hxxps://drive[.]google[.]com/drive/folders/1Zry70bwVx84a_nS9aYPJ6Otgueom0_KA?usp=drive_link

Resubmissions

03-12-2024 03:53

241203-efqlnsynbv 7

03-12-2024 03:48

03-12-2024 03:46

03-12-2024 03:43

03-12-2024 03:39

Analysis

max time kernel
70s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1Zry70bwVx84a_nS9aYPJ6Otgueom0_KA?usp=drive_link

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4544	350 branding torrent.exe
848	350 branding torrent.exe
2012	7za.exe

Loads dropped DLL 1 IoCs

pid	Process
1104	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	drive.google.com
16	drive.google.com

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e589277.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI95D3.tmp	msiexec.exe
File created	C:\Windows\Installer\{6CE7FA83-63AC-4C55-A397-7FC88B3DC2F2}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\e589277.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6CE7FA83-63AC-4C55-A397-7FC88B3DC2F2}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI943C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{6CE7FA83-63AC-4C55-A397-7FC88B3DC2F2}\ARPPRODUCTICON.exe	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	350 branding torrent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	350 branding torrent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 276162.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\{9A4B10E1-2E2E-4088-898F-F714D0B54244}\350 branding torrent.exe\:SmartScreen:$DATA	350 branding torrent.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
992	msedge.exe
992	msedge.exe
720	msedge.exe
720	msedge.exe
3304	identity_helper.exe
3304	identity_helper.exe
2836	msedge.exe
2836	msedge.exe
2436	msiexec.exe
2436	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2248	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2248	MSIEXEC.EXE
Token: SeSecurityPrivilege	2436	msiexec.exe
Token: SeCreateTokenPrivilege	2248	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2248	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2248	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2248	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2248	MSIEXEC.EXE
Token: SeTcbPrivilege	2248	MSIEXEC.EXE
Token: SeSecurityPrivilege	2248	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2248	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2248	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2248	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2248	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2248	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2248	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2248	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2248	MSIEXEC.EXE
Token: SeBackupPrivilege	2248	MSIEXEC.EXE
Token: SeRestorePrivilege	2248	MSIEXEC.EXE
Token: SeShutdownPrivilege	2248	MSIEXEC.EXE
Token: SeDebugPrivilege	2248	MSIEXEC.EXE
Token: SeAuditPrivilege	2248	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2248	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2248	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2248	MSIEXEC.EXE
Token: SeUndockPrivilege	2248	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2248	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2248	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2248	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2248	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2248	MSIEXEC.EXE
Token: SeRestorePrivilege	2436	msiexec.exe
Token: SeTakeOwnershipPrivilege	2436	msiexec.exe
Token: SeRestorePrivilege	2436	msiexec.exe
Token: SeTakeOwnershipPrivilege	2436	msiexec.exe
Token: SeRestorePrivilege	2436	msiexec.exe
Token: SeTakeOwnershipPrivilege	2436	msiexec.exe
Token: SeRestorePrivilege	2012	7za.exe
Token: 35	2012	7za.exe
Token: SeSecurityPrivilege	2012	7za.exe
Token: SeSecurityPrivilege	2012	7za.exe
Token: SeRestorePrivilege	2436	msiexec.exe
Token: SeTakeOwnershipPrivilege	2436	msiexec.exe
Token: SeRestorePrivilege	2436	msiexec.exe
Token: SeTakeOwnershipPrivilege	2436	msiexec.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
2248	MSIEXEC.EXE
2248	MSIEXEC.EXE

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe
720	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 720 wrote to memory of 4936	720	msedge.exe	83
PID 720 wrote to memory of 4936	720	msedge.exe	83
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 3992	720	msedge.exe	84
PID 720 wrote to memory of 992	720	msedge.exe	85
PID 720 wrote to memory of 992	720	msedge.exe	85
PID 720 wrote to memory of 4792	720	msedge.exe	86
PID 720 wrote to memory of 4792	720	msedge.exe	86
PID 720 wrote to memory of 4792	720	msedge.exe	86
PID 720 wrote to memory of 4792	720	msedge.exe	86
PID 720 wrote to memory of 4792	720	msedge.exe	86
PID 720 wrote to memory of 4792	720	msedge.exe	86
PID 720 wrote to memory of 4792	720	msedge.exe	86
PID 720 wrote to memory of 4792	720	msedge.exe	86
PID 720 wrote to memory of 4792	720	msedge.exe	86
PID 720 wrote to memory of 4792	720	msedge.exe	86
PID 720 wrote to memory of 4792	720	msedge.exe	86
PID 720 wrote to memory of 4792	720	msedge.exe	86
PID 720 wrote to memory of 4792	720	msedge.exe	86
PID 720 wrote to memory of 4792	720	msedge.exe	86
PID 720 wrote to memory of 4792	720	msedge.exe	86
PID 720 wrote to memory of 4792	720	msedge.exe	86
PID 720 wrote to memory of 4792	720	msedge.exe	86
PID 720 wrote to memory of 4792	720	msedge.exe	86
PID 720 wrote to memory of 4792	720	msedge.exe	86
PID 720 wrote to memory of 4792	720	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/drive/folders/1Zry70bwVx84a_nS9aYPJ6Otgueom0_KA?usp=drive_link
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f78846f8,0x7ff9f7884708,0x7ff9f7884718
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,2139186940835460909,8908342669977010258,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,2139186940835460909,8908342669977010258,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,2139186940835460909,8908342669977010258,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2139186940835460909,8908342669977010258,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2139186940835460909,8908342669977010258,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2139186940835460909,8908342669977010258,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,2139186940835460909,8908342669977010258,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,2139186940835460909,8908342669977010258,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2139186940835460909,8908342669977010258,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2139186940835460909,8908342669977010258,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2139186940835460909,8908342669977010258,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2139186940835460909,8908342669977010258,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2139186940835460909,8908342669977010258,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2036,2139186940835460909,8908342669977010258,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5768 /prefetch:8
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2036,2139186940835460909,8908342669977010258,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6132 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,2139186940835460909,8908342669977010258,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2836
- C:\Users\Admin\Downloads\350 branding torrent.exe
  "C:\Users\Admin\Downloads\350 branding torrent.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\{9A4B10E1-2E2E-4088-898F-F714D0B54244}\350 branding torrent.exe
    "C:\Users\Admin\AppData\Local\Temp\{9A4B10E1-2E2E-4088-898F-F714D0B54244}\350 branding torrent.exe" /q"C:\Users\Admin\Downloads\350 branding torrent.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{9A4B10E1-2E2E-4088-898F-F714D0B54244}" /IS_temp
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:848
  - - C:\Windows\SysWOW64\MSIEXEC.EXE
      "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{9B09620D-D297-4FAF-B426-09ACEEEC9C34}\data.msi" SETUPEXEDIR="C:\Users\Admin\Downloads" SETUPEXENAME="350 branding torrent.exe"
      4⤵
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2248
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\system32\explorer.exe
      4⤵
      PID:116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5024

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2436
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2A9499006CE711FA068C97791CF178BB
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1104
- C:\Users\Admin\AppData\Local\Temp\7za.exe
  "C:\Users\Admin\AppData\Local\Temp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\\data.7z" -o"C:\users\admin\desktop\railworks\" -aoa
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e589278.rbs

Filesize
1KB

MD5
795131b437b5c6b1041893516d3e2853

SHA1
434a62d490ce86c798dbeb112046426c13ba841b

SHA256
939cc7f8cd18f7f4d7c0aca8a19396ccb109ce228edd7121c52d988a83031cc1

SHA512
f107ca51639c999a76c59aedf028bf8e26f35173fa16b9cbe14d77a7fa016ff1df44572d5364ad2a137f417173dbe212c918825bee94c7fee50529179da58bf1

Download Submit
C:\Users\Admin\AppData\Local\Downloaded Installations\{9B09620D-D297-4FAF-B426-09ACEEEC9C34}\data.msi

Filesize
15.7MB

MD5
bf66ad0cd364e8bf991f49b0eac30482

SHA1
cb0426542db42bd1ebf801d5765bdebccdabf267

SHA256
2ca254c8e273b62a97cd4beb97444c553bdde6f719934512d0160a50cfbb1247

SHA512
99530295b536bcf2151445907581551ef2895da1dde25fe4db44d580efee18224227786c9b0781963c0d74876df6423fb8ad705bc3f435952dbbb9377bc776da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5ce913c2-f8ce-431e-89cd-586b01789188.tmp

Filesize
6KB

MD5
aa766e5ca31cb01659852597ad833965

SHA1
dd577e38180af7fb51bf6cb283b893e10245f5df

SHA256
b4f63527d81efcb3d171c8fb4620118fc5e6436ff03875c938820d27155cbfae

SHA512
d9435e965e963646bdfdc714f71033c17942d1e21bc63d139acccba76f1c22c0b1ca53cfe44d7c51d016aeffe9cafd690819fbfc657ba26d7a56c1fd221cfb70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
32KB

MD5
1f76396a01f9b997d149642fa19395bd

SHA1
f26dd69ff0c45d7fcd9553f0cc5caeaf5410cffe

SHA256
c519c5d085e60c32c52df7706f00daddd219415a5aa2c45d2d7d9dad1e5ac849

SHA512
0153e322815e320bbb18042488bffc0bd7a7c6c063c9919284086496c58865e4da89b3606c0f58e1b7c0a07380dddb2e2a59f967966868c21c26670c215064c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
03cd9c889bf09da01ecb35ce20d63e78

SHA1
4b48ead642c08b174c93d7bd148ae42ffc3c6d31

SHA256
7dca8e026805178ffab77727fb8c05860c31f1f2ed775f23f3d0faa8684c89e0

SHA512
8a61811dfa63d6b1ced02b5c3e5ca74eb6bb05739c2cd1d4ca8c056827eb1fc13d4e6a8a27d3f63f01e52eff2283353f2a0c3505562166b50f29461e61560797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
8ae111cd6c28e96fbe04055b2bab3d24

SHA1
6fc2826c4e24c043a336d60265591d22993d7819

SHA256
d218690114c45396f1c09f5753ec421df66e2c0d38d79c0394b616d52e6c34b5

SHA512
22b04ea3fbb20708a54bb63a501f3853581f1f77eee3945e003c95b34146c171702ebf665a0ca4fa9be585019a155ab6c6d7e510ca93d0bb9a186b90eb66aa82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a60d1e198f4fb8ff757b739d192bf563

SHA1
6b5b3dc2b81ddd055d6e87fd47dec63c3be20b38

SHA256
b3d2d43c53a374db7330d39a416f07163cd10946f8c9b300e8a26b9c23286890

SHA512
c34fcb3ed5489c68088ec11b986b2e612085efb82e62473dcc4d98d29dabf1474225b77dc47569efb273dd4bfc1c1adde94f3826896446f1f2ce910de9801979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f4e9367234a093af10af7e0a451161a7

SHA1
adbacf4f3bdb661cbdd121eb462144ce867b4514

SHA256
363330c7faf72b612885be683e25f52ab96c3e63faea72e48127df0db33b1342

SHA512
2fc94527b8e510f21c6aef3047b6675bf05f9ad0ff1c7f79e5c4c16a7c49dc0dfe898d5d9b2d3eae51feee222900087a916f3d1dd3ff3bea82914cc661fe8689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9665874074d2863f85ea0864f952a6b9

SHA1
c5a55ccd6396315925eaec93cfce6888e1bdc140

SHA256
55df3133f55ea36ea7e0385d576de155298c6b2a493094c7b52ec76990817951

SHA512
fe21cc519c93f31c3ae03a4866114245c5a63b2edd6873ea2640abbcccf481c077f97c4b08494d33eaa8c332d267cdb58e8a783c23c466b8cd94e728743c2d72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f8b06fb03dca5893b94106a931314034

SHA1
3cf0980fbfd5edd5bb73d59578fa468823d78037

SHA256
7d3ac13164d71473fe2e5ac19cb2514fe9ce579fb05fabd49ef1ac064c29bab5

SHA512
36aeb2ffa2f1eb79cf27e15486b871bc9ba6700cca5cb52c7a855b11323c0be220e3e3f27707d60180b3bf1134d55525ef2d29944e2f274fd5cf3dc21763f464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0a7e0bf331e1ce4be477edae1dcdae2d

SHA1
37a0a1cf18525e43a4df72ecfdf61dcdd9ff4131

SHA256
6a26d778a02d8a53bf6dffb3b79451ebc11b2a23ef7207e2590879c0aaf75a68

SHA512
516fe92a28dce755a45c5c93b6239188e43400f191387cfc1fcfcdfed25cc739142f1f6bcc6b14458282515b85a4f2d2cdefe14bacfac75f34bd55092d4eafe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
721KB

MD5
2395868a72bfe1fd5e888b679faab621

SHA1
7ab01a1e3b0ae8a0e59ff586a6777b78dbe67750

SHA256
8e679f87ba503f3dfad96266ca79de7bfe3092dc6a58c0fe0438f7d4b19f0bbd

SHA512
369b487da9dae83cdaf98ee45c056fc847a5f50585979638d9d8e8ba8511a31267307d885fd40399bf4c22461f82c60f6298bd7e31402e12bfebd0621b131222

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.7z

Filesize
14.3MB

MD5
ebb43c234a0b2a44e50aa03eed185902

SHA1
15a1d27bb4ce66b7689ac94335105af6485c9eb9

SHA256
4052bb2606efe65a27cf4852eae9b6a161ab0fac751510049c9489523e15ad19

SHA512
560ae8c72f9c6177d79e605a406b5484bbf09b4aca866d501c76f505fd480e9b62167f7ba7fece774efa8d5f8ad8af8a96c0ac1d4d9ba7ac1f55cdd94caf43ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9A4B10E1-2E2E-4088-898F-F714D0B54244}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9A4B10E1-2E2E-4088-898F-F714D0B54244}\Setup.INI

Filesize
5KB

MD5
7e33c79f13d863c3289f60957eaac2a4

SHA1
926d01314231cba7b0370eaca9c6e300a805ceeb

SHA256
a40e2aba0c134831fba4a37c5486faeca36fe34e7db9ce9248dd05326562f25f

SHA512
bdec4b5890307fbd72b3736f552b5d448f1ed6e8f740161d0a773a19df521adb7d69d579c466388b06f33cd1d181c76b89ffbbd2b5777183d6686421a874fc95

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9A4B10E1-2E2E-4088-898F-F714D0B54244}\_ISMSIDEL.INI

Filesize
652B

MD5
fbc5a2aad95cad887e729e061b292672

SHA1
f520a3e7fa16278ef0df9af7dbd0e01bfbe79c40

SHA256
721c1f5174456c5adf7d36ef6e07b668b5c2f4f768907d3d8a50a30f981a762e

SHA512
2b1dcfcd881108e453e856aaeeb939ee9b6d7f84abdc4ea2d46bdec8529dac69a930e7817e83523117374aee64bb860082e12ea850d270ecf5c439f2f942c352

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9A4B10E1-2E2E-4088-898F-F714D0B54244}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 276162.crdownload

Filesize
16.1MB

MD5
f9aa49d727481846ef5864275980ab6a

SHA1
600e6bc1eb813f55e7f519ea92a7f8c92aa21bc0

SHA256
5ec498a357ef6c5eacedbd199990935465d5c842c4d8fa103203b2c8941ec860

SHA512
78d71079b8548e06d72968d37fe4b4ae0ba682b8433cfed45e2d4eef291a810a3b28ccff04d1f152b72c4b79f38076abc3f9c74000ea885e71198d0c1560b988

Download Submit
C:\Windows\Installer\MSI943C.tmp

Filesize
105KB

MD5
547edaedf124ec8848d8625fe3045bd9

SHA1
d6b69020ceaf0ad6eacab9b4f228f67c3023b423

SHA256
182eae16a648e6de8c45ea5b433b0035e257ac7e51e43f9b1afe7968e01f8a27

SHA512
74b34b9a7602513dfc6352917fd41678057a5bc0b8b3047cfd680582a76168d4dd9f160c6fa8ab7b37133bf8a81a8328cfddd50bbabf59b84defdbc8efbb6a4a

Download Submit