hxxps://drive[.]google[.]com/drive/folders/1Zry70bwVx84a_nS9aYPJ6Otgueom0_KA?usp=drive_link

Resubmissions

03-12-2024 03:53

241203-efqlnsynbv 7

03-12-2024 03:48

03-12-2024 03:46

03-12-2024 03:43

03-12-2024 03:39

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1Zry70bwVx84a_nS9aYPJ6Otgueom0_KA?usp=drive_link

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
380	350 branding.exe
4892	350 branding.exe
4832	7za.exe

Loads dropped DLL 1 IoCs

pid	Process
2004	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
6	drive.google.com

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC649.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{6CE7FA83-63AC-4C55-A397-7FC88B3DC2F2}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{6CE7FA83-63AC-4C55-A397-7FC88B3DC2F2}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\e58c455.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58c455.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6CE7FA83-63AC-4C55-A397-7FC88B3DC2F2}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC744.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	350 branding.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	350 branding.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 888416.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\{627DC691-1A60-4E7B-9EE8-B02B91F35365}\350 branding.exe\:SmartScreen:$DATA	350 branding.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
372	msedge.exe
372	msedge.exe
2180	msedge.exe
2180	msedge.exe
4460	identity_helper.exe
4460	identity_helper.exe
2100	msedge.exe
2100	msedge.exe
5072	msiexec.exe
5072	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2596	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2596	MSIEXEC.EXE
Token: SeSecurityPrivilege	5072	msiexec.exe
Token: SeCreateTokenPrivilege	2596	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2596	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2596	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2596	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2596	MSIEXEC.EXE
Token: SeTcbPrivilege	2596	MSIEXEC.EXE
Token: SeSecurityPrivilege	2596	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2596	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2596	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2596	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2596	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2596	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2596	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2596	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2596	MSIEXEC.EXE
Token: SeBackupPrivilege	2596	MSIEXEC.EXE
Token: SeRestorePrivilege	2596	MSIEXEC.EXE
Token: SeShutdownPrivilege	2596	MSIEXEC.EXE
Token: SeDebugPrivilege	2596	MSIEXEC.EXE
Token: SeAuditPrivilege	2596	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2596	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2596	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2596	MSIEXEC.EXE
Token: SeUndockPrivilege	2596	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2596	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2596	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2596	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2596	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2596	MSIEXEC.EXE
Token: SeRestorePrivilege	5072	msiexec.exe
Token: SeTakeOwnershipPrivilege	5072	msiexec.exe
Token: SeRestorePrivilege	5072	msiexec.exe
Token: SeTakeOwnershipPrivilege	5072	msiexec.exe
Token: SeRestorePrivilege	5072	msiexec.exe
Token: SeTakeOwnershipPrivilege	5072	msiexec.exe
Token: SeRestorePrivilege	4832	7za.exe
Token: 35	4832	7za.exe
Token: SeSecurityPrivilege	4832	7za.exe
Token: SeSecurityPrivilege	4832	7za.exe
Token: SeRestorePrivilege	5072	msiexec.exe
Token: SeTakeOwnershipPrivilege	5072	msiexec.exe
Token: SeRestorePrivilege	5072	msiexec.exe
Token: SeTakeOwnershipPrivilege	5072	msiexec.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2596	MSIEXEC.EXE
2596	MSIEXEC.EXE

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe
2180	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 876	2180	msedge.exe	82
PID 2180 wrote to memory of 876	2180	msedge.exe	82
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 3400	2180	msedge.exe	83
PID 2180 wrote to memory of 372	2180	msedge.exe	84
PID 2180 wrote to memory of 372	2180	msedge.exe	84
PID 2180 wrote to memory of 228	2180	msedge.exe	85
PID 2180 wrote to memory of 228	2180	msedge.exe	85
PID 2180 wrote to memory of 228	2180	msedge.exe	85
PID 2180 wrote to memory of 228	2180	msedge.exe	85
PID 2180 wrote to memory of 228	2180	msedge.exe	85
PID 2180 wrote to memory of 228	2180	msedge.exe	85
PID 2180 wrote to memory of 228	2180	msedge.exe	85
PID 2180 wrote to memory of 228	2180	msedge.exe	85
PID 2180 wrote to memory of 228	2180	msedge.exe	85
PID 2180 wrote to memory of 228	2180	msedge.exe	85
PID 2180 wrote to memory of 228	2180	msedge.exe	85
PID 2180 wrote to memory of 228	2180	msedge.exe	85
PID 2180 wrote to memory of 228	2180	msedge.exe	85
PID 2180 wrote to memory of 228	2180	msedge.exe	85
PID 2180 wrote to memory of 228	2180	msedge.exe	85
PID 2180 wrote to memory of 228	2180	msedge.exe	85
PID 2180 wrote to memory of 228	2180	msedge.exe	85
PID 2180 wrote to memory of 228	2180	msedge.exe	85
PID 2180 wrote to memory of 228	2180	msedge.exe	85
PID 2180 wrote to memory of 228	2180	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/drive/folders/1Zry70bwVx84a_nS9aYPJ6Otgueom0_KA?usp=drive_link
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84ce646f8,0x7ff84ce64708,0x7ff84ce64718
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,13093994852245285649,12907999395818869074,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,13093994852245285649,12907999395818869074,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,13093994852245285649,12907999395818869074,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13093994852245285649,12907999395818869074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13093994852245285649,12907999395818869074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13093994852245285649,12907999395818869074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,13093994852245285649,12907999395818869074,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,13093994852245285649,12907999395818869074,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13093994852245285649,12907999395818869074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13093994852245285649,12907999395818869074,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13093994852245285649,12907999395818869074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13093994852245285649,12907999395818869074,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,13093994852245285649,12907999395818869074,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,13093994852245285649,12907999395818869074,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2168,13093994852245285649,12907999395818869074,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,13093994852245285649,12907999395818869074,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2100
- C:\Users\Admin\Downloads\350 branding.exe
  "C:\Users\Admin\Downloads\350 branding.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:380
- - C:\Users\Admin\AppData\Local\Temp\{627DC691-1A60-4E7B-9EE8-B02B91F35365}\350 branding.exe
    "C:\Users\Admin\AppData\Local\Temp\{627DC691-1A60-4E7B-9EE8-B02B91F35365}\350 branding.exe" /q"C:\Users\Admin\Downloads\350 branding.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{627DC691-1A60-4E7B-9EE8-B02B91F35365}" /IS_temp
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4892
  - - C:\Windows\SysWOW64\MSIEXEC.EXE
      "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{627DC691-1A60-4E7B-9EE8-B02B91F35365}\data.msi" SETUPEXEDIR="C:\Users\Admin\Downloads" SETUPEXENAME="350 branding.exe"
      4⤵
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2596
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\system32\explorer.exe
      4⤵
      PID:372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2428

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D7CCA0E5807B621C38F9DD1F6DD131F7
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2004
- C:\Users\Admin\AppData\Local\Temp\7za.exe
  "C:\Users\Admin\AppData\Local\Temp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\\data.7z" -o"C:\users\admin\desktop\railworks\" -aoa
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58c456.rbs

Filesize
1KB

MD5
7c1ed9fd2328f30593b0814f825d5b79

SHA1
666546bd44b170c1599228b8743bfef99f35a3c1

SHA256
2ae8ce8c22db1ec00244b681544c2355aca1d59631169c9ad0e02138408e8532

SHA512
2fcc9ec0139ce2800bbaa3a946cc8e0c71a5add66f82edfa1090e7a9e921c5c0f1e4781c11418c7ed09190631394b7d0fdaf0942a19f2f1b495f8d5fbbe8ffa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\174c57f7-2123-4361-964f-250ca16df6f2.tmp

Filesize
1KB

MD5
f8ca07b502ac572d1171bfd18dfb6e89

SHA1
498857b7db8331c35fd74c5b242a989f8cc94acf

SHA256
25ac3d08bfda01cf66504573fe4653fb27f06d565b3abdc34aee4f9b928f93fb

SHA512
18889141ce71bb30dfe3abeacaac83cc9be29587f92a825d6aa756e5134fda8d8f6bd1c88c5fd2822f7d10ea78dbb399ee0d4c08da5f0f25eaf46119c1806584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
32KB

MD5
1f76396a01f9b997d149642fa19395bd

SHA1
f26dd69ff0c45d7fcd9553f0cc5caeaf5410cffe

SHA256
c519c5d085e60c32c52df7706f00daddd219415a5aa2c45d2d7d9dad1e5ac849

SHA512
0153e322815e320bbb18042488bffc0bd7a7c6c063c9919284086496c58865e4da89b3606c0f58e1b7c0a07380dddb2e2a59f967966868c21c26670c215064c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
800a1d6ae71a11e2df376a7604c53008

SHA1
9896393a8a1d10089dfeed88dfb28bf940208ffb

SHA256
b096fd1766ee582e33d6d48d96bcbeb25a05c53a4c267f98bcb2eba34ed3dd8e

SHA512
8bc3a0eb3ce6a564ab35278180f696a7ee3a792883a0525d80883c875f5a12710a1b83ddd5bf211860f2ec73eb4858851b88e981e52ea96d4cfbb5aaa154b5d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
608342f275984345e1c56921112ef69b

SHA1
cc2ff9c5d7b1fece5eecc642b7ae77e30101ec1e

SHA256
72111399473e69d637fc284bf1af41b140909a1ee0b3236c37ba5c59b906bd34

SHA512
42c8e6c25aff1b710aebc99ed7af58a96a0399785b9d987295023219b1111c569a5b40fb0f9d12e28d6b8d2f9d39ed0e97b2db796764083b974eea80315778e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
094318928da6a6ef0456f738ee71f297

SHA1
4cc15d093b916d320eb9c7800798723ebe346da6

SHA256
e11559889e74969c3f023360ec7a831e2b88de4bb794b385ca357e6e47fc4e4f

SHA512
3d873570346ed0106a74e0819267bca0d3ed2721e968efcfc8fa6288c156ecee0b4502faa5c99a0e47f5673f2389e67710877022cf037990463c829744005bf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
72f43e93f86c50a2eeeef2d6aeb642a0

SHA1
f140d9e02e33e7649b1e950926058da61caef63f

SHA256
19f6031b8ef99fbb64295abe5ffcd978d034d984cf3a40cd8f0bf1d9c4ec97d6

SHA512
47c41b9a1a86f7d7044b91cb2efc48ce7c9a3df9c653614e7a37868e83f3dbb284dcd9f6ca9bd81a44896a58d4315915aec144fd3b2926e9f1ed647cffbc1535

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
74541a38631532aa408ec03fef7c526f

SHA1
26c60d0b5739a13c865b186fa6135595910fa965

SHA256
f671c23cca8606fdbf3c2fa1bdc956f107459df6189d86f76a675ee89c291846

SHA512
6a2b54b92d87f06ca539312520862860e8eebb6832f2764c90755fc0ad2f427f94e58aae50083af8025a922152686bd4f4e5daca1074d8bbcd4c141bc8b56807

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
32ce8f3406cc6b117d318e927120dbeb

SHA1
61d630d0213bc4e85a1132e2b6c5feac2c2ad561

SHA256
3b79d155b8cf1d749c69490acc234bdea321a4acd66a1e7059ec3447f428f2cc

SHA512
2c6673a222dda009c502a1834e71dfaddb88da5d99fd059778ffeaaae18c936c1f4ce8928aa4f34b1dbcd6220f33192678abaf5d183496857af5551def3fc7d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5803a5.TMP

Filesize
1KB

MD5
33b734396fe1ff021b2f02d343d63b43

SHA1
ff179815dc479fa8ecad0ef2af84ca41bea1146d

SHA256
a12741244ff35212654b6cdc6e481f647b112825ee342fc31a606b41ec870b81

SHA512
b69a8c745ddce9c7ae5e301a1dd97c178c1be419fd271b2c4eba6e22e89c34347c26f2e4f808db3f843247618255d2012ad4e4b02fc6f602d6b7cfed576d3c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e3571099d9a9c72d6b69b8727b01f0d1

SHA1
019e50520360f12e7766eab18224177f07f4b971

SHA256
46c41fd49d25942cd09c95753bb98d01f875e94873c1a286e61f446937c9995c

SHA512
6087d84149afa2ca35bc9d32311945156595c87a114f28012918f00d088d033448a9a96cf7f68a148954575bc514e71767baa1addb2f991e9121594627e84bd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
804c7b6566711a91a4b87c0524dbafa2

SHA1
598a5e91eeef571e5f10c0913694e689389e462f

SHA256
f79b1228c38c9f97104c293bd2fb53f6cc42b71c0f53f3fb60f5bf86b28e5622

SHA512
fd09036fdb1f26e61390606459ef0f63d8839a3aebdb714f7f1c387521f292c68168abc33700cfa7ab8e325804b18bd8d2ad91dd4276f80cdc89cfea7f22842f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
73ec78d97cc1ce4c86588e5240a5c6b7

SHA1
a07d48d6a65a88b1a8585ec3718c4adfdc339858

SHA256
348b7d21671ae21c162f87ff4627834d6bced7a7e7a73c7c889ba71d48531bed

SHA512
b33d86be7c82d68f05ec19d2cc0962b2ab1976dc1b26158b54da8b0bb42b33cf35d268c3dad1c5c8e23193f0032d4648203bf949ab684c2963761bdc3bc7cbba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
721KB

MD5
2395868a72bfe1fd5e888b679faab621

SHA1
7ab01a1e3b0ae8a0e59ff586a6777b78dbe67750

SHA256
8e679f87ba503f3dfad96266ca79de7bfe3092dc6a58c0fe0438f7d4b19f0bbd

SHA512
369b487da9dae83cdaf98ee45c056fc847a5f50585979638d9d8e8ba8511a31267307d885fd40399bf4c22461f82c60f6298bd7e31402e12bfebd0621b131222

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.7z

Filesize
14.3MB

MD5
ebb43c234a0b2a44e50aa03eed185902

SHA1
15a1d27bb4ce66b7689ac94335105af6485c9eb9

SHA256
4052bb2606efe65a27cf4852eae9b6a161ab0fac751510049c9489523e15ad19

SHA512
560ae8c72f9c6177d79e605a406b5484bbf09b4aca866d501c76f505fd480e9b62167f7ba7fece774efa8d5f8ad8af8a96c0ac1d4d9ba7ac1f55cdd94caf43ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\{627DC691-1A60-4E7B-9EE8-B02B91F35365}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{627DC691-1A60-4E7B-9EE8-B02B91F35365}\Setup.INI

Filesize
5KB

MD5
e2673d89773160516736acaa98f7af5a

SHA1
e428598b356634a06eff3fe78cbde0d85dd9a039

SHA256
70282acc6724ea2a30dad0b1e1e74e19966bea26d06a9e17259fde190ecc71b6

SHA512
c08a8add48ae6fe16f42e87e58edbea5affe086c5b9b22ea1f0c8348c5099069a5ccb901ce01a926b6663c10e28a87215eae710be15c03aab74394ca55315cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\{627DC691-1A60-4E7B-9EE8-B02B91F35365}\_ISMSIDEL.INI

Filesize
620B

MD5
0ff95f40c67a17af99cace058f7f11eb

SHA1
d9981b51fb82646902287774ce62d87a3fe0836f

SHA256
604a3c4c8cf3c408ed5c1f994e7e8f9f5ac81329dc7dedf115330e0dd11b42d1

SHA512
640a6e63bb2146e86105f6decf1dfc816f21e0a21fd1ecd8a336dedff89976f07ed89ce63aea455add1b60b691386ae146c7fd1a1e22a3eb7b5677985aefb486

Download Submit
C:\Users\Admin\AppData\Local\Temp\{627DC691-1A60-4E7B-9EE8-B02B91F35365}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{627DC691-1A60-4E7B-9EE8-B02B91F35365}\data.msi

Filesize
15.7MB

MD5
2fc814505b900f5f5cfa381976a47eee

SHA1
af6b86fdddc8806a89bb636d2b8723bc6bccae16

SHA256
39307fea39b9fcaa57588549a704e80f01d4690dfa41f352bd39ebcbf4dc7484

SHA512
109c47ac33d2bb902c347ad8415527cdeda449ef0af696a6e5aa7740110c2ef3b8b03004ce7f676c3664a096f40f520d50655342356b0fcd72b5155f63f12367

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 888416.crdownload

Filesize
16.1MB

MD5
1ac13a423e747fd30b7aa38d89c9ec39

SHA1
7a77365101ece11d647168e352bb7ffbf90e0bb2

SHA256
ab8178e0964efd4cba81940f68219b5586eab1780aec69e17242636ff043e972

SHA512
b222c9b5a1d81a5b4fed1c28f5929139f9843ba23269db02268cbad11ce600053f566f987cd60470cdd464bcbf48ee06d98a3c69bd02449d4f8c6e4d7fbe4633

Download Submit
C:\Windows\Installer\MSIC649.tmp

Filesize
105KB

MD5
547edaedf124ec8848d8625fe3045bd9

SHA1
d6b69020ceaf0ad6eacab9b4f228f67c3023b423

SHA256
182eae16a648e6de8c45ea5b433b0035e257ac7e51e43f9b1afe7968e01f8a27

SHA512
74b34b9a7602513dfc6352917fd41678057a5bc0b8b3047cfd680582a76168d4dd9f160c6fa8ab7b37133bf8a81a8328cfddd50bbabf59b84defdbc8efbb6a4a

Download Submit