311149
SHA256: d3614d7bece53e0d408e31da7d9b0ff2f7285a7dd544c778847ed0c5ded5d52f
SHA512: e4d7aafa75d07a3071d2739d18b4c2b0a3798f754b339c349db9a6004d031bf02f3970b030cec4a5f55b4c19f03794b0ce186a303d936c222e7e6e8726fffff7

Filesize: 420KB
MD5: f6cd321fc3e815450c782c5b21e80da5
SHA1: 89cc7dea0afbcde359b651c5cef6ab42afe7153a
SHA256: 49c552ae24c05e2f5c144379de648ec604005e1d5e30fc6caec4d53828183dc5
SHA512: 63e1626ad3a5640b94a7d7dfc09d68451f054cea628e103bdacdd806eea6f2f072e25bdb17809c5d9ff95c5611598aca17317392c3a1f5952a2be61dc43e9784