2208dc3c8ca0aa3456e5f562b8f338be4bdc5270a488a9e44e5c4f6a972a792d

Resubmissions

26/04/2024, 16:04

240426-thygmafb72 9

26/04/2024, 15:39

240426-s3w9mafe8t 9

26/04/2024, 15:06

240426-sg9mtseb45 9

Analysis

max time kernel
600s
max time network
593s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IP.exe
Size

20.2MB
MD5

e72253d9c42192ba62b5e2552bbfbca4
SHA1

065af9ed0ec5d6d4b40c6dcf76e847b98b2572d2
SHA256

2208dc3c8ca0aa3456e5f562b8f338be4bdc5270a488a9e44e5c4f6a972a792d
SHA512

155879bbc185ce9df1b62f9ff9e0147cf99d5514004e92b8812bcec76783ad958dfaaf73ed6ddca99f2b942605a3b0a07156e12a1342241ad780d178a5074f4f
SSDEEP

393216:Ha5opL76qeFJ/KqbG1scz01nJr0dUMv3htIVCiOV82RqYBof8IuQK9CpBiz6:H5aJ/iFar09tIVCHR5ofKwpBQ6

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	IP.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unsecapp.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unsecapp.exe

Executes dropped EXE 1 IoCs

pid	Process
1444	unsecapp.exe

Themida packer 58 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1300-0-0x00007FF627020000-0x00007FF628ED7000-memory.dmp	themida
behavioral1/memory/1300-2-0x00007FF627020000-0x00007FF628ED7000-memory.dmp	themida
behavioral1/memory/1300-3-0x00007FF627020000-0x00007FF628ED7000-memory.dmp	themida
behavioral1/memory/1300-4-0x00007FF627020000-0x00007FF628ED7000-memory.dmp	themida
behavioral1/memory/1300-5-0x00007FF627020000-0x00007FF628ED7000-memory.dmp	themida
behavioral1/memory/1300-6-0x00007FF627020000-0x00007FF628ED7000-memory.dmp	themida
behavioral1/memory/1300-7-0x00007FF627020000-0x00007FF628ED7000-memory.dmp	themida
behavioral1/memory/1300-8-0x00007FF627020000-0x00007FF628ED7000-memory.dmp	themida
behavioral1/memory/1300-9-0x00007FF627020000-0x00007FF628ED7000-memory.dmp	themida
behavioral1/files/0x0007000000023454-20.dat	themida
behavioral1/memory/1444-30-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-33-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-31-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-32-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-34-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-36-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-37-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-35-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1300-38-0x00007FF627020000-0x00007FF628ED7000-memory.dmp	themida
behavioral1/memory/1444-40-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-41-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-42-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-43-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-44-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-45-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-46-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-60-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-61-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-62-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-63-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-64-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-65-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-98-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-153-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-176-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-191-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-210-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-220-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-229-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-248-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-254-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-255-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-256-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-257-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-260-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-263-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-264-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-274-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-275-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-276-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-277-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-278-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-279-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-280-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-281-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-282-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-283-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida
behavioral1/memory/1444-284-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	IP.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe

AutoIT Executable 53 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1300-3-0x00007FF627020000-0x00007FF628ED7000-memory.dmp	autoit_exe
behavioral1/memory/1300-4-0x00007FF627020000-0x00007FF628ED7000-memory.dmp	autoit_exe
behavioral1/memory/1300-5-0x00007FF627020000-0x00007FF628ED7000-memory.dmp	autoit_exe
behavioral1/memory/1300-6-0x00007FF627020000-0x00007FF628ED7000-memory.dmp	autoit_exe
behavioral1/memory/1300-7-0x00007FF627020000-0x00007FF628ED7000-memory.dmp	autoit_exe
behavioral1/memory/1300-8-0x00007FF627020000-0x00007FF628ED7000-memory.dmp	autoit_exe
behavioral1/memory/1300-9-0x00007FF627020000-0x00007FF628ED7000-memory.dmp	autoit_exe
behavioral1/memory/1444-33-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-32-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-34-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-36-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-37-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-35-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1300-38-0x00007FF627020000-0x00007FF628ED7000-memory.dmp	autoit_exe
behavioral1/memory/1444-40-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-41-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-42-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-43-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-44-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-45-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-46-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-60-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-61-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-62-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-63-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-64-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-65-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-98-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-153-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-176-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-191-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-210-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-220-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-229-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-248-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-254-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-255-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-256-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-257-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-260-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-263-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-264-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-274-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-275-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-276-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-277-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-278-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-279-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-280-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-281-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-282-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-283-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe
behavioral1/memory/1444-284-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp	autoit_exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\unsecapp.exe	IP.exe
File opened for modification	C:\Windows\SysWOW64\unsecapp.exe	IP.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1300	IP.exe
1444	unsecapp.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 31 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000ad6f2831d697da012a408e23de97da019c4b9796f497da0114000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6\NodeSlot = "11"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000005000000040000000300000000000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\6\MRUListEx = ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 06000000010000000200000005000000040000000300000000000000ffffffff	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\	IP.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\WinMgmts:\	IP.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1300	IP.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe
1444	unsecapp.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1444	unsecapp.exe
3348	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe
1848	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3348	taskmgr.exe
Token: SeSystemProfilePrivilege	3348	taskmgr.exe
Token: SeCreateGlobalPrivilege	3348	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe
3348	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4068	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 1444	1300	IP.exe	85
PID 1300 wrote to memory of 1444	1300	IP.exe	85
PID 1848 wrote to memory of 2540	1848	msedge.exe	101
PID 1848 wrote to memory of 2540	1848	msedge.exe	101
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 2912	1848	msedge.exe	102
PID 1848 wrote to memory of 1772	1848	msedge.exe	103
PID 1848 wrote to memory of 1772	1848	msedge.exe	103
PID 1848 wrote to memory of 3456	1848	msedge.exe	104
PID 1848 wrote to memory of 3456	1848	msedge.exe	104
PID 1848 wrote to memory of 3456	1848	msedge.exe	104
PID 1848 wrote to memory of 3456	1848	msedge.exe	104
PID 1848 wrote to memory of 3456	1848	msedge.exe	104
PID 1848 wrote to memory of 3456	1848	msedge.exe	104
PID 1848 wrote to memory of 3456	1848	msedge.exe	104
PID 1848 wrote to memory of 3456	1848	msedge.exe	104
PID 1848 wrote to memory of 3456	1848	msedge.exe	104
PID 1848 wrote to memory of 3456	1848	msedge.exe	104
PID 1848 wrote to memory of 3456	1848	msedge.exe	104
PID 1848 wrote to memory of 3456	1848	msedge.exe	104
PID 1848 wrote to memory of 3456	1848	msedge.exe	104
PID 1848 wrote to memory of 3456	1848	msedge.exe	104
PID 1848 wrote to memory of 3456	1848	msedge.exe	104
PID 1848 wrote to memory of 3456	1848	msedge.exe	104
PID 1848 wrote to memory of 3456	1848	msedge.exe	104
PID 1848 wrote to memory of 3456	1848	msedge.exe	104

C:\Users\Admin\AppData\Local\Temp\IP.exe
"C:\Users\Admin\AppData\Local\Temp\IP.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\SysWOW64\unsecapp.exe
  C:\Windows\SysWOW64\unsecapp.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1444

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5012

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb19a346f8,0x7ffb19a34708,0x7ffb19a34718
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,14887836050974221173,3265022078210257820,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,14887836050974221173,3265022078210257820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,14887836050974221173,3265022078210257820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14887836050974221173,3265022078210257820,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14887836050974221173,3265022078210257820,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14887836050974221173,3265022078210257820,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14887836050974221173,3265022078210257820,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,14887836050974221173,3265022078210257820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3640 /prefetch:8
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,14887836050974221173,3265022078210257820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3640 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14887836050974221173,3265022078210257820,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14887836050974221173,3265022078210257820,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14887836050974221173,3265022078210257820,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14887836050974221173,3265022078210257820,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14887836050974221173,3265022078210257820,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14887836050974221173,3265022078210257820,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2116,14887836050974221173,3265022078210257820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,14887836050974221173,3265022078210257820,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2840 /prefetch:2
  2⤵
  PID:3152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
918cda29eb2ffb5f0fa39c6dbe1bdc1b

SHA1
81c39503a330b3427aa146cd9461951dcb4064b3

SHA256
160a4800271d610b7385da05b049e1c3f5d76af53fb0b719275cf69d934ad2f2

SHA512
9055609068a99d5938ee53d1f5a5d0029bbca8955097a261af0ddc0229d077e05086f58ec329728d8ba575635507518e69b6c952e8461ec83e4d519586a1d6e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
387B

MD5
b216c129491f2daa32be869b9ba013be

SHA1
4f51095b3d5394efad9dfb3768c42728908d31d1

SHA256
0cf9f002d4e0bb3dabcaf74d5bdb5a7b9408451b943d8bb7bba73a1f2aa4a47b

SHA512
e3848c890271e3994d6d51f97e71b645dd680e4cf7b86fb62d514c4d62bd975d80aea368242b83e3ee9d9c54228cb7aa6433675543828db930a9009fd01ad529

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7f08f8ed21236ea2f41376a7763b266e

SHA1
c843c5fcfbc675fff5684f544066490efe6284f9

SHA256
83529aa7384ca790c71f5b68f3f709ae4b2ed86700aee1b6f3180d54937719cb

SHA512
621432d2806049c20a98824c7a5390006f56896b32c4499d8a18b38851b268a42cffe3bd04807436b3e75653cb5399f0ae802a0024ba0a1bb30919a316b4dc44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f8db1c7ae72006d2cf4474720cd1eb60

SHA1
8c3f20016d76c7e5baef57ac909eca35fb05ab6f

SHA256
3f1faf21613a6ccb63d44fb84bc288bfdee7fd73978dded7465918bff8eba468

SHA512
a4aef230c6b9f9de2209e926669abf7d76f762029319f0fd4c584629f74d315bd2c94da726910080ec1f56bec75d7721c90fb2c6d1d064246ae960427ca67c49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c07c3a1e0357f66e45c9b69f654cdf2d

SHA1
01710935bc815be3840dfd243ba8dc0d138ecba6

SHA256
9c2138b66fd900fcfd6748338fb377d1e4291a20814b0a09d6dab9a62f8689f3

SHA512
e680d66e998fb88abde28e90598b66b128de2448cfb1ca7824e3db32ef9c58d513467c933aaa972b01e03376182d37a47e30d44117bafbf2b280cabc94bce77a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
f05067d276b51e2cd09eee42c900a91f

SHA1
f0714e4e48bf934a9028ad3a966013ebd4bbdabe

SHA256
cb1cda8804c139c485a62ac187ea3d3c237d2f458cf20e19d423e34f43a8e1b1

SHA512
69982bd155db2644911e5502a02f746f8f7c764610410d971874cce502e6a85fc73b46fb5844b93a11e07815830d61ab620a6d77a8d187db574a292db475744e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59c961.TMP

Filesize
370B

MD5
4f205f0edd76194e2f69d67a8533ba3f

SHA1
f62bb78b4b89acc65f041e1c716f59d3a520c969

SHA256
80a17d5120339be370e755f1087884ce1211fe70b11f2e8f78020bf6c39b4297

SHA512
cfa9c7e88f867ec166f9f1318104ad11ef72d31edcd7b0fe75489cc9b585b48db3ed60375faa44c5439fb6b1ce2beb2c03d8be93917fcee8270eedc2c4283393

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fa6c92fef953b1c49352ff9aef3425d3

SHA1
7eb922ee304040aed7e69bdec4b387423a48beea

SHA256
746fa1cb78f7e9965ed6810b81dcad8f139fc31fa32bc42566184c7a042cef6e

SHA512
4d42cbed146f6740582f845134996bcbfcf584d9b5456ff1e44fd0de5a8f00eb4b812f413d85a18a6fbced84684097a0ceccd4f64eac0fafb2d66775a2daffca

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut5EBA.tmp

Filesize
13.0MB

MD5
f41ac8c7f6f7871848ddb6fb718a15bb

SHA1
bce00d05c76d0a4eedbd76c2e87fc55c644edac0

SHA256
d30a26d6f6676d700f86db8ff522cccfea285e1272f2dba210cf99c3b676a773

SHA512
62316becb846b12396401fdb79c14ada97495abdd241fe4815c963d6ea315989bc6f283ff68c17cd90e5b62d3ea025770f4883b2b1f387d0dbe2d41a1c541ba6

Download Submit
memory/1300-5-0x00007FF627020000-0x00007FF628ED7000-memory.dmp

Filesize
30.7MB

Download
memory/1300-38-0x00007FF627020000-0x00007FF628ED7000-memory.dmp

Filesize
30.7MB

Download
memory/1300-39-0x00007FFB28890000-0x00007FFB28A85000-memory.dmp

Filesize
2.0MB

Download
memory/1300-9-0x00007FF627020000-0x00007FF628ED7000-memory.dmp

Filesize
30.7MB

Download
memory/1300-8-0x00007FF627020000-0x00007FF628ED7000-memory.dmp

Filesize
30.7MB

Download
memory/1300-7-0x00007FF627020000-0x00007FF628ED7000-memory.dmp

Filesize
30.7MB

Download
memory/1300-6-0x00007FF627020000-0x00007FF628ED7000-memory.dmp

Filesize
30.7MB

Download
memory/1300-4-0x00007FF627020000-0x00007FF628ED7000-memory.dmp

Filesize
30.7MB

Download
memory/1300-3-0x00007FF627020000-0x00007FF628ED7000-memory.dmp

Filesize
30.7MB

Download
memory/1300-2-0x00007FF627020000-0x00007FF628ED7000-memory.dmp

Filesize
30.7MB

Download
memory/1300-0-0x00007FF627020000-0x00007FF628ED7000-memory.dmp

Filesize
30.7MB

Download
memory/1300-1-0x00007FFB28890000-0x00007FFB28A85000-memory.dmp

Filesize
2.0MB

Download
memory/1444-64-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-31-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-46-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-60-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-61-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-284-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-283-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-282-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-281-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-280-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-279-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-278-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-277-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-62-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-63-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-44-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-65-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-43-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-42-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-41-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-40-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-98-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-35-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-37-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-36-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-153-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-34-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-176-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-32-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-45-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-33-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-191-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-210-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-220-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-229-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-248-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-30-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-254-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-255-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-256-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-257-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-260-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-263-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-264-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-274-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-275-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/1444-276-0x00007FF71B950000-0x00007FF71CF4E000-memory.dmp

Filesize
22.0MB

Download
memory/3348-56-0x0000028267E00000-0x0000028267E01000-memory.dmp

Filesize
4KB

Download
memory/3348-57-0x0000028267E00000-0x0000028267E01000-memory.dmp

Filesize
4KB

Download
memory/3348-58-0x0000028267E00000-0x0000028267E01000-memory.dmp

Filesize
4KB

Download
memory/3348-59-0x0000028267E00000-0x0000028267E01000-memory.dmp

Filesize
4KB

Download
memory/3348-54-0x0000028267E00000-0x0000028267E01000-memory.dmp

Filesize
4KB

Download
memory/3348-48-0x0000028267E00000-0x0000028267E01000-memory.dmp

Filesize
4KB

Download
memory/3348-49-0x0000028267E00000-0x0000028267E01000-memory.dmp

Filesize
4KB

Download
memory/3348-47-0x0000028267E00000-0x0000028267E01000-memory.dmp

Filesize
4KB

Download
memory/3348-55-0x0000028267E00000-0x0000028267E01000-memory.dmp

Filesize
4KB

Download
memory/3348-53-0x0000028267E00000-0x0000028267E01000-memory.dmp

Filesize
4KB

Download