Analysis
- max time kernel: 508s
- max time network: 511s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-03-2023 00:13
Behavioral task: behavioral1
- Sample: Hyper.cc_Val_External.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: Hyper.cc_Val_External.exe
- Resource: win10v2004-20230220-en
General
- Target: Hyper.cc_Val_External.exe
- Size: 3.9MB
- MD5: 8f5e1def999ae97b4b5e156b3a1cecf1
- SHA1: 5f84cfb283390e8511ed64d09b61102ce88cc965
- SHA256: ca9cf220d20db485105b83acd519f880860b5fcb9275ecc015a3f539e0a709aa
- SHA512: 58d615877ac9d7e5eca3e0c3c29fd897d8cd235f8cdadcdef262896f8d4a1a6ad9c136a05ce455750815042108cf8b3bbdbde5ee66c24496b624b820390edd4b
- SSDEEP: 98304:oM9bkr8014K68PozHw0nbFEtugxhGLBsqlUMX+QOV:oMuRB5wQkbyfiuqlOQOV
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 1 IoCs]
Processes: Hyper.cc_Val_External.exe (description / ioc / process)
- Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Hyper.cc_Val_External.exe)
-
Sets service image path in registry [2 TTPs, 20 IoCs]
Processes: Hyper.cc_Val_External.exe (description / ioc / process)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fivqTYthnEouhpSJikEwrtOt\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\fivqTYthnEouhpSJikEwrtOt" (Hyper.cc_Val_External.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\oqchWLoDaGUzHKxBKUPNrcqxh\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\oqchWLoDaGUzHKxBKUPNrcqxh" (Hyper.cc_Val_External.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bDhStADovu\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\bDhStADovu" (Hyper.cc_Val_External.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jWIOmocRfOCHYzOaLIhXJhhoxZy\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\jWIOmocRfOCHYzOaLIhXJhhoxZy" (Hyper.cc_Val_External.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\socDmkBnHbmpNhXZPDnQuIMs\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\socDmkBnHbmpNhXZPDnQuIMs" (Hyper.cc_Val_External.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\OMlMzsrODbeBqAefAYkfrGGvrJkrz\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\OMlMzsrODbeBqAefAYkfrGGvrJkrz" (Hyper.cc_Val_External.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WeFArnQrmwPaobfVFbqYcqlAaO\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\WeFArnQrmwPaobfVFbqYcqlAaO" (Hyper.cc_Val_External.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tVqxwjfwKIrLGcuamssgSPJzUxn\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\tVqxwjfwKIrLGcuamssgSPJzUxn" (Hyper.cc_Val_External.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\xIwVPHOhCT\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\xIwVPHOhCT" (Hyper.cc_Val_External.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\oBOnMMTCPZYUXQTznfKqcUtqkBGGv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\oBOnMMTCPZYUXQTznfKqcUtqkBGGv" (Hyper.cc_Val_External.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wbqbFIsXzlJBMrUqraQrNEgubGN\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\wbqbFIsXzlJBMrUqraQrNEgubGN" (Hyper.cc_Val_External.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BGEzfgbIjwXOLIYPUGtKnrzxOjVCT\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\BGEzfgbIjwXOLIYPUGtKnrzxOjVCT" (Hyper.cc_Val_External.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SrzkRQaHvlANpRiEcwNFKCR\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\SrzkRQaHvlANpRiEcwNFKCR" (Hyper.cc_Val_External.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kCOJDvyTiwGmRttkixmmZo\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\kCOJDvyTiwGmRttkixmmZo" (Hyper.cc_Val_External.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\FuKXywRtbGtbBZdowdWlGfTr\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\FuKXywRtbGtbBZdowdWlGfTr" (Hyper.cc_Val_External.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\JZXnYUAdTRIoAjZGYBzEZTmtwg\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\JZXnYUAdTRIoAjZGYBzEZTmtwg" (Hyper.cc_Val_External.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bSTYKDzcWGlnesjvZzTzDdEuVqAo\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\bSTYKDzcWGlnesjvZzTzDdEuVqAo" (Hyper.cc_Val_External.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\XxhwkbqNOQzAdJnUBWwSVRY\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\XxhwkbqNOQzAdJnUBWwSVRY" (Hyper.cc_Val_External.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\bkuUDzYxGbWMcSslduYtoNrzE\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\bkuUDzYxGbWMcSslduYtoNrzE" (Hyper.cc_Val_External.exe)
- Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\gPAldXPiqlkZSkoKGRBLGALBrQXl\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\gPAldXPiqlkZSkoKGRBLGALBrQXl" (Hyper.cc_Val_External.exe)
-
Checks BIOS information in registry [2 TTPs, 2 IoCs]
BIOS information is often read in order to detect sandboxing environments.
Processes: Hyper.cc_Val_External.exe (description / ioc / process)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Hyper.cc_Val_External.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Hyper.cc_Val_External.exe)
-
Processes: (resource / yara_rule)
- behavioral2/memory/2020-133-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp themida
- behavioral2/memory/2020-134-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp themida
- behavioral2/memory/2020-135-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp themida
- behavioral2/memory/2020-136-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp themida
- behavioral2/memory/2020-264-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp themida
- behavioral2/memory/2020-526-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp themida
- behavioral2/memory/2020-605-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp themida
-
Checks whether UAC is enabled
Processes: Hyper.cc_Val_External.exe (description / ioc / process)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Hyper.cc_Val_External.exe)
-
Legitimate hosting services abused for malware hosting/C2 [1 TTPs]
-
Suspicious use of NtSetInformationThreadHideFromDebugger [1 IoCs]
Processes: Hyper.cc_Val_External.exe (pid / process)
- 2020 Hyper.cc_Val_External.exe
-
Enumerates physical storage devices [1 TTPs]
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry [2 TTPs, 3 IoCs]
Processes: msedge.exe (description / ioc / process)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
-
Modifies registry class [1 IoCs]
Processes: msedge.exe (description / ioc / process)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)
-
Suspicious behavior: EnumeratesProcesses [4 IoCs]
Processes: msedge.exe, msedge.exe (pid / process)
- 1652 msedge.exe (2 events)
- 1376 msedge.exe (2 events)
-
Suspicious behavior: LoadsDriver [59 IoCs]
Processes: Hyper.cc_Val_External.exe (pid / process)
- 2020 Hyper.cc_Val_External.exe (59 events)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary [3 IoCs]
Processes: msedge.exe (pid / process)
- 1376 msedge.exe (3 events)
-
Suspicious use of AdjustPrivilegeToken [59 IoCs]
Processes: Hyper.cc_Val_External.exe (description / pid / process)
- Token: SeLoadDriverPrivilege 2020 Hyper.cc_Val_External.exe (59 events)
-
Suspicious use of FindShellTrayWindow [4 IoCs]
Processes: msedge.exe (pid / process)
- 1376 msedge.exe (4 events)
-
Suspicious use of WriteProcessMemory [64 IoCs]
Processes: Hyper.cc_Val_External.exe, cmd.exe, msedge.exe (description / pid / process / target process)
- PID 2020 wrote to memory of 3052: Hyper.cc_Val_External.exe -> cmd.exe (2 events)
- PID 3052 wrote to memory of 1376: cmd.exe -> msedge.exe (2 events)
- PID 1376 wrote to memory of 1236: msedge.exe -> msedge.exe (2 events)
- PID 1376 wrote to memory of 2000: msedge.exe -> msedge.exe (repeated)
- PID 1376 wrote to memory of 1652: msedge.exe -> msedge.exe (2 events)
- PID 1376 wrote to memory of 2744: msedge.exe -> msedge.exe (repeated)
The remaining 56 of the 64 events are PID 1376 (msedge.exe) writing to its child msedge.exe processes 2000 and 2744.
Processes
- C:\Users\Admin\AppData\Local\Temp\Hyper.cc_Val_External.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Hyper.cc_Val_External.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Sets service image path in registry
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c start https://discord.gg/printf
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/printf
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffa7c1346f8,0x7ffa7c134708,0x7ffa7c134718
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,3672838514425976274,2873495039050351692,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,3672838514425976274,2873495039050351692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,3672838514425976274,2873495039050351692,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3672838514425976274,2873495039050351692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3672838514425976274,2873495039050351692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,3672838514425976274,2873495039050351692,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c pause >nul 2>&1
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: cd4f5fe0fc0ab6b6df866b9bfb9dd762
  SHA1: a6aaed363cd5a7b6910e9b3296c0093b0ac94759
  SHA256: 3b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81
  SHA512: 7072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 1d40312629d09d2420e992fdb8a78c1c
  SHA1: 903950d5ba9d64ec21c9f51264272ca8dfae9540
  SHA256: 1e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac
  SHA512: a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 120B
  MD5: 39cbb01520e8b62688482d0098d1838e
  SHA1: e6642b4e66f8dc52e9a6edfac3ba5ca56670eb8c
  SHA256: 621cba8ce2d872c70c901588ca8db7cc95247c5ffc4b638b7b4a856ca211e10c
  SHA512: 6734b93fc4c5883ec243c39813b0367f7441f75feb032f91f39e76b59c2c5dcf4bf4e86ed19ca43838206be8596f951b7f48d0c04dfc398cb50cba1cb748cbef
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe569928.TMP
  Filesize: 48B
  MD5: da14904bb2afc69227d998d2f7c94d19
  SHA1: 382c48913f1e35948f636e56333c440da1205e35
  SHA256: 0dd66d5344081f257d6a48ab8d0e0fe77c684aabd63e9878374cd9da8361f541
  SHA512: cfeb8b4be52bd770b43262451c79ffd2209c22a572212a90c67d164db4658d5d375e8794069db9860f4ef2138c107ed2e96c784053fda92aca1ca5d1aa633db5
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
  Filesize: 70KB
  MD5: e5e3377341056643b0494b6842c0b544
  SHA1: d53fd8e256ec9d5cef8ef5387872e544a2df9108
  SHA256: e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
  SHA512: 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
  Filesize: 2KB
  MD5: 42f34e1cda22f4f28f2a059f007a19be
  SHA1: 7c5dc4ebe9faea51ec7670a0f479ed4024dcaa63
  SHA256: 36caab9ad01f99de49635de59fb27afb30c2d64bf24834ec0b157bcf48e60109
  SHA512: 3b2e46b57f1ef7ed56477a3ee1c35e5502ec15f77474c2cdbf1556e736335be30c5460ede58465ffb9d57f39109890c21e8b430b53928c76cef6d797ca9b3c30
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 459B
  MD5: 7d06fbf22d0809688bb53a201185d535
  SHA1: b8283f4ef3dfef3d179367dc719f6ba344d245d3
  SHA256: 262f908fc17add446dff4811f8f90b9c54716db5051e7def7529d33c1dc621a0
  SHA512: 74f70ef85880b04f252cd46d1de76a1379f5fd935d91284f3b8a02cde947564386131978bb41f30d82f076c55c0e0b75998908ae463e36f9d68999ab4714ca5c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 4KB
  MD5: b33d3471ffbfe24dd365554416570942
  SHA1: 5a8cb89b25b3d226206e4a161e08cd9210b07fec
  SHA256: f8033090e04f400180bafa129b562c7b812e7df6b466338966ba89c91cbe95b2
  SHA512: 6ce51fc01992eedd51432d34b0107771d99647c1c164d47c5db978ed5c136cdec85fea831db6cfc4453dde49e01bc7b6a11e4909bd95b7090c968d799e0f50db
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 34f69121eab0e1cd7af72021b15377df
  SHA1: 6c2a1d5fa1578663fc5f65be188cfe2da5d8d8bd
  SHA256: 3f5a660d174d7ec2ebf26142a27760645660ebf4003279d8a5612ce243504414
  SHA512: b4272797acb76e547b3529e414b36f40d77ca704053c704a51ea86824ead5020ff495b122c87e6114ba7e37cadd487dc179473bc045a5f3358247b4557d4c1c1
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
  Filesize: 24KB
  MD5: 1463bf2a54e759c40d9ad64228bf7bec
  SHA1: 2286d0ac3cfa9f9ca6c0df60699af7c49008a41f
  SHA256: 9b4fd2eea856352d8fff054b51ea5d6141a540ca253a2e4dc28839bc92cbf4df
  SHA512: 33e0c223b45acac2622790dda4b59a98344a89094c41ffdb2531d7f1c0db86a0ea4f1885fea7c696816aa4ceab46de6837cc081cd8e63e3419d9fcb8c5a0eb66
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001
  Filesize: 41B
  MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
  SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
  SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
  SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
  Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 9KB
  MD5: 2e27cab38686bea2ecfa2029267c96f7
  SHA1: 668b1db2978acd7267ca619217285841b651d368
  SHA256: 17e15b8580ee56d9503100be5773aeeaa8a20c875e38a8aeae73f040beda94f6
  SHA512: d047f0da2c3d9ee0ccc666def06511126956e88e9c46adb2fc493daa4a27e7a5938fcccce44c8a69a511c31b6bfae4beb387ca764886737b85d323ed07d406f3
- C:\Users\Admin\AppData\Local\Temp\jWIOmocRfOCHYzOaLIhXJhhoxZy
  Filesize: 33KB
  MD5: 1898ceda3247213c084f43637ef163b3
  SHA1: d04e5db5b6c848a29732bfd52029001f23c3da75
  SHA256: 4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b
  SHA512: 84c3ccc657f83725b24a20f83b87577603f580993920cc42d6da58648c6888d950fd19fbb8b404ce51a3eab674066c5cefe275763fbdb32e1ae1ba98097ab377
- \??\pipe\LOCAL\crashpad_1376_SQEQQQUFOGTYAFOT
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/2020-264-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp
  Filesize: 10.6MB
- memory/2020-133-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp
  Filesize: 10.6MB
- memory/2020-136-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp
  Filesize: 10.6MB
- memory/2020-135-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp
  Filesize: 10.6MB
- memory/2020-134-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp
  Filesize: 10.6MB
- memory/2020-526-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp
  Filesize: 10.6MB
- memory/2020-605-0x00007FF61FA70000-0x00007FF62050A000-memory.dmp
  Filesize: 10.6MB