hxxps://vx-underground[.]org/Archive/Builders

Resubmissions

25-02-2024 21:16

240225-z4wg2sdb5v 10

25-02-2024 21:10

240225-z1fmesda5y 1

Analysis

max time kernel
329s
max time network
330s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25-02-2024 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://vx-underground.org/Archive/Builders

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3924	msedge.exe
3924	msedge.exe
6120	msedge.exe
6120	msedge.exe
5628	identity_helper.exe
5628	identity_helper.exe
1680	msedge.exe
1680	msedge.exe
5332	msedge.exe
5332	msedge.exe
5332	msedge.exe
5332	msedge.exe
4288	msedge.exe
4288	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	5772	7zFM.exe
Token: 35	5772	7zFM.exe
Token: SeSecurityPrivilege	5772	7zFM.exe
Token: SeRestorePrivilege	5484	7zFM.exe
Token: 35	5484	7zFM.exe
Token: SeRestorePrivilege	1368	7zFM.exe
Token: 35	1368	7zFM.exe
Token: SeSecurityPrivilege	1368	7zFM.exe
Token: SeRestorePrivilege	1756	7zFM.exe
Token: 35	1756	7zFM.exe
Token: SeRestorePrivilege	2736	7zFM.exe
Token: 35	2736	7zFM.exe
Token: SeRestorePrivilege	3536	7zFM.exe
Token: 35	3536	7zFM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe
6120	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
404	OpenWith.exe
404	OpenWith.exe
404	OpenWith.exe
404	OpenWith.exe
404	OpenWith.exe
404	OpenWith.exe
404	OpenWith.exe
404	OpenWith.exe
404	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 6120 wrote to memory of 1240	6120	msedge.exe	73
PID 6120 wrote to memory of 1240	6120	msedge.exe	73
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 5208	6120	msedge.exe	88
PID 6120 wrote to memory of 3924	6120	msedge.exe	89
PID 6120 wrote to memory of 3924	6120	msedge.exe	89
PID 6120 wrote to memory of 2892	6120	msedge.exe	90
PID 6120 wrote to memory of 2892	6120	msedge.exe	90
PID 6120 wrote to memory of 2892	6120	msedge.exe	90
PID 6120 wrote to memory of 2892	6120	msedge.exe	90
PID 6120 wrote to memory of 2892	6120	msedge.exe	90
PID 6120 wrote to memory of 2892	6120	msedge.exe	90
PID 6120 wrote to memory of 2892	6120	msedge.exe	90
PID 6120 wrote to memory of 2892	6120	msedge.exe	90
PID 6120 wrote to memory of 2892	6120	msedge.exe	90
PID 6120 wrote to memory of 2892	6120	msedge.exe	90
PID 6120 wrote to memory of 2892	6120	msedge.exe	90
PID 6120 wrote to memory of 2892	6120	msedge.exe	90
PID 6120 wrote to memory of 2892	6120	msedge.exe	90
PID 6120 wrote to memory of 2892	6120	msedge.exe	90
PID 6120 wrote to memory of 2892	6120	msedge.exe	90
PID 6120 wrote to memory of 2892	6120	msedge.exe	90
PID 6120 wrote to memory of 2892	6120	msedge.exe	90
PID 6120 wrote to memory of 2892	6120	msedge.exe	90
PID 6120 wrote to memory of 2892	6120	msedge.exe	90
PID 6120 wrote to memory of 2892	6120	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://vx-underground.org/Archive/Builders
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff884d046f8,0x7ff884d04708,0x7ff884d04718
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,6344854788615689223,4931465986679799977,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,6344854788615689223,4931465986679799977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,6344854788615689223,4931465986679799977,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6344854788615689223,4931465986679799977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6344854788615689223,4931465986679799977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,6344854788615689223,4931465986679799977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,6344854788615689223,4931465986679799977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6344854788615689223,4931465986679799977,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6344854788615689223,4931465986679799977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
  2⤵
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6344854788615689223,4931465986679799977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6344854788615689223,4931465986679799977,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6344854788615689223,4931465986679799977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,6344854788615689223,4931465986679799977,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,6344854788615689223,4931465986679799977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3192 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,6344854788615689223,4931465986679799977,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5184 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6344854788615689223,4931465986679799977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6344854788615689223,4931465986679799977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1400 /prefetch:1
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6344854788615689223,4931465986679799977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6344854788615689223,4931465986679799977,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,6344854788615689223,4931465986679799977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6572 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5732

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3344

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\UnknownCheats Vulnerable Driver Collection.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5772

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\UnknownCheats Vulnerable Driver Collection\VulnerableDriverInfo.txt
1⤵
PID:3612

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\UnknownCheats Vulnerable Driver Collection\VulnerableDrivers.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5484

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:404

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e189354a800c436e6cec7c07e6c0feea

SHA1
5c84fbda33c9276736ff3cb01d30ff34b032f781

SHA256
826adca1e688de79a3ec5b91c75990927fb2a33ae717f474608c68336053f427

SHA512
ceb069a5e83a634503e253846fa17b8bf7aaa539c3353ce61251633d69068e24c5eadd1b496f43058790d2b513e65d2c0b0213730813d0b58bb82a00596e05e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9e3e150cfe464e9ebf0a6db1aa5e7a2

SHA1
3cb184e2781c07ac000661bf82e3857a83601813

SHA256
2325a6292907263d1fb089a09f22fbcc6bad56f4961d427efdef1abaef097bcc

SHA512
f5eb1e76eb9441cf5000d8d4db9296077b61714ead5012779c084b37f4bba07614055738f5dce69b13b25975d9b7c03eab049b7685eee09b23fd8d4a7d71a039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
e94422e2c5077fc2e409096058468baf

SHA1
6524ed988e5882e0813d50d52fa3d14d00c735e6

SHA256
1dbd4e890b6f7f02538ab3d3b1aa6e20a12fc3f0c9c8cb3a2c1460d090b06abe

SHA512
15e8c5cbac894520bccb68e0f68e032d3a4f1cc4dfd382692c57a243783b60c11de7996ca47870dde3ee42bca4bbd7f48fc227e177e4fafe7b5a35b549b07b3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
ae65c0763337308a5f398763bf069033

SHA1
e1a3693cb15333bc7e7ab3ddfdacd97fc0bf6313

SHA256
aea516d68a9c6b485dbd62d02d73c8dd928757d973a0872a3f005e67287392e7

SHA512
52d7fb431bc6d853df08d27fe2ed1df5842410826ef251c7c6dbf655d263758311d66f1f7913d572cee22f02db9edda320497683651fccd951d361fc2fe473fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
91d86cb594665980d2bad021d0e0a3c7

SHA1
c96a2fc7e9d8a712fe740d1e66550122281695a7

SHA256
2f5a6d0d598cc105ee487391f3bb5a65adc60b819648804cd8855dc4eb666cea

SHA512
5897fee800133a8832e288979a4a13b61e329811e03a4d978bd50f98f4a39bf0400e1f708e2b497230ff463c1a10b848f46284599d7a64b98ace47d0ba30613b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5521bfeb86096e350b5b57a7f76b4665

SHA1
5aba2da34f86af7d17448483ede90f4ca53f88ad

SHA256
f53481069d263a0742509ae425c67ed113ea0ed32accc4bdde9f7247bbe32389

SHA512
e5b494bee879c7d3dd3c6b1fcea953b7e549eddf971cabe875f16d5e3ec5ffb5aa6efeb5b3e0afa0a3d9f5d0387809e1627b5dabba1d94be260ce822866fe74a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
11004a7ffc08652681baab220f2db52f

SHA1
7d1fcb22983029a8ee91095c74aa02f59220fb86

SHA256
611d434aac55fe21e1c19966214dc9438b1b09117777eac5d60ba1e8d78866ac

SHA512
b8e71aa8bb076fa0679a1da6194b5b4d5e55136acb00ba1ae3f1cbc1ada68c527c2204851c952c9d626c2c1338b0c7a263cbeaa77b1b840eb68cf0372a8b84d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
51dbb814c38c86873499f1e4038d5529

SHA1
54501c32811a7aefd1678d6fe0768096ad87533f

SHA256
5a95d50bf75f9974befc1dc94ea18dbfef06da65f2005ea2ff6ebd9bcdb65a07

SHA512
ee1c0368ca572e1219eb8f2cdf8832cdd4e0119f4827365030477650c19f369eaab3b61ad64bfdce53dacd0e923c7dc88da411cda888d8fdd680ffdce0ecfbca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
708fe66ed05f45abbfd7e14f71debc92

SHA1
c80d8e01fbfa69f16807109ac3ad222fbe02b6c1

SHA256
990ff5869f4b28c45a994abfc9e44718c131d34b2050388874702b10a0f50e39

SHA512
78e84a942f36aea9d9fc61f7c50f1d9ef494908b9c2cc9bb3dfb49d6ac167b097e094e15bf44ceb890a35c6eeff95f1465ba9135b49496b538295a04448423ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c04eee3e1d4b96310e90da5cc91bec87

SHA1
d2cee96ee297024841c615b2a2e3f382c0ba7068

SHA256
4ae06281146b2890bea8a673d83ef91d7b9703e4a42b7b65445aceb2683c37d6

SHA512
6d43ca91e2cf0c310ec87e066f989426db346971a33e171b9cd3ccfe16f034411c23a618554a41ec770a5f94029fe90fd7107df3b943ec2c69f42420499db156

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
49d7bebc62870f4816740365a37e07dc

SHA1
9898fc8bfa0c4371bf0c05b13ee84b17a2cd81a2

SHA256
03b188df8e5124dc7f19879993220d2bbf2e997c65053733176bb177e287a544

SHA512
929713a5e42b0f34e9e6caecc2dba4c4697a3d613118db0a0e9abdcf81cf74058dafaa08c5bee437bfd8c34b69db76b7a8f05a82fc6415e61a5b3f4bac0af0b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1a9b6e28e873ee90f25ec5515a841e2b

SHA1
6729bda6f46af9743b8ddcbe6c1680fd095b2e21

SHA256
9fbdeebd6c2045b428ee4b6146296ca93d50404799469d7d6c675fa621b40be4

SHA512
3b7484e0532a751295eefa9af2d5bee6f56acc235aa76815227d4eaddc08739b241755170bc85c294e5c4dd7aee279b909380579614b561bcb03b7ede3a21ab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9c6d75a6d0442f86fd86ed6e25b8e442

SHA1
497db02ee0d0c642e92769b7d3f905be8964cb55

SHA256
73b4d96cb2722bbf1743ae4cc481717ae6506dc2925d39a2c4638fc2a7611828

SHA512
b2ded32ad6a36d416ab8b02bc21c91e1cac67e97af4a3f68e98902efefcb1cf1eac7aba2ea6a600d8137964f16ce535adb3951289f4ac299b7ded58e048f9768

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d92f21c688cad6aa8aaa967e8cd6c834

SHA1
b7f4601b44769617184adf216ad74b58e2c68431

SHA256
145a961cb87f70daaaed263b41664ca96bfd4ec4a40eae0bdf17fd408ae0de2e

SHA512
42482a570d2727b5dcec150bf0859684782f18d69853d121795661158d7da7f9bc59f4a9731eae65bd0426f5d918351a3d7d76b2ed6101332c9276c26bb139a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2d2a8dcf7517f7d526b94b5ef6e25320

SHA1
0a5e5aa5de79138807022667f8bad12735d326f8

SHA256
30d4d5359240f0d97324393d5909290533256d88260d37ab908d037c5e773af5

SHA512
4ba8014098b85c7bcfb87062a4ebc55cd6f750015cc2047bd8b9c33d87adfb2f60b50bb460bfb600710901ce310418cf7f92f073a8956d10cfdb21a67f3b49f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1d1ac33c04e8686c9b775b6933006041

SHA1
a652a93f48f9d56b18a1c516ff4ac02ba30e2ba8

SHA256
28f1f938fb1aac6aba70d1ce94613ed152513e1e6e0bfd215aa5f9bff5988036

SHA512
4aad975dc3bc581cbbeae4872c63cf12f1cf783c71a0774224d72745116fa106e37749b64941983c2df230bdbb581040e19159e1e94e388fcaec7b3b06518e21

Download Submit
C:\Users\Admin\Desktop\05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f

Filesize
1.4MB

MD5
0ada88218b67a313a4f5ab0062fbc4e6

SHA1
15dfcef932d666fdc7501bcee357ec2aabfcfdee

SHA256
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f

SHA512
0b217e5aa8b17d347dbb05507cb5cf179328aad593fb65a8083ca8c300de4901eb55e6c8e971ce3280f50ceefd327332cfafde0280e09044d8da1dc8e20a49ed

Download Submit
C:\Users\Admin\Desktop\UnknownCheats Vulnerable Driver Collection\VulnerableDriverInfo.txt

Filesize
29KB

MD5
7f6ae2944df5901b7a0458ef6348934b

SHA1
fbb6585a92df524b4192daa91b1b2497fba84e65

SHA256
e9081d0ddfbc2b2b9dcf42a766ba816969183e0eb98c3b114fceb8e4e1dda6b1

SHA512
b1df29096a4796482c900db15d58a56d7517c3de631dcb7157302d769aafbddfd6f98e057f2d1512851a1131387905336cbb3b6e72c43acaea06983fb7024b00

Download Submit
C:\Users\Admin\Desktop\UnknownCheats Vulnerable Driver Collection\VulnerableDrivers.7z

Filesize
260KB

MD5
762a8e3195ecd485cfa97c69bd6fd554

SHA1
f30cf1ada5a47e982790d7babd38dfc81706e424

SHA256
a5634841de1921bd1aa3e9f89bdd1d386f5d444a01c78af24aff2bd72462706d

SHA512
2cfe389b4cbb3afa1c1b8141d753fe3f343540750f58d52c4b510563d8fd92bc65c24104da0a062cb9a1778298229d52f42d0594f308932397304d8a9aaba567

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 120769.crdownload

Filesize
1.2MB

MD5
013caa3728c07cc3ed34ccf41429852e

SHA1
7abfe5c8947e19b27f7cc144d9b0a875fb5c4b40

SHA256
cb884ee98c0ef162a728d7a14594124c2fb9e0db4f03a0d0b82dcffe431b6dc2

SHA512
7d91f446041de97e2de1cf7dbb8690b8660706ac88695d58f3ed9f59e35580ecf9de085355d662e0e734ebc494f7f2219364539823f4d80466745fd1f7107b53

Download Submit
C:\Users\Admin\Downloads\UnknownCheats Vulnerable Driver Collection.7z

Filesize
269KB

MD5
b3d180abfb8e1528fb829719242c94fe

SHA1
bbb3c9c0161ac0c58114bceba68ad88b1253c5b3

SHA256
c7b506ba567d68c80eeed84ca33170609dd3f5b1c05a658910bda6fc4feb9277

SHA512
7007edb60f655ba3b44b224c344fddd07631d80a14c0e0159273ed518ba435aed15e4a2200b707d67bd2bc92cc41d1412ea6e49de659db632db2ac2e1b967767

Download Submit