ffaa6fadc298557e09c500a3ea9453bb22aa68827daa76453e6fe368cde2ee57

Analysis

max time kernel
248s
max time network
252s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2024 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VrInputViewer.exe
Size

165.0MB
MD5

9b8338ae21d62d51dce0bfb802dba073
SHA1

d1517fa4de702b674831e283d2d8ff6878e6701c
SHA256

ffaa6fadc298557e09c500a3ea9453bb22aa68827daa76453e6fe368cde2ee57
SHA512

724bb9f1e5fbf7d2ab7be7020f65b01994a279a1592e414545a96e08e1bdb44b92f9fe601f30e24a8a56648eebd48d0400b1a1a723677cb7fe1efa09ba43f120
SSDEEP

1572864:RdFEbPWOp7BHRu6eI6aZtdo1RN1zpALkr0flY8xT/yGG3L3dtP7rmnMjesry47tZ:Ddofu8CX

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-701583114-2636601053-947405450-1000\{A6BD7C8F-6F50-489E-9D90-3EABB3EAF1A6}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
2880	msedge.exe
2880	msedge.exe
1156	msedge.exe
1156	msedge.exe
3284	identity_helper.exe
3284	identity_helper.exe
460	msedge.exe
460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
2460	msedge.exe
1096	msedge.exe
1096	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

msedge.exe

pid	process
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

VrInputViewer.exe

description	pid	process
Token: SeShutdownPrivilege	648	VrInputViewer.exe
Token: SeCreatePagefilePrivilege	648	VrInputViewer.exe
Token: SeShutdownPrivilege	648	VrInputViewer.exe
Token: SeCreatePagefilePrivilege	648	VrInputViewer.exe
Token: SeShutdownPrivilege	648	VrInputViewer.exe
Token: SeCreatePagefilePrivilege	648	VrInputViewer.exe
Token: SeShutdownPrivilege	648	VrInputViewer.exe
Token: SeCreatePagefilePrivilege	648	VrInputViewer.exe
Token: SeShutdownPrivilege	648	VrInputViewer.exe
Token: SeCreatePagefilePrivilege	648	VrInputViewer.exe
Token: SeShutdownPrivilege	648	VrInputViewer.exe
Token: SeCreatePagefilePrivilege	648	VrInputViewer.exe
Token: SeShutdownPrivilege	648	VrInputViewer.exe
Token: SeCreatePagefilePrivilege	648	VrInputViewer.exe
Token: SeShutdownPrivilege	648	VrInputViewer.exe
Token: SeCreatePagefilePrivilege	648	VrInputViewer.exe
Token: SeShutdownPrivilege	648	VrInputViewer.exe
Token: SeCreatePagefilePrivilege	648	VrInputViewer.exe
Token: SeShutdownPrivilege	648	VrInputViewer.exe
Token: SeCreatePagefilePrivilege	648	VrInputViewer.exe
Token: SeShutdownPrivilege	648	VrInputViewer.exe
Token: SeCreatePagefilePrivilege	648	VrInputViewer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1156 wrote to memory of 1108	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 1108	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4444	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 2880	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 2880	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 2900	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 2900	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 2900	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 2900	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 2900	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 2900	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 2900	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 2900	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 2900	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 2900	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 2900	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 2900	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 2900	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 2900	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 2900	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 2900	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 2900	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 2900	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 2900	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 2900	1156	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\VrInputViewer.exe
"C:\Users\Admin\AppData\Local\Temp\VrInputViewer.exe"
1⤵
PID:2372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff03ce46f8,0x7fff03ce4708,0x7fff03ce4718
2⤵
PID:1108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 /prefetch:2
2⤵
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
2⤵
PID:2900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
2⤵
PID:1780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
2⤵
PID:4388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
2⤵
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
2⤵
PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 /prefetch:8
2⤵
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
2⤵
PID:3208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
2⤵
PID:1620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
2⤵
PID:1368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5768 /prefetch:8
2⤵
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
2⤵
PID:1344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
2⤵
PID:1360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
2⤵
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
2⤵
PID:3712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6308 /prefetch:8
2⤵
PID:4112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6280 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
2⤵
PID:4144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
2⤵
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
2⤵
PID:752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5264 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
2⤵
PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
2⤵
PID:812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
2⤵
PID:4012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2256,15439923790771111528,3232167006384041642,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1320

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3480

C:\Users\Admin\Downloads\VrInputViewer-win32-x64-0.1.0\VrInputViewer.exe
"C:\Users\Admin\Downloads\VrInputViewer-win32-x64-0.1.0\VrInputViewer.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Users\Admin\Downloads\VrInputViewer-win32-x64-0.1.0\VrInputViewer.exe
"C:\Users\Admin\Downloads\VrInputViewer-win32-x64-0.1.0\VrInputViewer.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\@jakzo/vr-input-viewer-desktop" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1684 --field-trial-handle=1688,i,464808884580061350,7063627189064707065,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
PID:1884

C:\Users\Admin\Downloads\VrInputViewer-win32-x64-0.1.0\VrInputViewer.exe
"C:\Users\Admin\Downloads\VrInputViewer-win32-x64-0.1.0\VrInputViewer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\@jakzo/vr-input-viewer-desktop" --mojo-platform-channel-handle=2120 --field-trial-handle=1688,i,464808884580061350,7063627189064707065,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
2⤵
PID:1308

C:\Users\Admin\Downloads\VrInputViewer-win32-x64-0.1.0\VrInputViewer.exe
"C:\Users\Admin\Downloads\VrInputViewer-win32-x64-0.1.0\VrInputViewer.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\@jakzo/vr-input-viewer-desktop" --app-path="C:\Users\Admin\Downloads\VrInputViewer-win32-x64-0.1.0\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2284 --field-trial-handle=1688,i,464808884580061350,7063627189064707065,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
2⤵
PID:4864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d406f3135e11b0a0829109c1090a41dc

SHA1
810f00e803c17274f9af074fc6c47849ad6e873e

SHA256
91f57909a10174b06c862089a9c1f3b3aeafea74a70ee1942ce11bb80d9eace4

SHA512
2b9f0f94b1e8a1b62ab38af8df2add0ec9e4c6dfa94d9c84cc24fe86d2d57d4fc0d9ec8a9775cf42a859ddfd130260128185a0e2588992bca8fd4ebf5ee6d409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7f37f119665df6beaa925337bbff0e84

SHA1
c2601d11f8aa77e12ab3508479cbf20c27cbd865

SHA256
1073dbff3ec315ac85361c35c8ba791cc4198149b097c7b287dda1d791925027

SHA512
8e180e41dd27c51e81788564b19b8ff411028890da506fbf767d394b1e73ec53e046c8d07235b2ec7c1c593c976bbf74ed9b7d442d68b526a0a77a9b5b0ab817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
7b29ee5e00cb4460edce0494be0902da

SHA1
650731fd16ff1fe9a0afb2216794c5e334989ffd

SHA256
42084bc2ba569f9f59f257eec2133cddb63813200fd2226fe7ba94a641aa22d6

SHA512
a7644d382a93ac2563e83c398d2ec9bd0c910b18f27d1a1a033f0a2d2756d3126ce36b604471fd854bc9b64152cbddfbc8291dce853d4ec0814c3f92c4d4d24a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
84c2960aefd8214d3cfb8159f610842f

SHA1
29e9ab033c7cc0e5c0bba4f81abcf19d16089370

SHA256
5e264147a9b87456a2bb924587535ac1d7011fd0f78dc79e6d5404bd69d4a450

SHA512
703a661364fd2b15d5a7e0e6723286ff091b60e31ed35e1b663c8b6dc6be3f0c984f0062b1e4bb89d23fde663b3d660d7cf2f0df3e456968b9f58b7260f2c45e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
336ffc2c740b2b824fb9632b6720a079

SHA1
f97fd48003275ad86e121723042e4eb4fa9b5a21

SHA256
57476dbf030de37c530bae492db237f01b75f190ba96cf0b10e0e28dd4a259ca

SHA512
f74ada3d6d527fc257ed85e58c9b9960bce84989581a41d6f689e640058143b3327b24d170bcba237c3af9acce40d10a56c1ad5ee233e14ec1f677b7cbe612ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
566B

MD5
f29886b5f01bb70fa8d8e7ff016dc4f9

SHA1
b6b2c3c69ae0693e0dc1f315742594a6d9947a45

SHA256
d4c238723c79f95010d87370510fdc5f7807ad15422a2dd323635e7784cd4613

SHA512
c1713bdea205fa2f2658c51d2569f421e7f87e620df255a179c68154cb8169d98c7099f28ab2194888cdd209077f2219be5d4877b90457b03fa778605e4c7bfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
3fde94216815e79ae3fbd344594fbef9

SHA1
256b3b9324ffc87485d7124236b332952c5a7855

SHA256
6c8d5f7c10da1b7587f147f0af8294a3c49b4ba8056fc1806696543948b81044

SHA512
cbad9d8b54836969454774f3624068330f477265b7508558bb421fff72c6accda3d0fd11539a2310ebdbf42f6d15102e067a5310c643cab9151bdb6868584b85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
44af7de7abb6500cf259bba2808ba64a

SHA1
e988140beac4518e41e3dc5d2fa025233c3f56e0

SHA256
1f98a22b303c32de0d9b719d59bae132d7374a14101b7326890394f2e6021736

SHA512
f8afd796254e9c99bdb66cb54d19d50547ada47e64d79d502171ae50a0db43cecaafa2339cd15f2bc2700edbb1e991bc4cd8f11c5c5c2ed1df173808e5b4b484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
bb320dbaa80981da8e6a93717e7c3701

SHA1
77fd8f5eb07369998c5423ee75a0472d5df27e8c

SHA256
7f5ca17261ad9678aa486d82331dfa7546a84a073ee4ddd442d08922a50d3d12

SHA512
52f9c66756735695cc461120f269cfd9aa3bfba4168cc04bcd87d90d9d900cfeb66f52d8d56db34deaa64ba99ef4c9f35de828721904ed133daa34f078a0e38f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
9ec786618284bbac46afbf567e681c0b

SHA1
627dd94397308398b05f48dfc872d2d7ad046839

SHA256
5f3cbf6759d8d0162104b25ccef1785ae3060d8a653b3a762d09399473a6b09d

SHA512
61c32f3ab4e2195dadb73f91cf4eea0d2b104c4743215d98ff41d6da99744d45b5d0458bd91a7b96c11ec6e3b1de1b33b5b9b3bd08e82c8d431c07ad844fa334

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
ab5e4b7de65f9b9f4e5cf038869b286c

SHA1
066dbbb6ea2ff165f2a718e8166ab381abb94d18

SHA256
e74310680f4cc4b62204227c6e2ccf5922cbb183e18caceb54df7ee8129da151

SHA512
0adf0f10fc85c328895e19b760f342e52b5710cf4dabf7b34041894076b04261162f265e85de547678b195a33353309e5be6e291f0b21eeb781fc0312927aea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
add3a6c224f2aba4ef6a5a34d7c2edd8

SHA1
014a8daec60368f6ac981d5c7ee9786e288e9b19

SHA256
34a51c3a9004d1cdd6a88a1043c7ee9a492d562f70fb8e165408155c882e1156

SHA512
3a93cf8228245113327a7b413a48ca7b89c788cf58344a91c3273cd2b2cb722646e9d7af74b6e92a95ad97a66f3b3659a156fbfcee8e943816340170a6bb9f2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
874B

MD5
58e62e300e794c5bff0da44e033a7d5a

SHA1
a53c7c65c30d3f9fd2020241cbcfbcff690ce461

SHA256
0caea726f9f0eda053d86fd566402fc4a6e6c59bfd055de3f298c109b43c89b9

SHA512
06137671a7848b3a1db9378b9681adb21fc364c1bdd890dfc93aabddc14fa72f3a6806e3e304d7d9af7181e33b31a0ef8fe0dd73ecf6a6790d6eee2d9504be73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
024dc2323934464fdbede7c33e149405

SHA1
5dfb5ca2784e41f72007c0b23be89016f4f6b548

SHA256
e810e3e911d5401c5b9223fe021208531b3f4587cafd8a0136c9e6d8b17d449a

SHA512
9a5912b6ceb4ff110131a0b4dc97591f9ad6b9fa1c6558dc0c314396ae13ecc5af1ea6447354d1d8c59f652006c2b4f9fcf9d6eaa5e0cbc336e4bf5cb0f47bb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5900e1.TMP
Filesize
706B

MD5
0c375402e5665e01572c2864db9d3bab

SHA1
00691a5e148a060c1b5383e73ba1a3c7c870bb77

SHA256
52e37f249ae2355ed1a352753657773a23f2670f5925c422b4ad1bda11936f2f

SHA512
7e6e1a202a8e1bbfc090d3dd7d2eb75fea254fcbac98496479304c207521de97e454508a7428867b4b2cec732496685af28ec2ef240ea776dfa02764c4a20b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
1cf4635b2e0d7b47b4ff8ca436818299

SHA1
90e7edac56d047cbaab21f1bf1516d8d263cb8cf

SHA256
6df274261869db908be8a1b7720829e556463b9b0cc5e4c8016c0b3784997991

SHA512
85195a208a8a2f121b8ba9e71ea78a965eefc302366084d21b7f12947110da95d2a34484163e88abb3ff1f81528577aae4a142d1b201ae50876eb0e2e3d9c531

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
e41cf1fd4f0f61feed6c0cd3b49cab2d

SHA1
e9ff43961bfa064c393c9aab4b80f2ddb145fe8b

SHA256
54684e53d3991d5285998ab544129efbb81010c048097a8089327c3eef36cbbd

SHA512
3417b569ea269c3ed6d6c364d74f55c1474624f31e063f15c45745efa4fd1a31a60a641113572be66e4a7343d0f1c92f0a960208f8419e6eaf693aebcbddd566

Download Submit
C:\Users\Admin\AppData\Roaming\@jakzo\vr-input-viewer-desktop\Service Worker\Database\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\pipe\LOCAL\crashpad_1156_CPQJGPMFPZRTGVHI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4864-639-0x00007FFF209F0000-0x00007FFF209F1000-memory.dmp

Filesize
4KB

Download
memory/4864-638-0x00007FFF200D0000-0x00007FFF200D1000-memory.dmp

Filesize
4KB

Download