Analysis
- max time kernel: 39s
- max time network: 45s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-08-2024 13:43
Static task: static1
Behavioral task: behavioral1
Sample: downloader.exe
Resource: win7-20240705-en
General
- Target: downloader.exe
- Size: 70.1MB
- MD5: 1e7167175840eea72194bf4b686128af
- SHA1: e19590ed9201cf5c80fad6dba45550115b577350
- SHA256: a6a87d0bb1f5d284a1135037ca0ec0ab2a2d1fd6f5b80d2738514877a8254ab2
- SHA512: d59809f1eb99a2c381985e21c81b3401abb716f7cf1caabede413194b50d41cd679c8a23b3bba27dd3306fde724345bb314a87dd5a6584a70940ab0bf3e08811
- SSDEEP: 393216:lWxQN89qQk4adiJCuE2fUCdod+OvqKkZHzXhJ/KTe8uiBUtkc0k3qEsGg4GUo3Nt:lWoI7zGi5ahWc3Im7
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes: notepad.exe (4 instances)
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | notepad.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | notepad.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | notepad.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | notepad.exe
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: notepad.exe (4 instances)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | notepad.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | notepad.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | notepad.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | notepad.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | notepad.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | notepad.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | notepad.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | notepad.exe
-
Executes dropped EXE 4 IoCs
Processes: notepad.exe (4 instances)
pid | process
2896 | notepad.exe
4764 | notepad.exe
1584 | notepad.exe
6120 | notepad.exe
-
Loads dropped DLL 4 IoCs
Processes: notepad.exe (4 instances)
pid | process
2896 | notepad.exe
4764 | notepad.exe
1584 | notepad.exe
6120 | notepad.exe
-
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\notepad.exe | agile_net
behavioral2/memory/2896-41-0x0000000000FE0000-0x0000000001792000-memory.dmp | agile_net
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\adf514ad-42fc-49f6-b976-c80d1e35d456\AgileDotNetRT64.dll | themida
behavioral2/memory/2896-55-0x00007FF8CE370000-0x00007FF8CEEF4000-memory.dmp | themida
behavioral2/memory/2896-76-0x00007FF8CE370000-0x00007FF8CEEF4000-memory.dmp | themida
behavioral2/memory/2896-69-0x00007FF8CE370000-0x00007FF8CEEF4000-memory.dmp | themida
behavioral2/memory/4764-89-0x00007FF8CE640000-0x00007FF8CF1C4000-memory.dmp | themida
behavioral2/memory/4764-95-0x00007FF8CE640000-0x00007FF8CF1C4000-memory.dmp | themida
behavioral2/memory/4764-105-0x00007FF8CE640000-0x00007FF8CF1C4000-memory.dmp | themida
behavioral2/memory/1584-180-0x00007FF8CA550000-0x00007FF8CB0D4000-memory.dmp | themida
behavioral2/memory/1584-183-0x00007FF8CA550000-0x00007FF8CB0D4000-memory.dmp | themida
behavioral2/memory/1584-187-0x00007FF8CA550000-0x00007FF8CB0D4000-memory.dmp | themida
behavioral2/memory/6120-210-0x00007FF8CA550000-0x00007FF8CB0D4000-memory.dmp | themida
behavioral2/memory/6120-221-0x00007FF8CA550000-0x00007FF8CB0D4000-memory.dmp | themida
behavioral2/memory/6120-225-0x00007FF8CA550000-0x00007FF8CB0D4000-memory.dmp | themida
-
Checks whether UAC is enabled 4 IoCs
Processes: notepad.exe (4 instances)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | notepad.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | notepad.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | notepad.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | notepad.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes: notepad.exe (4 instances)
pid | process
2896 | notepad.exe
4764 | notepad.exe
1584 | notepad.exe
6120 | notepad.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes: msedge.exe, msedge.exe, identity_helper.exe
pid | process
1156 | msedge.exe
1156 | msedge.exe
3840 | msedge.exe
3840 | msedge.exe
3840 | msedge.exe
2220 | identity_helper.exe
2220 | identity_helper.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
Processes: msedge.exe
pid | process | occurrences
3840 | msedge.exe | 20
-
Suspicious use of FindShellTrayWindow 25 IoCs
Processes: msedge.exe
pid | process | occurrences
3840 | msedge.exe | 25
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes: msedge.exe
pid | process | occurrences
3840 | msedge.exe | 24
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: downloader.exe, cmd.exe, msedge.exe, cmd.exe, msedge.exe
Identical "PID X wrote to memory of Y" entries are collapsed into one row with an occurrence count (64 entries in total):
pid | process | target pid | target process | occurrences
2792 | downloader.exe | 2264 | cmd.exe | 2
2264 | cmd.exe | 3840 | msedge.exe | 2
3840 | msedge.exe | 4016 | msedge.exe | 2
2792 | downloader.exe | 1088 | cmd.exe | 2
1088 | cmd.exe | 1532 | msedge.exe | 2
1532 | msedge.exe | 2100 | msedge.exe | 2
3840 | msedge.exe | 4924 | msedge.exe | 40
3840 | msedge.exe | 1156 | msedge.exe | 2
3840 | msedge.exe | 2508 | msedge.exe | 10
Processes
Process tree (indentation shows the parent/child level; each entry lists the image path, its PID, the command line, and the signatures attributed to it):
-
C:\Users\Admin\AppData\Local\Temp\downloader.exe (PID 2792)
  command: "C:\Users\Admin\AppData\Local\Temp\downloader.exe"
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (PID 2264)
      command: C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\index.html""
      - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3840)
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\index.html
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4016)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8d41b46f8,0x7ff8d41b4708,0x7ff8d41b4718
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4924)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1156)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
              - Suspicious behavior: EnumeratesProcesses
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2508)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 388)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 892)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 220)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3060)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4304 /prefetch:1
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4112)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4472)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4612)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
            C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4956)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:8
            C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2220)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:8
              - Suspicious behavior: EnumeratesProcesses
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 216)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4816)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4428)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4784)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5352)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5564)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5708)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5724)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:1
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5128)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5520)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4432 /prefetch:1
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4264)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5024)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3880)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,1553950474113875244,15069901357967980636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
    C:\Windows\system32\cmd.exe (PID 1088)
      command: C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\index.html""
      - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1532)
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\index.html
          - Suspicious use of WriteProcessMemory
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2100)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d41b46f8,0x7ff8d41b4708,0x7ff8d41b4718
    C:\Windows\system32\cmd.exe (PID 2292)
      command: C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""
        C:\Users\Admin\AppData\Local\Temp\notepad.exe (PID 2896)
          command: "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger
    C:\Windows\system32\cmd.exe (PID 932)
      command: C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\index.html""
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4748)
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\index.html
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1788)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8d41b46f8,0x7ff8d41b4708,0x7ff8d41b4718
    C:\Windows\system32\cmd.exe (PID 2716)
      command: C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\index.html""
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3916)
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\index.html
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2316)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d41b46f8,0x7ff8d41b4708,0x7ff8d41b4718
    C:\Windows\system32\cmd.exe (PID 4032)
      command: C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\index.html""
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3128)
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\index.html
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2692)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d41b46f8,0x7ff8d41b4708,0x7ff8d41b4718
    C:\Windows\system32\cmd.exe (PID 3464)
      command: C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""
        C:\Users\Admin\AppData\Local\Temp\notepad.exe (PID 4764)
          command: "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger
    C:\Windows\system32\cmd.exe (PID 4764)
      command: C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\index.html""
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2300)
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\index.html
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4956)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d41b46f8,0x7ff8d41b4708,0x7ff8d41b4718
    C:\Windows\system32\cmd.exe (PID 3800)
      command: C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\index.html""
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3200)
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\index.html
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1728)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8d41b46f8,0x7ff8d41b4708,0x7ff8d41b4718
    C:\Windows\system32\cmd.exe (PID 5124)
      command: C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\index.html""
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5224)
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\index.html
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5244)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d41b46f8,0x7ff8d41b4708,0x7ff8d41b4718
    C:\Windows\system32\cmd.exe (PID 5152)
      command: C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\index.html""
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5392)
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\index.html
            C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5416)
              command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d41b46f8,0x7ff8d41b4708,0x7ff8d41b4718
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\index.html""2⤵PID:5164
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\index.html3⤵PID:5316
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff8d41b46f8,0x7ff8d41b4708,0x7ff8d41b47184⤵PID:5336
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\index.html""2⤵PID:6028
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\index.html3⤵PID:6084
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d41b46f8,0x7ff8d41b4708,0x7ff8d41b47184⤵PID:6096
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵PID:5936
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1584 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\index.html""2⤵PID:5640
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\index.html3⤵PID:5588
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d41b46f8,0x7ff8d41b4708,0x7ff8d41b47184⤵PID:5648
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\index.html""2⤵PID:6040
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\index.html3⤵PID:6092
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d41b46f8,0x7ff8d41b4708,0x7ff8d41b47184⤵PID:5848
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""2⤵PID:6052
-
C:\Users\Admin\AppData\Local\Temp\notepad.exe"C:\Users\Admin\AppData\Local\Temp\notepad.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6120 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\index.html""2⤵PID:5860
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\index.html3⤵PID:3732
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d41b46f8,0x7ff8d41b4708,0x7ff8d41b47184⤵PID:5076
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\index.html""2⤵PID:3040
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\index.html3⤵PID:5212
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d41b46f8,0x7ff8d41b4708,0x7ff8d41b47184⤵PID:5912
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\index.html""2⤵PID:5160
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\index.html""2⤵PID:5024
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3548
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3020
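The tree above shows two behaviours worth a detection rule: cmd.exe used as a launcher (`/d /s /c "start "" ..."`) for files under the user's Temp directory, and a dropped binary that borrows the name of a Windows system executable (notepad.exe) while running from `C:\Users\Admin\AppData\Local\Temp\`. The following is an added example, not part of the sandbox report, that runs those two checks over constructed process-creation events modelled on the PIDs and command lines listed here (Sysmon Event ID 1 style fields; the parent PID 1000 and the benign control event are assumptions for the sample):

```python
import re
from collections import Counter

# Constructed process-creation events (not from a real log), modelled on the tree
# above. Fields mirror Sysmon Event ID 1 / Windows 4688. ppid 1000 stands in for
# the sample's parent; PID 4242 is a benign control (real notepad.exe from System32).
EVENTS = [
    {"pid": 3800, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "command_line": r'C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\index.html""'},
    {"pid": 3200, "ppid": 3800, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "command_line": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\index.html'},
    {"pid": 5936, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "command_line": r'C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""'},
    {"pid": 1584, "ppid": 5936, "image": r"C:\Users\Admin\AppData\Local\Temp\notepad.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\notepad.exe"'},
    {"pid": 4242, "ppid": 1000, "image": r"C:\Windows\system32\notepad.exe",
     "command_line": r'"C:\Windows\system32\notepad.exe" C:\Users\Admin\notes.txt'},
]

# Windows binary names a dropper may reuse to look benign; genuine copies live
# under the Windows directory (System32 / SysWOW64 are covered by the prefix).
SYSTEM_BINARY_NAMES = {"notepad.exe", "cmd.exe", "svchost.exe", "explorer.exe", "rundll32.exe"}
WINDOWS_DIR_PREFIXES = ("c:\\windows\\",)

# cmd.exe launching something under <drive>:\...\AppData\Local\Temp\ via "start".
CMD_START_FROM_TEMP = re.compile(
    r'cmd\.exe\s.*?\bstart\b.*?"?([A-Za-z]:\\[^"]*\\AppData\\Local\\Temp\\[^"]+)',
    re.IGNORECASE,
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_masquerading_system_binary(image: str) -> bool:
    """A well-known Windows binary name running from outside the Windows directory."""
    return (basename(image) in SYSTEM_BINARY_NAMES
            and not image.lower().startswith(WINDOWS_DIR_PREFIXES))


def analyze(events):
    """Return (pid, rule, detail) tuples for the two behaviours seen in the tree."""
    findings = []
    for ev in events:
        image, cmdline = ev["image"], ev["command_line"]
        if basename(image) == "cmd.exe":
            m = CMD_START_FROM_TEMP.search(cmdline)
            if m:
                findings.append((ev["pid"], "cmd_start_from_temp", m.group(1)))
        if is_masquerading_system_binary(image):
            findings.append((ev["pid"], "masquerading_system_binary", image))
    return findings


def execution_chain(events, pid):
    """Follow ppid links back to the oldest ancestor present in events; root first."""
    by_pid = {ev["pid"]: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def summarize(findings):
    """Count findings per rule, e.g. to see how often the launcher pattern repeats."""
    return Counter(rule for _, rule, _ in findings)


if __name__ == "__main__":
    results = analyze(EVENTS)
    for pid, rule, detail in results:
        print(f"PID {pid:>5}  {rule:<28} {detail}")
        print("       chain:", " -> ".join(execution_chain(EVENTS, pid)))
    print(dict(summarize(results)))
```

On the constructed events the launcher rule fires twice (once for the decoy index.html, once for the dropped notepad.exe) and the masquerading rule once, for PID 1584 only; the Edge child and the System32 notepad.exe control produce nothing. In a real pipeline the same checks apply to the Image and CommandLine fields of Sysmon or 4688 events.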
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize 654B
  MD5 2ff39f6c7249774be85fd60a8f9a245e
  SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
- Filesize 152B
  MD5 ab8ce148cb7d44f709fb1c460d03e1b0
  SHA1 44d15744015155f3e74580c93317e12d2cc0f859
  SHA256 014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff
  SHA512 f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4
- Filesize 152B
  MD5 38f59a47b777f2fc52088e96ffb2baaf
  SHA1 267224482588b41a96d813f6d9e9d924867062db
  SHA256 13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b
  SHA512 4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b
- Filesize 5KB
  MD5 7bfcac2a7f9feec7b9228353fc086a3b
  SHA1 2f88fdb74010c3a5c004f5bc6e244542e0643fdb
  SHA256 8cb2da618968eaccc2893c0f9313184c46bd9e5e78149d61604cd03829c23800
  SHA512 a238412dfdfaff0332f9b4a06d75a3f883e4875365981a5200444938505cbb04b8c4e8b6fbe78117c38aaf45cc8b410d69a790fed4336827d7ae97ce38551f4a
- Filesize 6KB
  MD5 13608ecf1be54c5c55141331f5862d26
  SHA1 7902bc5bd5accc20219be57916f5a07b68de3330
  SHA256 1bdd8c5defa9a4e85ffaffdf327b441afbaf642fe36eddeca2fb1134aa2ab357
  SHA512 f8c78080ff03f21dc683c6549ed3efe48f3e9cae8d5cc512ccc6bc143e4cd12b4c21b86a9b80f107b6b6088baa76dac0c8722c4cccf85bace83b215f1af1921e
- Filesize 16B
  MD5 6752a1d65b201c13b62ea44016eb221f
  SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize 11KB
  MD5 a538d53970cb608db769187b219d90e8
  SHA1 6f9e978429a3bac05eeec7fa52194681fd4aff2b
  SHA256 52caa04803b819fac2b92034fc4a9c75e22ed8398bedd7f4d55517c7000d5306
  SHA512 a9abe9d6ebac482ddfd9756e1fa54d2d389de73f46c83175af49fd6b27e588b345060f611d6e1ad456ac199c0fb030f4a7bbcb790dcd6da6b4f2abe3dd2c4678
- Filesize 4.2MB
  MD5 05b012457488a95a05d0541e0470d392
  SHA1 74f541d6a8365508c794ef7b4ac7c297457f9ce3
  SHA256 1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d
  SHA512 6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6
- Filesize 135B
  MD5 2181fb95769ba5fa41570609cebeb987
  SHA1 42358e3ae66794b515749ccda53ed1b87469a334
  SHA256 6c50ec6ff71187a9a096acccc393b9f515c3f0f2259ebd4ee9b3b57b9e8c08ef
  SHA512 ab60c277f886df4a04f85b0bfafe90fb4d58ffe4ad32e0a69da8851e26c5272a9303c6688b82ad3ed5aece60ecb74036d6bdccc6675c7c9e0462e1233c3bfe96
- Filesize 7.7MB
  MD5 579078bb734cfe6a03ed586843cda447
  SHA1 ae68766ce29d286f569f61621c8327159abc4b12
  SHA256 2bf7650e4577b8b07f212097beea142c3c7c469ccce4b62c2c1835cc20184623
  SHA512 19f191fbc5ad4ca139a78fdf4636c3dc767303df4e9f42e24931b66a47fba29d37219a3160531a1dc9c5698d7ec52be709eb751ca092867dcb86b358ce2292ed
- Filesize not listed (the four digests below are those of zero-length input, i.e. an empty file)
  MD5 d41d8cd98f00b204e9800998ecf8427e
  SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
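Before pivoting on these digests (threat-intel lookups, blocklists), it pays to parse the list into records, check that each digest has the right length for its algorithm, and recognise the last entry for what it is: the well-known digests of empty input, which carry no information about the sample. The code below is an added example, not part of the report, that does this over a constructed excerpt in the list's own layout (label and value either fused on one line or split across two, records separated by a lone "-"); the empty-input digests are computed with hashlib rather than hard-coded:

```python
import hashlib
import re

# Constructed excerpt in the layout of the "Downloads" list: one field per line,
# label fused to its value ("MD5<hex>") or on its own line, records split by "-".
# The digest values are the ones listed on the page.
SAMPLE = """\
-
Filesize
135B
MD52181fb95769ba5fa41570609cebeb987
SHA142358e3ae66794b515749ccda53ed1b87469a334
SHA2566c50ec6ff71187a9a096acccc393b9f515c3f0f2259ebd4ee9b3b57b9e8c08ef
SHA512ab60c277f886df4a04f85b0bfafe90fb4d58ffe4ad32e0a69da8851e26c5272a9303c6688b82ad3ed5aece60ecb74036d6bdccc6675c7c9e0462e1233c3bfe96
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

DIGEST_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest labels first so "SHA512..." / "SHA256..." are not read as "SHA5"/"SHA2" + hex.
LABEL_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)\s*([0-9A-Fa-f]*)$")
# Digests of zero bytes of input, computed here instead of hard-coded.
EMPTY_INPUT = {name: getattr(hashlib, name.lower())(b"").hexdigest() for name in DIGEST_HEX_LEN}


def parse_downloads(text):
    """Group the flat label/value lines into one dict per dropped file."""
    records, current, pending = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":                       # record separator
            if current:
                records.append(current)
            current, pending = {}, None
            continue
        if pending is not None:               # value for a label that stood alone
            current[pending] = line if pending == "Filesize" else line.lower()
            pending = None
            continue
        if line == "Filesize":
            pending = "Filesize"
            continue
        m = LABEL_RE.match(line)
        if m:
            label, hexval = m.groups()
            if hexval:
                current[label] = hexval.lower()
            else:
                pending = label
    if current:
        records.append(current)
    return records


def validate(record):
    """List problems with a record: malformed digest lengths or a missing size."""
    problems = []
    for label, n in DIGEST_HEX_LEN.items():
        if label in record and len(record[label]) != n:
            problems.append(f"{label} has {len(record[label])} hex chars, expected {n}")
    if "Filesize" not in record:
        problems.append("missing Filesize")
    return problems


def is_empty_file(record):
    """True when every digest present equals the digest of zero-length input."""
    present = [k for k in DIGEST_HEX_LEN if k in record]
    return bool(present) and all(record[k] == EMPTY_INPUT[k] for k in present)


if __name__ == "__main__":
    for rec in parse_downloads(SAMPLE):
        tag = "EMPTY FILE" if is_empty_file(rec) else rec.get("Filesize", "?")
        print(tag, rec.get("SHA256"), validate(rec) or "ok")
```

The length check catches digests truncated or fused by extraction; the empty-file check keeps a meaningless indicator out of blocklists and lookups.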