ca9cf220d20db485105b83acd519f880860b5fcb9275ecc015a3f539e0a709aa

Analysis

max time kernel
508s
max time network
511s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 00:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hyper.cc_Val_External.exe
Size

3.9MB
MD5

8f5e1def999ae97b4b5e156b3a1cecf1
SHA1

5f84cfb283390e8511ed64d09b61102ce88cc965
SHA256

ca9cf220d20db485105b83acd519f880860b5fcb9275ecc015a3f539e0a709aa
SHA512

58d615877ac9d7e5eca3e0c3c29fd897d8cd235f8cdadcdef262896f8d4a1a6ad9c136a05ce455750815042108cf8b3bbdbde5ee66c24496b624b820390edd4b
SSDEEP

98304:oM9bkr8014K68PozHw0nbFEtugxhGLBsqlUMX+QOV:oMuRB5wQkbyfiuqlOQOV

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Hyper.cc_Val_External.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Hyper.cc_Val_External.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Hyper.cc_Val_External.exe

Sets service image path in registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Hyper.cc_Val_External.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fivqTYthnEouhpSJikEwrtOt\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\fivqTYthnEouhpSJikEwrtOt"	Hyper.cc_Val_External.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\oqchWLoDaGUzHKxBKUPNrcqxh\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\oqchWLoDaGUzHKxBKUPNrcqxh"	Hyper.cc_Val_External.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bDhStADovu\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\bDhStADovu"	Hyper.cc_Val_External.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jWIOmocRfOCHYzOaLIhXJhhoxZy\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\jWIOmocRfOCHYzOaLIhXJhhoxZy"	Hyper.cc_Val_External.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\socDmkBnHbmpNhXZPDnQuIMs\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\socDmkBnHbmpNhXZPDnQuIMs"	Hyper.cc_Val_External.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\OMlMzsrODbeBqAefAYkfrGGvrJkrz\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\OMlMzsrODbeBqAefAYkfrGGvrJkrz"	Hyper.cc_Val_External.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WeFArnQrmwPaobfVFbqYcqlAaO\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\WeFArnQrmwPaobfVFbqYcqlAaO"	Hyper.cc_Val_External.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tVqxwjfwKIrLGcuamssgSPJzUxn\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\tVqxwjfwKIrLGcuamssgSPJzUxn"	Hyper.cc_Val_External.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\xIwVPHOhCT\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\xIwVPHOhCT"	Hyper.cc_Val_External.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\oBOnMMTCPZYUXQTznfKqcUtqkBGGv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\oBOnMMTCPZYUXQTznfKqcUtqkBGGv"	Hyper.cc_Val_External.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wbqbFIsXzlJBMrUqraQrNEgubGN\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\wbqbFIsXzlJBMrUqraQrNEgubGN"	Hyper.cc_Val_External.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BGEzfgbIjwXOLIYPUGtKnrzxOjVCT\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\BGEzfgbIjwXOLIYPUGtKnrzxOjVCT"	Hyper.cc_Val_External.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SrzkRQaHvlANpRiEcwNFKCR\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\SrzkRQaHvlANpRiEcwNFKCR"	Hyper.cc_Val_External.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kCOJDvyTiwGmRttkixmmZo\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\kCOJDvyTiwGmRttkixmmZo"	Hyper.cc_Val_External.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FuKXywRtbGtbBZdowdWlGfTr\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\FuKXywRtbGtbBZdowdWlGfTr"	Hyper.cc_Val_External.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\JZXnYUAdTRIoAjZGYBzEZTmtwg\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\JZXnYUAdTRIoAjZGYBzEZTmtwg"	Hyper.cc_Val_External.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bSTYKDzcWGlnesjvZzTzDdEuVqAo\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\bSTYKDzcWGlnesjvZzTzDdEuVqAo"	Hyper.cc_Val_External.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\XxhwkbqNOQzAdJnUBWwSVRY\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\XxhwkbqNOQzAdJnUBWwSVRY"	Hyper.cc_Val_External.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bkuUDzYxGbWMcSslduYtoNrzE\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\bkuUDzYxGbWMcSslduYtoNrzE"	Hyper.cc_Val_External.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\gPAldXPiqlkZSkoKGRBLGALBrQXl\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\gPAldXPiqlkZSkoKGRBLGALBrQXl"	Hyper.cc_Val_External.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Hyper.cc_Val_External.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Hyper.cc_Val_External.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Hyper.cc_Val_External.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2020-133-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp	themida
behavioral2/memory/2020-134-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp	themida
behavioral2/memory/2020-135-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp	themida
behavioral2/memory/2020-136-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp	themida
behavioral2/memory/2020-264-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp	themida
behavioral2/memory/2020-526-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp	themida
behavioral2/memory/2020-605-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Hyper.cc_Val_External.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Hyper.cc_Val_External.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Hyper.cc_Val_External.exe

pid process

2020 Hyper.cc_Val_External.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Hyper.cc_Val_External.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

1652 msedge.exe
1652 msedge.exe
1376 msedge.exe
1376 msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
1652	msedge.exe
1652	msedge.exe
1376	msedge.exe
1376	msedge.exe

Suspicious behavior: LoadsDriver 59 IoCs

Processes:

Hyper.cc_Val_External.exe

pid	process
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe
2020	Hyper.cc_Val_External.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

1376 msedge.exe
1376 msedge.exe
1376 msedge.exe

pid	process
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

Hyper.cc_Val_External.exe

description	pid	process
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe
Token: SeLoadDriverPrivilege	2020	Hyper.cc_Val_External.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msedge.exe

pid process

1376 msedge.exe
1376 msedge.exe
1376 msedge.exe
1376 msedge.exe

pid	process
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Hyper.cc_Val_External.execmd.exemsedge.exe

description	pid	process	target process
PID 2020 wrote to memory of 3052	2020	Hyper.cc_Val_External.exe	cmd.exe
PID 2020 wrote to memory of 3052	2020	Hyper.cc_Val_External.exe	cmd.exe
PID 3052 wrote to memory of 1376	3052	cmd.exe	msedge.exe
PID 3052 wrote to memory of 1376	3052	cmd.exe	msedge.exe
PID 1376 wrote to memory of 1236	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 1236	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2000	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 1652	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 1652	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2744	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2744	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2744	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2744	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2744	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2744	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2744	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2744	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2744	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2744	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2744	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2744	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2744	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2744	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2744	1376	msedge.exe	msedge.exe
PID 1376 wrote to memory of 2744	1376	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Hyper.cc_Val_External.exe
"C:\Users\Admin\AppData\Local\Temp\Hyper.cc_Val_External.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Sets service image path in registry
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start https://discord.gg/printf
2⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/printf
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffa7c1346f8,0x7ffa7c134708,0x7ffa7c134718
4⤵
PID:1236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,3672838514425976274,2873495039050351692,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
4⤵
PID:2000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,3672838514425976274,2873495039050351692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,3672838514425976274,2873495039050351692,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
4⤵
PID:2744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3672838514425976274,2873495039050351692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
4⤵
PID:564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3672838514425976274,2873495039050351692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
4⤵
PID:3000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3672838514425976274,2873495039050351692,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
4⤵
PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause >nul 2>&1
2⤵
PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
cd4f5fe0fc0ab6b6df866b9bfb9dd762

SHA1
a6aaed363cd5a7b6910e9b3296c0093b0ac94759

SHA256
3b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81

SHA512
7072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1d40312629d09d2420e992fdb8a78c1c

SHA1
903950d5ba9d64ec21c9f51264272ca8dfae9540

SHA256
1e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac

SHA512
a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
120B

MD5
39cbb01520e8b62688482d0098d1838e

SHA1
e6642b4e66f8dc52e9a6edfac3ba5ca56670eb8c

SHA256
621cba8ce2d872c70c901588ca8db7cc95247c5ffc4b638b7b4a856ca211e10c

SHA512
6734b93fc4c5883ec243c39813b0367f7441f75feb032f91f39e76b59c2c5dcf4bf4e86ed19ca43838206be8596f951b7f48d0c04dfc398cb50cba1cb748cbef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe569928.TMP
Filesize
48B

MD5
da14904bb2afc69227d998d2f7c94d19

SHA1
382c48913f1e35948f636e56333c440da1205e35

SHA256
0dd66d5344081f257d6a48ab8d0e0fe77c684aabd63e9878374cd9da8361f541

SHA512
cfeb8b4be52bd770b43262451c79ffd2209c22a572212a90c67d164db4658d5d375e8794069db9860f4ef2138c107ed2e96c784053fda92aca1ca5d1aa633db5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
42f34e1cda22f4f28f2a059f007a19be

SHA1
7c5dc4ebe9faea51ec7670a0f479ed4024dcaa63

SHA256
36caab9ad01f99de49635de59fb27afb30c2d64bf24834ec0b157bcf48e60109

SHA512
3b2e46b57f1ef7ed56477a3ee1c35e5502ec15f77474c2cdbf1556e736335be30c5460ede58465ffb9d57f39109890c21e8b430b53928c76cef6d797ca9b3c30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
459B

MD5
7d06fbf22d0809688bb53a201185d535

SHA1
b8283f4ef3dfef3d179367dc719f6ba344d245d3

SHA256
262f908fc17add446dff4811f8f90b9c54716db5051e7def7529d33c1dc621a0

SHA512
74f70ef85880b04f252cd46d1de76a1379f5fd935d91284f3b8a02cde947564386131978bb41f30d82f076c55c0e0b75998908ae463e36f9d68999ab4714ca5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
b33d3471ffbfe24dd365554416570942

SHA1
5a8cb89b25b3d226206e4a161e08cd9210b07fec

SHA256
f8033090e04f400180bafa129b562c7b812e7df6b466338966ba89c91cbe95b2

SHA512
6ce51fc01992eedd51432d34b0107771d99647c1c164d47c5db978ed5c136cdec85fea831db6cfc4453dde49e01bc7b6a11e4909bd95b7090c968d799e0f50db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
34f69121eab0e1cd7af72021b15377df

SHA1
6c2a1d5fa1578663fc5f65be188cfe2da5d8d8bd

SHA256
3f5a660d174d7ec2ebf26142a27760645660ebf4003279d8a5612ce243504414

SHA512
b4272797acb76e547b3529e414b36f40d77ca704053c704a51ea86824ead5020ff495b122c87e6114ba7e37cadd487dc179473bc045a5f3358247b4557d4c1c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
1463bf2a54e759c40d9ad64228bf7bec

SHA1
2286d0ac3cfa9f9ca6c0df60699af7c49008a41f

SHA256
9b4fd2eea856352d8fff054b51ea5d6141a540ca253a2e4dc28839bc92cbf4df

SHA512
33e0c223b45acac2622790dda4b59a98344a89094c41ffdb2531d7f1c0db86a0ea4f1885fea7c696816aa4ceab46de6837cc081cd8e63e3419d9fcb8c5a0eb66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
2e27cab38686bea2ecfa2029267c96f7

SHA1
668b1db2978acd7267ca619217285841b651d368

SHA256
17e15b8580ee56d9503100be5773aeeaa8a20c875e38a8aeae73f040beda94f6

SHA512
d047f0da2c3d9ee0ccc666def06511126956e88e9c46adb2fc493daa4a27e7a5938fcccce44c8a69a511c31b6bfae4beb387ca764886737b85d323ed07d406f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jWIOmocRfOCHYzOaLIhXJhhoxZy
Filesize
33KB

MD5
1898ceda3247213c084f43637ef163b3

SHA1
d04e5db5b6c848a29732bfd52029001f23c3da75

SHA256
4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b

SHA512
84c3ccc657f83725b24a20f83b87577603f580993920cc42d6da58648c6888d950fd19fbb8b404ce51a3eab674066c5cefe275763fbdb32e1ae1ba98097ab377

Download Submit
\??\pipe\LOCAL\crashpad_1376_SQEQQQUFOGTYAFOT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2020-264-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp

Filesize
10.6MB

Download
memory/2020-133-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp

Filesize
10.6MB

Download
memory/2020-136-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp

Filesize
10.6MB

Download
memory/2020-135-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp

Filesize
10.6MB

Download
memory/2020-134-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp

Filesize
10.6MB

Download
memory/2020-526-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp

Filesize
10.6MB

Download
memory/2020-605-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp

Filesize
10.6MB

Download