af087e44b9920b0dd59aac8a366a167d5f5457e608b6616450d73956294a9500

Analysis

max time kernel
60s
max time network
84s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cleaners/applecleaner.exe
Size

3.6MB
MD5

f96eb2236970fb3ea97101b923af4228
SHA1

e0eed80f1054acbf5389a7b8860a4503dd3e184a
SHA256

46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172
SHA512

2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7
SSDEEP

98304:z7m+ij9HD0+jCihNRkl/W6aG/wcKnfu8NUT6Ko:e+y4ihkl/Wo/afHPb

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	applecleaner.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4192	netsh.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	applecleaner.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 30004f00330048005300200020002d002000350000000000	applecleaner.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/392-0-0x00007FF65AB30000-0x00007FF65B4D2000-memory.dmp	themida
behavioral1/memory/392-2-0x00007FF65AB30000-0x00007FF65B4D2000-memory.dmp	themida
behavioral1/memory/392-4-0x00007FF65AB30000-0x00007FF65B4D2000-memory.dmp	themida
behavioral1/memory/392-3-0x00007FF65AB30000-0x00007FF65B4D2000-memory.dmp	themida
behavioral1/memory/392-5-0x00007FF65AB30000-0x00007FF65B4D2000-memory.dmp	themida
behavioral1/memory/392-6-0x00007FF65AB30000-0x00007FF65B4D2000-memory.dmp	themida
behavioral1/memory/392-10-0x00007FF65AB30000-0x00007FF65B4D2000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	applecleaner.exe

Checks system information in the registry 2 TTPs 1 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	applecleaner.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
392	applecleaner.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	applecleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "5dde8ccc-340b8b81-d"	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	applecleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	applecleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "7195a3f4-791d4401-5"	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	applecleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	applecleaner.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4312	ipconfig.exe
2336	ipconfig.exe
4816	ipconfig.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2400	taskkill.exe
2040	taskkill.exe
3956	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
392	applecleaner.exe
392	applecleaner.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	taskkill.exe
Token: SeDebugPrivilege	2040	taskkill.exe
Token: SeDebugPrivilege	3956	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2208	WMIC.exe
Token: SeSecurityPrivilege	2208	WMIC.exe
Token: SeTakeOwnershipPrivilege	2208	WMIC.exe
Token: SeLoadDriverPrivilege	2208	WMIC.exe
Token: SeSystemProfilePrivilege	2208	WMIC.exe
Token: SeSystemtimePrivilege	2208	WMIC.exe
Token: SeProfSingleProcessPrivilege	2208	WMIC.exe
Token: SeIncBasePriorityPrivilege	2208	WMIC.exe
Token: SeCreatePagefilePrivilege	2208	WMIC.exe
Token: SeBackupPrivilege	2208	WMIC.exe
Token: SeRestorePrivilege	2208	WMIC.exe
Token: SeShutdownPrivilege	2208	WMIC.exe
Token: SeDebugPrivilege	2208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2208	WMIC.exe
Token: SeRemoteShutdownPrivilege	2208	WMIC.exe
Token: SeUndockPrivilege	2208	WMIC.exe
Token: SeManageVolumePrivilege	2208	WMIC.exe
Token: 33	2208	WMIC.exe
Token: 34	2208	WMIC.exe
Token: 35	2208	WMIC.exe
Token: 36	2208	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2208	WMIC.exe
Token: SeSecurityPrivilege	2208	WMIC.exe
Token: SeTakeOwnershipPrivilege	2208	WMIC.exe
Token: SeLoadDriverPrivilege	2208	WMIC.exe
Token: SeSystemProfilePrivilege	2208	WMIC.exe
Token: SeSystemtimePrivilege	2208	WMIC.exe
Token: SeProfSingleProcessPrivilege	2208	WMIC.exe
Token: SeIncBasePriorityPrivilege	2208	WMIC.exe
Token: SeCreatePagefilePrivilege	2208	WMIC.exe
Token: SeBackupPrivilege	2208	WMIC.exe
Token: SeRestorePrivilege	2208	WMIC.exe
Token: SeShutdownPrivilege	2208	WMIC.exe
Token: SeDebugPrivilege	2208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2208	WMIC.exe
Token: SeRemoteShutdownPrivilege	2208	WMIC.exe
Token: SeUndockPrivilege	2208	WMIC.exe
Token: SeManageVolumePrivilege	2208	WMIC.exe
Token: 33	2208	WMIC.exe
Token: 34	2208	WMIC.exe
Token: 35	2208	WMIC.exe
Token: 36	2208	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 220	392	applecleaner.exe	91
PID 392 wrote to memory of 220	392	applecleaner.exe	91
PID 220 wrote to memory of 2400	220	cmd.exe	92
PID 220 wrote to memory of 2400	220	cmd.exe	92
PID 392 wrote to memory of 1396	392	applecleaner.exe	94
PID 392 wrote to memory of 1396	392	applecleaner.exe	94
PID 1396 wrote to memory of 2040	1396	cmd.exe	95
PID 1396 wrote to memory of 2040	1396	cmd.exe	95
PID 392 wrote to memory of 2616	392	applecleaner.exe	96
PID 392 wrote to memory of 2616	392	applecleaner.exe	96
PID 2616 wrote to memory of 3956	2616	cmd.exe	97
PID 2616 wrote to memory of 3956	2616	cmd.exe	97
PID 392 wrote to memory of 2152	392	applecleaner.exe	101
PID 392 wrote to memory of 2152	392	applecleaner.exe	101
PID 2152 wrote to memory of 4248	2152	cmd.exe	102
PID 2152 wrote to memory of 4248	2152	cmd.exe	102
PID 392 wrote to memory of 2192	392	applecleaner.exe	110
PID 392 wrote to memory of 2192	392	applecleaner.exe	110
PID 392 wrote to memory of 2052	392	applecleaner.exe	116
PID 392 wrote to memory of 2052	392	applecleaner.exe	116
PID 392 wrote to memory of 2136	392	applecleaner.exe	117
PID 392 wrote to memory of 2136	392	applecleaner.exe	117
PID 2136 wrote to memory of 1272	2136	cmd.exe	118
PID 2136 wrote to memory of 1272	2136	cmd.exe	118
PID 392 wrote to memory of 3624	392	applecleaner.exe	120
PID 392 wrote to memory of 3624	392	applecleaner.exe	120
PID 3624 wrote to memory of 4668	3624	cmd.exe	121
PID 3624 wrote to memory of 4668	3624	cmd.exe	121
PID 392 wrote to memory of 1840	392	applecleaner.exe	122
PID 392 wrote to memory of 1840	392	applecleaner.exe	122
PID 1840 wrote to memory of 4192	1840	cmd.exe	123
PID 1840 wrote to memory of 4192	1840	cmd.exe	123
PID 392 wrote to memory of 460	392	applecleaner.exe	124
PID 392 wrote to memory of 460	392	applecleaner.exe	124
PID 460 wrote to memory of 2756	460	cmd.exe	125
PID 460 wrote to memory of 2756	460	cmd.exe	125
PID 392 wrote to memory of 2988	392	applecleaner.exe	126
PID 392 wrote to memory of 2988	392	applecleaner.exe	126
PID 2988 wrote to memory of 2060	2988	cmd.exe	127
PID 2988 wrote to memory of 2060	2988	cmd.exe	127
PID 392 wrote to memory of 220	392	applecleaner.exe	128
PID 392 wrote to memory of 220	392	applecleaner.exe	128
PID 220 wrote to memory of 4840	220	cmd.exe	129
PID 220 wrote to memory of 4840	220	cmd.exe	129
PID 392 wrote to memory of 4680	392	applecleaner.exe	130
PID 392 wrote to memory of 4680	392	applecleaner.exe	130
PID 4680 wrote to memory of 940	4680	cmd.exe	131
PID 4680 wrote to memory of 940	4680	cmd.exe	131
PID 392 wrote to memory of 4508	392	applecleaner.exe	132
PID 392 wrote to memory of 4508	392	applecleaner.exe	132
PID 4508 wrote to memory of 4312	4508	cmd.exe	133
PID 4508 wrote to memory of 4312	4508	cmd.exe	133
PID 392 wrote to memory of 2552	392	applecleaner.exe	134
PID 392 wrote to memory of 2552	392	applecleaner.exe	134
PID 2552 wrote to memory of 2336	2552	cmd.exe	135
PID 2552 wrote to memory of 2336	2552	cmd.exe	135
PID 392 wrote to memory of 900	392	applecleaner.exe	136
PID 392 wrote to memory of 900	392	applecleaner.exe	136
PID 900 wrote to memory of 4816	900	cmd.exe	137
PID 900 wrote to memory of 4816	900	cmd.exe	137
PID 392 wrote to memory of 3948	392	applecleaner.exe	138
PID 392 wrote to memory of 3948	392	applecleaner.exe	138
PID 3948 wrote to memory of 3644	3948	cmd.exe	139
PID 3948 wrote to memory of 3644	3948	cmd.exe	139

C:\Users\Admin\AppData\Local\Temp\Cleaners\applecleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Cleaners\applecleaner.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Checks system information in the registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Battle.net.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://applecheats.cc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/
    3⤵
    PID:4248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:2192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c NETSH WINSOCK RESET >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\system32\netsh.exe
    NETSH WINSOCK RESET
    3⤵
    PID:1272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c NETSH INT IP RESET >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Windows\system32\netsh.exe
    NETSH INT IP RESET
    3⤵
    PID:4668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall reset >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\system32\netsh.exe
    netsh advfirewall reset
    3⤵
    - Modifies Windows Firewall
    PID:4192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV4 RESET >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:460
- - C:\Windows\system32\netsh.exe
    NETSH INTERFACE IPV4 RESET
    3⤵
    PID:2756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV6 RESET >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\system32\netsh.exe
    NETSH INTERFACE IPV6 RESET
    3⤵
    PID:2060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c NETSH INTERFACE TCP RESET >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\system32\netsh.exe
    NETSH INTERFACE TCP RESET
    3⤵
    PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c NETSH INT RESET ALL >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Windows\system32\netsh.exe
    NETSH INT RESET ALL
    3⤵
    PID:940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Windows\system32\ipconfig.exe
    IPCONFIG /RELEASE
    3⤵
    - Gathers network information
    PID:4312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\system32\ipconfig.exe
    IPCONFIG /RELEASE
    3⤵
    - Gathers network information
    PID:2336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c IPCONFIG /FLUSHDNS >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\system32\ipconfig.exe
    IPCONFIG /FLUSHDNS
    3⤵
    - Gathers network information
    PID:4816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c NBTSTAT -R >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\system32\nbtstat.exe
    NBTSTAT -R
    3⤵
    PID:3644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c NBTSTAT -RR >nul 2>&1
  2⤵
  PID:2276
- - C:\Windows\system32\nbtstat.exe
    NBTSTAT -RR
    3⤵
    PID:796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c arp -a >nul 2>&1
  2⤵
  PID:4288
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c arp -d >nul 2>&1
  2⤵
  PID:1592
- - C:\Windows\system32\ARP.EXE
    arp -d
    3⤵
    PID:2996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&1
  2⤵
  PID:4368
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4016,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4456 /prefetch:8
1⤵
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=1632,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:1
1⤵
PID:728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4192,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4800 /prefetch:1
1⤵
PID:3460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5304,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5328 /prefetch:1
1⤵
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5348,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5464 /prefetch:8
1⤵
PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5484,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5532 /prefetch:8
1⤵
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5908,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5936 /prefetch:1
1⤵
PID:3412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6128,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5964 /prefetch:1
1⤵
PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=5912,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6224 /prefetch:1
1⤵
PID:1708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=5080,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5996 /prefetch:1
1⤵
PID:1584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=5092,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6672 /prefetch:1
1⤵
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6740,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6732 /prefetch:8
1⤵
PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/392-0-0x00007FF65AB30000-0x00007FF65B4D2000-memory.dmp

Filesize
9.6MB

Download
memory/392-1-0x00007FF8CCFD0000-0x00007FF8CCFD2000-memory.dmp

Filesize
8KB

Download
memory/392-2-0x00007FF65AB30000-0x00007FF65B4D2000-memory.dmp

Filesize
9.6MB

Download
memory/392-4-0x00007FF65AB30000-0x00007FF65B4D2000-memory.dmp

Filesize
9.6MB

Download
memory/392-3-0x00007FF65AB30000-0x00007FF65B4D2000-memory.dmp

Filesize
9.6MB

Download
memory/392-5-0x00007FF65AB30000-0x00007FF65B4D2000-memory.dmp

Filesize
9.6MB

Download
memory/392-6-0x00007FF65AB30000-0x00007FF65B4D2000-memory.dmp

Filesize
9.6MB

Download
memory/392-10-0x00007FF65AB30000-0x00007FF65B4D2000-memory.dmp

Filesize
9.6MB

Download