7f19b0c0bc1ce4ce7b0bd072527f2feade5809d8de040c01945737534502a4de

Analysis

max time kernel
427s
max time network
429s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 14:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

13.3MB
MD5

d3567c93fb7a218ad130542ac8b02a76
SHA1

e0f2e65b0eab58da6c26de403933ed6e22c0c364
SHA256

7f19b0c0bc1ce4ce7b0bd072527f2feade5809d8de040c01945737534502a4de
SHA512

a245ff8e8e6843298159ae207866df7f840865f02ac7c813faa9b7a5b1740b2b9bde496e98dc413f12597e96c5c8c62fde4845a774d904eb089070d80498be04
SSDEEP

196608:YTYz2RUiumFCR0F29+AFB1Au21QUhX2nUMhjIhK/gVCPxWrJerBtZEmla:EYz2RR69+an9WaUioVCPoozZN8

Score

9^/10

discovery evasion execution persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\winhb.sys	Loader.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Loader.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2879}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2859}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2869}	Loader.exe
File opened for modification	C:\Windows\System32\IME\IMETC\{69CD1F2D-DF68-4E23-9108-1B70783F2879}	Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1060	Loader.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2892}	Loader.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2859}	Loader.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}	Loader.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2893}	Loader.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4580	sc.exe
1304	sc.exe
2060	sc.exe
1336	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
1060	Loader.exe
4620	msedge.exe
4620	msedge.exe
1472	msedge.exe
1472	msedge.exe
2232	msedge.exe
2232	msedge.exe
2144	msedge.exe
2144	msedge.exe
404	msedge.exe
404	msedge.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1936	SystemSettingsAdminFlows.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1060 wrote to memory of 4200	1060	Loader.exe	84
PID 1060 wrote to memory of 4200	1060	Loader.exe	84
PID 4200 wrote to memory of 1336	4200	cmd.exe	86
PID 4200 wrote to memory of 1336	4200	cmd.exe	86
PID 1060 wrote to memory of 2344	1060	Loader.exe	87
PID 1060 wrote to memory of 2344	1060	Loader.exe	87
PID 2344 wrote to memory of 4580	2344	cmd.exe	89
PID 2344 wrote to memory of 4580	2344	cmd.exe	89
PID 1060 wrote to memory of 2228	1060	Loader.exe	90
PID 1060 wrote to memory of 2228	1060	Loader.exe	90
PID 1060 wrote to memory of 4556	1060	Loader.exe	92
PID 1060 wrote to memory of 4556	1060	Loader.exe	92
PID 1060 wrote to memory of 3484	1060	Loader.exe	94
PID 1060 wrote to memory of 3484	1060	Loader.exe	94
PID 3484 wrote to memory of 2436	3484	cmd.exe	95
PID 3484 wrote to memory of 2436	3484	cmd.exe	95
PID 3484 wrote to memory of 760	3484	cmd.exe	96
PID 3484 wrote to memory of 760	3484	cmd.exe	96
PID 3484 wrote to memory of 4736	3484	cmd.exe	97
PID 3484 wrote to memory of 4736	3484	cmd.exe	97
PID 2228 wrote to memory of 2060	2228	cmd.exe	98
PID 2228 wrote to memory of 2060	2228	cmd.exe	98
PID 4556 wrote to memory of 1304	4556	cmd.exe	99
PID 4556 wrote to memory of 1304	4556	cmd.exe	99
PID 1060 wrote to memory of 3792	1060	Loader.exe	100
PID 1060 wrote to memory of 3792	1060	Loader.exe	100
PID 1060 wrote to memory of 5032	1060	Loader.exe	101
PID 1060 wrote to memory of 5032	1060	Loader.exe	101
PID 3916 wrote to memory of 3064	3916	msedge.exe	116
PID 3916 wrote to memory of 3064	3916	msedge.exe	116
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117
PID 3916 wrote to memory of 808	3916	msedge.exe	117

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Windows\system32\sc.exe
    sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    3⤵
    - Launches sc.exe
    PID:1336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc start windowsproc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\system32\sc.exe
    sc start windowsproc
    3⤵
    - Launches sc.exe
    PID:4580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\system32\sc.exe
    sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    3⤵
    - Launches sc.exe
    PID:2060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc start windowsproc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\system32\sc.exe
    sc start windowsproc
    3⤵
    - Launches sc.exe
    PID:1304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5
    3⤵
    PID:2436
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:760
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:4736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultef0ffd5chdb21h42a9hb817h78d5518afd64
1⤵
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd8b5e46f8,0x7ffd8b5e4708,0x7ffd8b5e4718
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,3652229934835044161,14014786861622060885,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,3652229934835044161,14014786861622060885,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,3652229934835044161,14014786861622060885,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:5028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault5a67b9behbb9bh4af6hbeddh665171b4c195
1⤵
PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd8b5e46f8,0x7ffd8b5e4708,0x7ffd8b5e4718
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,706377290320058589,13674949255695218476,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,706377290320058589,13674949255695218476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,706377290320058589,13674949255695218476,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
  2⤵
  PID:4764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:1792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault8d1c0311hf601h4403h87ddh0f574437b52f
1⤵
PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd8b5e46f8,0x7ffd8b5e4708,0x7ffd8b5e4718
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,4147272768260560289,16470817694696379795,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,4147272768260560289,16470817694696379795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,4147272768260560289,16470817694696379795,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:4896

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault47f38e6dh14ffh45abhb0e5h6f9c201b5c9f
1⤵
PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd8b5e46f8,0x7ffd8b5e4708,0x7ffd8b5e4718
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,10064766881896874319,13156991534375273720,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,10064766881896874319,13156991534375273720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,10064766881896874319,13156991534375273720,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault785c173bhf872h498eh98f3hf15bcf7395aa
1⤵
PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd8b5e46f8,0x7ffd8b5e4708,0x7ffd8b5e4718
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,11508720703148749913,8254310324802759868,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,11508720703148749913,8254310324802759868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2508 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,11508720703148749913,8254310324802759868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2968 /prefetch:8
  2⤵
  PID:2332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4536

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
1⤵
PID:2524

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
1⤵
PID:4900

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
1⤵
PID:4532

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
1⤵
PID:2360

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOnDeveloperFeatures DeveloperUnlock
1⤵
- Suspicious use of SetWindowsHookEx
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
57ce7118cb0beed6973e62b94dbda4b5

SHA1
a9876806f2adee0fa6200e79a871ae3637a652be

SHA256
19e72be36bf08db3025ba96c0ea7c3d571ab2db5519cb93e3685dbcf747e389b

SHA512
2217be5ab6d03f253c81299aef99d3c1900ada8037e4a74e8e1df1e4b238fd59dd1ba8cad14435ecf15c06a18eeca6981e75890089804d679558856fe4f7976f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0f09d79044d230b6ea0d4a7cac393724

SHA1
59210afb63fca5a6c9718228d2612136ee594ed6

SHA256
2564c30f37cccefc2f7310bf2f3ed1ce7319da0f56d550ce84293beef1bdd5f0

SHA512
e2ab671a51c237268b9c654d53254f05480f2d64a6dac1e1e8cd7dd30eae3e7767ea65e50f7f12317866947263411fd33502114ad8894a7c0b5dff82cce549d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85c97f76d4cbb214e623dc535ed8dbd5

SHA1
e267d7944b337ee9774f0f9f630cb6a925a8c1e4

SHA256
9f04942e46cdcd50a124f7067dca1c64a9355609a3167b726cab7b267d125e93

SHA512
6962e235485501f5f64c29e3f19769cd531198b15e72e9bf61d4173c07093e53964bdc1d48a0d09846bd712f60bfc50ce00d791c3505008a6b8b054ce5f76765

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4b9b1bf9-e13f-459b-8e7c-53ec59d2de99.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9e36358ed66524ef95fba04f1ab7d1be

SHA1
c717366371b7fe0683d466c9228853c7f80e3102

SHA256
c59fa79986cb677ba1b0deec97e9354b2d396046a88c0dd03ce4b4e3ba8bf72d

SHA512
c7cbd263bb7ba58408cfd6d9e3327ff999e97190a420af4c4d2d410b16a2a403f4888a1e8411b0a2e3d04b7cd505f9b5fc370929aca5e173719c4598dd1d291e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b5e2f915192bdff0ef2fdc6e5dc144bd

SHA1
7d9b367e50b4f72e7fcada8cb513ef4fb7df46dc

SHA256
5112e7a9339ed0cb9fd0b90a2c0b6e2f31253aaba2e786c1a7a0f28676f5ec1c

SHA512
ef434bc46d375a581f15e9ed3b0e54f636e08f3db5b6bcac4ab96afc67b1a4e1e38c751fd49b563b64ae6142bd3c719103016f3799675b7b72e6d3c9f155871d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3cc3f6ab57e86f3b03c439c57b03c1e4

SHA1
e5fa78103cd99ef7a18c29d486b7f4b332f313b4

SHA256
b97a8cb5b18399716ff2c87e35207366826625fa7128e50df3fc8b50e216cda5

SHA512
87a71146a87cc96f3eca2cfd2b157a79f45fc3c10f67a7277555e4aff9a510f053078f8bccbeb834ea8c3eba76d2beb4025849fc09a7faddc7139fb6c0f17c19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8c8adea0c35091a99f1005f1a382a4df

SHA1
49da7bec16dea5e4ce46b98bd43869d9f8c24372

SHA256
6c273362b3e58bf1a64dfe0725c0b7c20d7519818cf7a73292bfe7e6381ecb7e

SHA512
94220434f60388eeb8514518105190fcd7afa88b0bc096b957a1edce2b097823b967e74676e24da5c33c6e644fcddbb4e24aaed4aa9280e41b46f7691f709f59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
5e7fb84645f6e614824e16036ebbad69

SHA1
a3159deaeafab1b34c031677f05ef747479894d5

SHA256
dd500335443f5b7958a99d79bc229a209f0d379cba720036ce055365ee002a36

SHA512
74e90c4f7099462b4a04c1c159172accd2f70f9b382cd8dcc45a59dfbc7422084bea21f989cd08d348d539c331fa25cb9bade7592509819d95687e6e9329ba2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
6d1f7aeb8ae6bc711e4f28678cfa1898

SHA1
58473437bf5032426431a7918c1d5d230f46f2d1

SHA256
27bb5b92ece400c4be47fe531dbbf2248f8c54da6499cd31c5afa538a05926a9

SHA512
ee461e68b7250bf9cf942ee0b3347df9c93ec7fcd5229a8cbd2ca29a39766b33885b756bdb022a1dd9317a2872c5402c9392828a903ba8a5b03091f96cc70cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
885f2919306a3f617e8a32724a2a32c0

SHA1
fbc5285ed5a700dda21f5ec9dcfe442d943474f4

SHA256
6f000e9cf6293d5848a11fc35aff50d3b547b0b737e58d735e32948deb5ecd5b

SHA512
10b00b1e5e6aaf6d91151d9e94c175a4ef42a2c6eadf855a4bfaf64aa9c861fca2e957eb3529d80f5d89a5705afcb2f3662d03ab4931fe937c26c1d20fdcd203

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
13ce4dfe3caefd98e9abb99bc1ed4857

SHA1
1133101d6a5a38cf0736b6844817bc2e1c7b6fbd

SHA256
552f5f2e4eb18b741ee32398d6b10c640c857d4a9bbc983a8c85cc4af4466215

SHA512
ea2ae71f160fb8eff3048a73042dbdb9d47db527a5447ac9e3cb7c371c9751de1f95eb098867434e7e865fe3270e30669eaa24e823dfd3444c6fe11e68c7ebcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
6844844375c99278220c2f043339842b

SHA1
52e85ad9ea7090010bbef5517cb09920abe31205

SHA256
3351465ab967b6a4c14a9bde3ca4ead03854a6a92277f435535d1665e62dc9cb

SHA512
084c42bcbc5b5f5a1dc0485b37bd80c1fa77505dc0d9b4a4628d22308849aee25fecc34df3426927fbefe83c10d3d56a87afdaba434195ae0b4235615d0b0dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
c6892b38930feb5958858f6cb9ce0406

SHA1
37ba3555b39d2bf21f35b1741384334275353d82

SHA256
5faf497e3a4fb2547fba5164ca944d0a6ba1ea001b9d32ca223a9bcaa5582107

SHA512
c12e29b27b8fb4813641fd09a396dd7935c7115e1378b9560114c391dfcdb1c2710cf42be094ead0abc9fcae141a2dcc4246d8d8337861ce8eb901e232c8f698

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
b9117363858d571ad7ee8722e45377ea

SHA1
0bf2241a1cd9e43b799e2bf583748e36178ae244

SHA256
403e7221be5256479f9bf8ad52d485afbc61125c243d90fe7e6f90df0c38ef86

SHA512
9913cbc83f2444e52dbecf3798387c8fad461078b60d6d13677ed3ed60b05cb355e15f96a376799ec211995fe32694e427d5378bc147d96faf2dae2310cf2a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
50bd7194c8346f0b706ccf0bd348a081

SHA1
55ace7454a489b65ccdfd3dd9c840291312c23f5

SHA256
cb61bbd77ee11aa088d0c9e8a814407ed7852000a70928371e0f8ea607881374

SHA512
359f0f9aa5cfd3dd1e566dc15514834eaea53cb138afc8196f8d4f5d0acc71e976e45d1590208cda72d6738f2cfcd63b23a26eb65d7040c30739b968a6a53417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ed3554e2-12f7-4a92-b553-3250e333203f.tmp

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
6721b729372648386f36525ec0b720ab

SHA1
d20a1e51b4e4a598ed3a93918a27254c17386464

SHA256
1993081e999a889a67013e46a9ceab8783b35bcc53b45b455c2cdc403c85ee40

SHA512
65bd5840ac32bbe479262ab6801fbe07a0ad62fd78995efb49fff4ee254f3a5b38c49f0e4668a6a69205a39c389c2582f786514af261c6755187ec771be273be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
87160b5ab18ffaace7ec9e1cc436c7a2

SHA1
91669c04401b20774b6229a7b3ba6d17d4305c70

SHA256
72f14d6477b1c133916eca283495cfcbcd441ca03128616f054ae54405ff9b49

SHA512
a86ce45014574e7d2b407da617ec74a22b6bc9474b440752a4ce8380848f9ced85c4c77c1b6d247be4e5ea4d453be05e5b36031d46180bb2c6a5aacd8ba58c0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
cb247b5cbe411285ed3b99bc03a1187c

SHA1
db2cff04a25741a41c27c9a54448785c020b6b14

SHA256
a478625edcead579f2a6e8af4b38bb1803f8c653e8f9b296b556a11d5326f968

SHA512
c298e1fee009348a671e8d8f3438fbb86e95479bb09e1f1a4f01352687a28928cc292893bc0b559a7c2a92b2c43de38c699f8f4cb90e3900abf72f8d1518c137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
97f2af2558617e969efba0c1caba7dd8

SHA1
2891ccad820bb42f95e575fc47672a2b7cdd019d

SHA256
f34cadc185db28e4559b8ac97c9d33a61b8d62ee351c2a8deb5e7f36a186b943

SHA512
0c4eadef720bbf555267d71139ffd3ff840dda3bf63d6193ff19ef3e3f0616c490a069e33d0c9df9193c14f99e367667941d8324304090a95b3031b6efe4ca75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
memory/1060-1-0x0000000140000000-0x0000000141E1B000-memory.dmp

Filesize
30.1MB

Download
memory/1060-3-0x0000000140000000-0x0000000141E1B000-memory.dmp

Filesize
30.1MB

Download
memory/1060-15-0x0000000140000000-0x0000000141E1B000-memory.dmp

Filesize
30.1MB

Download
memory/1060-2-0x00007FFDAA150000-0x00007FFDAA152000-memory.dmp

Filesize
8KB

Download
memory/1060-0-0x0000000140000000-0x0000000141E1B000-memory.dmp

Filesize
30.1MB

Download
memory/1060-4-0x0000000140000000-0x0000000141E1B000-memory.dmp

Filesize
30.1MB

Download