f6ec30cf0ba234fd8dc86488412c6d3632a741532f8dc7696b41bccc591dcec9

Analysis

max time kernel
112s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2024, 15:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Keyrox_Installer_V1.04.15.exe
Size

27.1MB
MD5

ee5a18efc909ea498554079ad54d1b25
SHA1

6d97c102dc8a08e9ba590faa5d16f69b5e310b69
SHA256

f6ec30cf0ba234fd8dc86488412c6d3632a741532f8dc7696b41bccc591dcec9
SHA512

5c569e2c67df2a79e234e76b3bded610f2cb089a8c07278f44aff15e7719ad237385273a234bc149deaa05224f3b6fb86d1b6c972d2f9bb5f13caad13162d6f6
SSDEEP

786432:2s8hmwbosyF6M9tv7BZlx0P8oN9jTIWBTrP:2RmwK9JTANpIyT7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4252	Keyrox_Installer_V1.04.15.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2753856825-3907105642-1818461144-1000\{475DE4C3-2571-4009-A5BC-68D0E221730A}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2753856825-3907105642-1818461144-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2588	msedge.exe
2588	msedge.exe
1776	msedge.exe
1776	msedge.exe
336	msedge.exe
336	msedge.exe
2572	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe
1776	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 4252	4344	Keyrox_Installer_V1.04.15.exe	85
PID 4344 wrote to memory of 4252	4344	Keyrox_Installer_V1.04.15.exe	85
PID 4344 wrote to memory of 4252	4344	Keyrox_Installer_V1.04.15.exe	85
PID 1776 wrote to memory of 3548	1776	msedge.exe	91
PID 1776 wrote to memory of 3548	1776	msedge.exe	91
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 4340	1776	msedge.exe	92
PID 1776 wrote to memory of 2588	1776	msedge.exe	93
PID 1776 wrote to memory of 2588	1776	msedge.exe	93
PID 1776 wrote to memory of 1292	1776	msedge.exe	94
PID 1776 wrote to memory of 1292	1776	msedge.exe	94
PID 1776 wrote to memory of 1292	1776	msedge.exe	94
PID 1776 wrote to memory of 1292	1776	msedge.exe	94
PID 1776 wrote to memory of 1292	1776	msedge.exe	94
PID 1776 wrote to memory of 1292	1776	msedge.exe	94
PID 1776 wrote to memory of 1292	1776	msedge.exe	94
PID 1776 wrote to memory of 1292	1776	msedge.exe	94
PID 1776 wrote to memory of 1292	1776	msedge.exe	94
PID 1776 wrote to memory of 1292	1776	msedge.exe	94
PID 1776 wrote to memory of 1292	1776	msedge.exe	94
PID 1776 wrote to memory of 1292	1776	msedge.exe	94
PID 1776 wrote to memory of 1292	1776	msedge.exe	94
PID 1776 wrote to memory of 1292	1776	msedge.exe	94
PID 1776 wrote to memory of 1292	1776	msedge.exe	94
PID 1776 wrote to memory of 1292	1776	msedge.exe	94
PID 1776 wrote to memory of 1292	1776	msedge.exe	94

C:\Users\Admin\AppData\Local\Temp\Keyrox_Installer_V1.04.15.exe
"C:\Users\Admin\AppData\Local\Temp\Keyrox_Installer_V1.04.15.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Users\Admin\AppData\Local\Temp\is-Q6ICT.tmp\Keyrox_Installer_V1.04.15.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-Q6ICT.tmp\Keyrox_Installer_V1.04.15.tmp" /SL5="$E007A,27984686,183808,C:\Users\Admin\AppData\Local\Temp\Keyrox_Installer_V1.04.15.exe"
  2⤵
  - Executes dropped EXE
  PID:4252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x40,0x130,0x7ffac46246f8,0x7ffac4624708,0x7ffac4624718
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=1708 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2472 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2168,257302605814998880,18223747614366564433,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=5812 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2096

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x340 0x4a4
1⤵
PID:5004

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3967855 /state1:0x41c64e6d
1⤵
PID:3988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f060e9a30a0dde4f5e3e80ae94cc7e8e

SHA1
3c0cc8c3a62c00d7210bb2c8f3748aec89009d17

SHA256
c0e69c9f7453ef905de11f65d69b66cf8a5a2d8e42b7f296fa8dfde5c25abc79

SHA512
af97b8775922a2689d391d75defff3afe92842b8ab0bba5ddaa66351f633da83f160522aa39f6c243cb5e8ea543000f06939318bc52cb535103afc6c33e16bc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a27d8876d0de41d0d8ddfdc4f6fd4b15

SHA1
11f126f8b8bb7b63217f3525c20080f9e969eff3

SHA256
d32983bba248ff7a82cc936342414b06686608013d84ec5c75614e06a9685cfe

SHA512
8298c2435729f5f34bba5b82f31777c07f830076dd7087f07aab4337e679251dc2cfe276aa89a0131755fe946f05e6061ef9080e0fbe120e6c88cf9f3265689c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
69KB

MD5
7d5e1b1b9e9321b9e89504f2c2153b10

SHA1
37847cc4c1d46d16265e0e4659e6b5611d62b935

SHA256
adbd44258f3952a53d9c99303e034d87c5c4f66c5c431910b1823bb3dd0326af

SHA512
6f3dc2c523127a58def4364a56c3daa0b2d532891d06f6432ad89b740ee87eacacfcea6fa62a6785e6b9844d404baee4ea4a73606841769ab2dfc5f0efe40989

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
41KB

MD5
3358e831188c51a7d8c6be54efafc248

SHA1
4b909f88f7b6d0a633824e354185748474a902a5

SHA256
c4cd0c2e26c152032764362954c276c86bd51e525a742d1f86b3e4f860f360ff

SHA512
c96a6aae518d99be0c184c70be83a6a21fca3dab82f028567b224d7ac547c5ef40f0553d56f006b53168f9bba1637fdec8cf79175fd03c9c954a16c62a9c935e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
1.2MB

MD5
b55b8baf9ced2da93c17f6b749734870

SHA1
b7a0adbe14b12fd8f7bc3fbc27a5611693057cec

SHA256
38f98d8fffec9928c61be37a6d4a3da72e027dfc239b53d784964cc922a201a4

SHA512
69c98fb523179d002566ec88bfcd12800ec0154ef76efc017d05c1dc5f2ea479e5ced0e9c6158a2e8546f88fe19d58a3627bbea546e4ab6905f4f340767fffe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b369291e8a475163ffa2361c810780aa

SHA1
0ea6fbdab3fe35257d8a2013af162893cfb3f1e8

SHA256
beea36689984614af0a61a9a399312dcd02d29b7c61b8e88ba85bb5a1a5f2459

SHA512
3be5f7e13e251d937ce0b645aedd49ad39bba850f4f8674d1b5f4a3bdb6dd3231c92b9f6dd0446c0ef0632461fbd0619923239db407003f7c63021061b1b3357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
996B

MD5
00df45eea45fc9ab101a766f18c93ba8

SHA1
aa0ca7b63c5744f6a6f25ae3aeff073f83833274

SHA256
f456aa1e5d4f144084d94f0f2e720f06b3796c39152fb3edfad41d732f7047a4

SHA512
0227bab5e2567650be7d30501d13ea01f9ca996fb3e0e8591a1902a54acd5efed84caab648e7abd5f76c1746e2530106c7fbbf98e959d106cba8c3181c24c3ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8dadf05d85312518d05424ef83984b63

SHA1
80c9248a088b5071f9e90796dddf75bf0a18f3fc

SHA256
0cea447819816ff4b52940cac236a43bbfc33201614b2f3b07311762a9821a5c

SHA512
e38892257181ed093ba30d2e791565352052162d7a42a5b956f3612c7928236af52dd338fbbca51502d05642205c666f440f8332a333d9cb54107ae8703d5532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a0c4ba41f4d2bc1750fa8678530def8f

SHA1
63310738db71232e58fe0b80529007539d4496a6

SHA256
d53ae0cbf49a15bc01cdd0c38b23bcda370e7969c0b558755a2c5b5709b1205b

SHA512
dcc683043f5d1376caa4dd969d244b5aadbcba08a6d21660ea27ddbdde53696840e15b6679c5347af0510d1896bfef72488a7ee9875a68caaae3abbcb0d948c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cbcbd2063f0af6159b0a4b8783ba7230

SHA1
9b3017eb6e920666346041fff66c2b5aa64c2a6c

SHA256
f26d6634ec80d8bc0e6170f4ccd1b3f1354d326a128eb054691863c95216e46e

SHA512
eaf30548f51395166600ab797fae20406021ad644124f8fea47ddc7f22e988a0478a137756735c7983fd1d520fa0314b99d596d929462da6b5cf0b04734a71dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
717558f02859034acab7e83bb0455f04

SHA1
12ac04331d7dc6856620f6c072ab77bda84e1668

SHA256
a1a73508a06866b8034854999bca455da2217be15104220398d924dcb601a8db

SHA512
a294d92437725c83decf988da73e644afc747a6324ff07c7117de819094d601161ab8fcb74fd543a4f8d390d9c53e421b4e750a6987246f0a2758e03fff2aa0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
07d326435bbcfd5297cfe986abf91d63

SHA1
ca64d69fd522a87ab68fe00edeee753de4b9cf22

SHA256
82ffbc37bdeb89c81d1efbe64fb1b5d2c914217bee1df98213c0df4609dde290

SHA512
c784f30136ad9dcf75567d7e43b6c305eb89a3caf4b8f224ea1a1bcd1e50bee59f0699366a6713671af66beb55bf6634b5dba1395c8524bd07cf93fe892db977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
c8ec9dcfa07056bc44928760bc66c14c

SHA1
b44c6ff8a349e943e9d7819ff476e600bd5a80ee

SHA256
e67c12e17b24e0d1ad384a9456f965609d2057d7a40fb7aa8b520cd27fa4e184

SHA512
a5f15de7b310fb3171584f64ac720eed9a738f4eee29d0253c3eec100d932a29c353ebc3f6f7ba02e7a7d57f3634f2bf3e2d9e295b17b666ede5f5ebf7c3f4d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
435ad523a5b84036aae65c8ca80364d4

SHA1
dc4c316acf3b1e2099f91c7467762bd8867b46d8

SHA256
c1ff9823076d0f886050d7b92641a28cdd0990aafb04a60473d4dfc7734a12cf

SHA512
0ddb9736c21fedb7d567fe5d1ddd06eb6609a8fd0ea4af10af5139e59e70b765166a117252f1d99c516c74ec41e272969ae80ccc985d923e0da75b7ead1d6e83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe590304.TMP

Filesize
203B

MD5
e03b823e554fb5d673cd8a94ba662283

SHA1
84537f39e06440b5ae1a58fe743654e4f9bf90c2

SHA256
d661279bb3854a2854649064c0f7f4a8c3eb0fd1641930d075aef3c221655c52

SHA512
7cdb9e9d9130df4e86d71e9027ad69d2b4e635b7f59b5cf180d37b27ff1f5dcd5643394055cc9b5c14c5d7168cf13515b5dcd6d4ff2caaf420c67b1146727d43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d5f1ec89-dd4e-42a9-a093-362e11181389.tmp

Filesize
7KB

MD5
336e665904ff6685ee7d9e298068fe8a

SHA1
1eafe98cff0e94451b5441cef8583e6c883c921a

SHA256
2fdf73ceaaab2bba32079069939375a51f459e5691f4659132a6d18692683f1e

SHA512
d2e3bc0f1e7144655da21d5b447a7c274edec0171ab1e87518ed69e3bd1ff1c383348130c3447264a2e041abe1ae4799892c9cd7a3e0065e3cc768d323f11f84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d48d1208dfc81b5b7905b69640fdd55e

SHA1
f6817f25509f78d10f80add4c94af28f1fa35969

SHA256
92701748712fde3b750854be36e6a4c83a501f858a43870d9374996ab0ef159e

SHA512
506dd5004310161a4837b6c69a109198e3a62cafbb255c7dfe95f28de0e1eac47d5c71981feef5dc128ac46940103b5ce516eff024c88667c857ddef8e8a5c4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4bd176357c150139e5188be6072e16b9

SHA1
864c2d7d8ce649f4e8497e5c28809e1f65178554

SHA256
eccb77ade5a9db15583785f431922702126812cb7b82044627bec8b28df70d9e

SHA512
c68ffa264dc93eea807abe3da42eabca7b6f00ff60aa0ffbae1701dcb9915434cf49cbf27d19c07fd1f7befa2805aad9ac98e46cd556bb728c873bf275f833ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q6ICT.tmp\Keyrox_Installer_V1.04.15.tmp

Filesize
1.2MB

MD5
5d352ef82b75a48867aafb7ae95f8987

SHA1
5f720a62e012ff0aa287e57a596b7a66dedf76e5

SHA256
58ca3f3f57ee75501074d8298d434c7ddbbdb23809af5eafa6e87bd318f6a6b4

SHA512
593a55bdc5be6b3290f01edabf73c2ba3a61f1440ab4d3010a04bc76763093784b72f3bc1b856725fbda70838ba8ab8028c9226782e981a5b8bd39ef876742e6

Download Submit
memory/4252-6-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/4252-9-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/4252-13-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/4344-8-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4344-1-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4344-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/4344-15-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download