sality | 9d7d86f4acd808e65a749bc0ddc76246a8ae66ff2cc380430bb36dc3a6efdf9b

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 02:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9841a7fce9f90cb0bbdbefbb7033bc25.exe
Size

840KB
MD5

9841a7fce9f90cb0bbdbefbb7033bc25
SHA1

91386adecf08037670b94a41eceebfe2d2134ee9
SHA256

9d7d86f4acd808e65a749bc0ddc76246a8ae66ff2cc380430bb36dc3a6efdf9b
SHA512

61a3080585cae93ae592d1ab082bb7ed2350de3ac4a726f854b42d0243ccf9c1498592a57d9495fd4c62519a72e8f73d56b258f87f1ada800ebcb59d8401db8b
SSDEEP

24576:NQMJx4YqqEAMjDbYp2rJTr8muA/vmt3I84ZASPzB:NQjbqdsDbJrJTr8u/vmnoASt

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9841a7fce9f90cb0bbdbefbb7033bc25.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	9841a7fce9f90cb0bbdbefbb7033bc25.exe

Executes dropped EXE 1 IoCs

pid	Process
3916	pxinstall562.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1232-0-0x0000000000400000-0x00000000004E2000-memory.dmp	upx
behavioral2/memory/1232-1-0x00000000023A0000-0x00000000033D0000-memory.dmp	upx
behavioral2/memory/1232-3-0x00000000023A0000-0x00000000033D0000-memory.dmp	upx
behavioral2/memory/1232-8-0x00000000023A0000-0x00000000033D0000-memory.dmp	upx
behavioral2/memory/1232-49-0x0000000000400000-0x00000000004E2000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9841a7fce9f90cb0bbdbefbb7033bc25.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	9841a7fce9f90cb0bbdbefbb7033bc25.exe
File opened for modification	C:\Windows\wininit.ini	9841a7fce9f90cb0bbdbefbb7033bc25.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
3916	pxinstall562.exe
3916	pxinstall562.exe
556	msedge.exe
556	msedge.exe
2440	msedge.exe
2440	msedge.exe
1504	identity_helper.exe
1504	identity_helper.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe
60	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe
Token: SeDebugPrivilege	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3916	pxinstall562.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 772	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe	2
PID 1232 wrote to memory of 776	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe	14
PID 1232 wrote to memory of 316	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe	3
PID 1232 wrote to memory of 2660	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe	47
PID 1232 wrote to memory of 2700	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe	44
PID 1232 wrote to memory of 2752	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe	45
PID 1232 wrote to memory of 3524	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe	56
PID 1232 wrote to memory of 3648	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe	57
PID 1232 wrote to memory of 3832	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe	58
PID 1232 wrote to memory of 3944	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe	59
PID 1232 wrote to memory of 4008	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe	60
PID 1232 wrote to memory of 4088	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe	61
PID 1232 wrote to memory of 1720	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe	62
PID 1232 wrote to memory of 2844	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe	74
PID 1232 wrote to memory of 1104	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe	75
PID 1232 wrote to memory of 3916	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe	83
PID 1232 wrote to memory of 3916	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe	83
PID 1232 wrote to memory of 3916	1232	9841a7fce9f90cb0bbdbefbb7033bc25.exe	83
PID 3916 wrote to memory of 2440	3916	pxinstall562.exe	88
PID 3916 wrote to memory of 2440	3916	pxinstall562.exe	88
PID 2440 wrote to memory of 3096	2440	msedge.exe	89
PID 2440 wrote to memory of 3096	2440	msedge.exe	89
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 1628	2440	msedge.exe	91
PID 2440 wrote to memory of 556	2440	msedge.exe	90
PID 2440 wrote to memory of 556	2440	msedge.exe	90

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	9841a7fce9f90cb0bbdbefbb7033bc25.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:772

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:316

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2700

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2752

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2660

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\9841a7fce9f90cb0bbdbefbb7033bc25.exe
  "C:\Users\Admin\AppData\Local\Temp\9841a7fce9f90cb0bbdbefbb7033bc25.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1232
- - C:\Users\Admin\AppData\Local\Temp\pxinstall562.exe
    "C:\Users\Admin\AppData\Local\Temp\pxinstall562.exe" /prop PRIORITY=Y /prop INSTSHELL=Y /prop INSTNAME="9841a7fce9f90cb0bbdbefbb7033bc25.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.prevx.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5ae346f8,0x7ffe5ae34708,0x7ffe5ae34718
        5⤵
        
        PID:3096
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,8557529368398739128,3295993300567059494,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:556
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,8557529368398739128,3295993300567059494,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
        5⤵
        
        PID:1628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,8557529368398739128,3295993300567059494,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
        5⤵
        
        PID:2244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8557529368398739128,3295993300567059494,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
        5⤵
        
        PID:2412
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8557529368398739128,3295993300567059494,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
        5⤵
        
        PID:1276
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8557529368398739128,3295993300567059494,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
        5⤵
        
        PID:4272
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,8557529368398739128,3295993300567059494,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
        5⤵
        
        PID:2840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,8557529368398739128,3295993300567059494,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8557529368398739128,3295993300567059494,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
        5⤵
        
        PID:1884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8557529368398739128,3295993300567059494,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
        5⤵
        
        PID:4836
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8557529368398739128,3295993300567059494,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
        5⤵
        
        PID:448
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,8557529368398739128,3295993300567059494,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
        5⤵
        
        PID:2892
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,8557529368398739128,3295993300567059494,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5192 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:60

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3648

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3832

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3944

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4008

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4088

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1720

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2844

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\PrevxCSI\csidb.csi

Filesize
33KB

MD5
6eb7b55ebff65243d6b3320ac6d043a8

SHA1
02a0fc4d99f3db3415a1ce63846c164f90e76062

SHA256
45084dea1366ceff22ae5ffc2a721dc63dee0971eaf5f2ab4dd9af1442af2fe0

SHA512
15b44f76fb82e0074bdda6db175acd45fafed7a5509765fb024d2b40bff23c972fb10b7f411b8b387daadac247dc0016a096a9b669c32b695ee0b6f591ae189b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e71d66ce903fcba6050e4b99b624fa7

SHA1
139d274762405b422eab698da8cc85f405922de5

SHA256
53b34e24e3fbb6a7f473192fc4dec2ae668974494f5636f0359b6ca27d7c65e3

SHA512
17e2f1400000dd6c54c8dc067b31bcb0a3111e44a9d2c5c779f484a51ada92d88f5b6e6847270faae8ff881117b7ceaaf8dfe9df427cbb8d9449ceacd0480388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
fb53d84c639c8a1c7a35fd7ed3553ffd

SHA1
cec69007516270b3db64c0e152dbc67499e75833

SHA256
149fe8502c5232eae8df63dd5996448bdc524446d59d00c46a35f8cbea0b6271

SHA512
c0ab7ba8e3de05c6f679a1903be5f02ca1164b5bb6886c963223d1276212426044f2c6026bfe67c06d92d8d7fd66e1993811ce99e861b51b39be1ef56b887ca4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a86d2f3fbffc6c6c30cb81aeec567ebe

SHA1
b502a355aba15bc3f91f3c90a54679a3f43403ef

SHA256
9e02affd9397d4f85f1abebb849b1086e92b71565c0463ff5405416b544dc006

SHA512
1b493b7f0889729d7a76a03ca85cfb9a77e3934a0252efefbe66854a57d894678134338c6725e464cacc60815d4eb90d5643413d6125bad45917fd756d80b803

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7eda10e82749643d23f58afa01dcad6f

SHA1
6fc40cfeee198ec48a4bfb56531db707b1a8ca0f

SHA256
e7a0a0e8ec10e5f3957de1c59accbbef2b97e5ee9ca78ed73903e1bc9fa96db5

SHA512
363f237ad20c8e5592c6de3a616ec1fc9b0dcbacc191c7690731f95e43fd9c09ab5c973cb2dd82a288fda957925ca9cdf64c6f00621dc0f6d42ac4919ed83f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3955fcc67c6644529f431aed27aca4a2

SHA1
e93e6990a4617b2be5d043f667446585f890baff

SHA256
246a73f562218e1cf9923c3c42d7ff15df9caaa58f0e857448e19428867407f6

SHA512
ed52906099f10769d42ed2e98c0b8640342b45ef6f6a6efb04eaf41c0bc4254fe7c89c1db3f5cad223214172854c9d5d9da9d682f00612fb9579770c3f36b1de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
1b1b142e24215f033793d1311e24f6e6

SHA1
74e23cffbf03f3f0c430e6f4481e740c55a48587

SHA256
3dca3ec65d1f4109c6b66a1a47b2477afaf8d15306a523f297283da0eccbe8b1

SHA512
a569385710e3a0dc0d6366476c457927a847a2b2298c839e423c485f7dcce2468a58d20133f6dc81913056fb579957e67f63cf1e20b910d61816210447cd1f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cafcf4b8037aaabbd94c09f5998596e3

SHA1
4854784305fb1106a745a6ff82faaaf4496ad638

SHA256
97308c300baa00f89c991d229395f57ef27075daf7bd07cbe2bcbd8ea42ffa5f

SHA512
e11c6223645907d8c2043a86dd0c2fed1608808200cc6b7d4f4601369bd3f8075b3f3c6110435372118ba20a08ae04ba923a0081e434fabfb9125e0e1da7626b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxinstall562.exe

Filesize
4.2MB

MD5
63b2db8f585e465e032889981e97ad2e

SHA1
472566b8ac2089352404b3faf0843abeda778d94

SHA256
dc8d37707eb5b5d7b1c099281d44d7c8ffabdb5492a4a4a7755bb3018c6b7d21

SHA512
f98ed37e7633f14ca408680c486ba0216a9607f863c75b5c9acf689efe85e67350a3fd6321e1c2625912f884afcb29b5b503493bf899d2c0fdf5c74a83105fe0

Download Submit
memory/1232-9-0x0000000003530000-0x0000000003532000-memory.dmp

Filesize
8KB

Download
memory/1232-49-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1232-29-0x0000000003530000-0x0000000003532000-memory.dmp

Filesize
8KB

Download
memory/1232-12-0x0000000003530000-0x0000000003532000-memory.dmp

Filesize
8KB

Download
memory/1232-0-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/1232-8-0x00000000023A0000-0x00000000033D0000-memory.dmp

Filesize
16.2MB

Download
memory/1232-10-0x0000000003E00000-0x0000000003E01000-memory.dmp

Filesize
4KB

Download
memory/1232-3-0x00000000023A0000-0x00000000033D0000-memory.dmp

Filesize
16.2MB

Download
memory/1232-1-0x00000000023A0000-0x00000000033D0000-memory.dmp

Filesize
16.2MB

Download