035a82de22713080aa43c483c1c1cef63b827bd575a0486996f3a70ce5477e49

Analysis

max time kernel
52s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Immortal Woofer.exe
Size

151.1MB
MD5

b3a420741d0c3ef020daa5332bcba7b6
SHA1

fab88334908bd6ac99ae2e98c7aa7b7412ebfc7d
SHA256

035a82de22713080aa43c483c1c1cef63b827bd575a0486996f3a70ce5477e49
SHA512

12b7af549557e9b705d4a11bdc023dcd2cab2dcb8673bb359a2ccfa284567f17fa9e97142352f416bc2b0edf198e56d900c69644198822fb16205fc98282f8e6
SSDEEP

786432:UPKYRuO3mOTgbr/skQsh/SgaNkbks5GoE3yKZ1fX36n:UPKCuO3mSgfkCKqksYoE3ySA

Score

9^/10

discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Fruit Cleener.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Fruit Cleener.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Fruit Cleener.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Immortal Woofer.exe

Executes dropped EXE 7 IoCs

pid	Process
3176	LOADER_HERE.exe
4588	LOADER_HERE.exe
4644	LOADER_HERE.exe
4328	LOADER_HERE.exe
1940	LOADER_HERE.exe
624	Fruit Cleener.exe
2876	LOADER_HERE.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000a0000000234f0-50.dat	themida
behavioral2/memory/624-52-0x00007FF7F3C50000-0x00007FF7F45EB000-memory.dmp	themida
behavioral2/memory/624-55-0x00007FF7F3C50000-0x00007FF7F45EB000-memory.dmp	themida
behavioral2/memory/624-56-0x00007FF7F3C50000-0x00007FF7F45EB000-memory.dmp	themida
behavioral2/memory/624-54-0x00007FF7F3C50000-0x00007FF7F45EB000-memory.dmp	themida
behavioral2/memory/624-57-0x00007FF7F3C50000-0x00007FF7F45EB000-memory.dmp	themida
behavioral2/memory/624-59-0x00007FF7F3C50000-0x00007FF7F45EB000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Fruit Cleener.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
624	Fruit Cleener.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\IME\serial_checker.bat	Immortal Woofer.exe
File created	C:\Windows\IME\Fruit Cleener.exe	Immortal Woofer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3204	cmd.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Immortal Woofer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Immortal Woofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Immortal Woofer.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
4600	taskkill.exe
3916	taskkill.exe
4376	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2424	msedge.exe
2424	msedge.exe
2932	msedge.exe
2932	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4756	WMIC.exe
Token: SeSecurityPrivilege	4756	WMIC.exe
Token: SeTakeOwnershipPrivilege	4756	WMIC.exe
Token: SeLoadDriverPrivilege	4756	WMIC.exe
Token: SeSystemProfilePrivilege	4756	WMIC.exe
Token: SeSystemtimePrivilege	4756	WMIC.exe
Token: SeProfSingleProcessPrivilege	4756	WMIC.exe
Token: SeIncBasePriorityPrivilege	4756	WMIC.exe
Token: SeCreatePagefilePrivilege	4756	WMIC.exe
Token: SeBackupPrivilege	4756	WMIC.exe
Token: SeRestorePrivilege	4756	WMIC.exe
Token: SeShutdownPrivilege	4756	WMIC.exe
Token: SeDebugPrivilege	4756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4756	WMIC.exe
Token: SeRemoteShutdownPrivilege	4756	WMIC.exe
Token: SeUndockPrivilege	4756	WMIC.exe
Token: SeManageVolumePrivilege	4756	WMIC.exe
Token: 33	4756	WMIC.exe
Token: 34	4756	WMIC.exe
Token: 35	4756	WMIC.exe
Token: 36	4756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4756	WMIC.exe
Token: SeSecurityPrivilege	4756	WMIC.exe
Token: SeTakeOwnershipPrivilege	4756	WMIC.exe
Token: SeLoadDriverPrivilege	4756	WMIC.exe
Token: SeSystemProfilePrivilege	4756	WMIC.exe
Token: SeSystemtimePrivilege	4756	WMIC.exe
Token: SeProfSingleProcessPrivilege	4756	WMIC.exe
Token: SeIncBasePriorityPrivilege	4756	WMIC.exe
Token: SeCreatePagefilePrivilege	4756	WMIC.exe
Token: SeBackupPrivilege	4756	WMIC.exe
Token: SeRestorePrivilege	4756	WMIC.exe
Token: SeShutdownPrivilege	4756	WMIC.exe
Token: SeDebugPrivilege	4756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4756	WMIC.exe
Token: SeRemoteShutdownPrivilege	4756	WMIC.exe
Token: SeUndockPrivilege	4756	WMIC.exe
Token: SeManageVolumePrivilege	4756	WMIC.exe
Token: 33	4756	WMIC.exe
Token: 34	4756	WMIC.exe
Token: 35	4756	WMIC.exe
Token: 36	4756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3652	WMIC.exe
Token: SeSecurityPrivilege	3652	WMIC.exe
Token: SeTakeOwnershipPrivilege	3652	WMIC.exe
Token: SeLoadDriverPrivilege	3652	WMIC.exe
Token: SeSystemProfilePrivilege	3652	WMIC.exe
Token: SeSystemtimePrivilege	3652	WMIC.exe
Token: SeProfSingleProcessPrivilege	3652	WMIC.exe
Token: SeIncBasePriorityPrivilege	3652	WMIC.exe
Token: SeCreatePagefilePrivilege	3652	WMIC.exe
Token: SeBackupPrivilege	3652	WMIC.exe
Token: SeRestorePrivilege	3652	WMIC.exe
Token: SeShutdownPrivilege	3652	WMIC.exe
Token: SeDebugPrivilege	3652	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3652	WMIC.exe
Token: SeRemoteShutdownPrivilege	3652	WMIC.exe
Token: SeUndockPrivilege	3652	WMIC.exe
Token: SeManageVolumePrivilege	3652	WMIC.exe
Token: 33	3652	WMIC.exe
Token: 34	3652	WMIC.exe
Token: 35	3652	WMIC.exe
Token: 36	3652	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3652	WMIC.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 3176	2392	Immortal Woofer.exe	95
PID 2392 wrote to memory of 3176	2392	Immortal Woofer.exe	95
PID 2392 wrote to memory of 4588	2392	Immortal Woofer.exe	97
PID 2392 wrote to memory of 4588	2392	Immortal Woofer.exe	97
PID 2392 wrote to memory of 4644	2392	Immortal Woofer.exe	99
PID 2392 wrote to memory of 4644	2392	Immortal Woofer.exe	99
PID 2392 wrote to memory of 4900	2392	Immortal Woofer.exe	101
PID 2392 wrote to memory of 4900	2392	Immortal Woofer.exe	101
PID 4900 wrote to memory of 4756	4900	cmd.exe	103
PID 4900 wrote to memory of 4756	4900	cmd.exe	103
PID 4900 wrote to memory of 3652	4900	cmd.exe	104
PID 4900 wrote to memory of 3652	4900	cmd.exe	104
PID 4900 wrote to memory of 752	4900	cmd.exe	105
PID 4900 wrote to memory of 752	4900	cmd.exe	105
PID 4900 wrote to memory of 4736	4900	cmd.exe	106
PID 4900 wrote to memory of 4736	4900	cmd.exe	106
PID 4900 wrote to memory of 2616	4900	cmd.exe	107
PID 4900 wrote to memory of 2616	4900	cmd.exe	107
PID 4900 wrote to memory of 4884	4900	cmd.exe	108
PID 4900 wrote to memory of 4884	4900	cmd.exe	108
PID 2392 wrote to memory of 4328	2392	Immortal Woofer.exe	110
PID 2392 wrote to memory of 4328	2392	Immortal Woofer.exe	110
PID 2392 wrote to memory of 4044	2392	Immortal Woofer.exe	113
PID 2392 wrote to memory of 4044	2392	Immortal Woofer.exe	113
PID 4044 wrote to memory of 2172	4044	cmd.exe	115
PID 4044 wrote to memory of 2172	4044	cmd.exe	115
PID 4044 wrote to memory of 2308	4044	cmd.exe	116
PID 4044 wrote to memory of 2308	4044	cmd.exe	116
PID 4044 wrote to memory of 4552	4044	cmd.exe	117
PID 4044 wrote to memory of 4552	4044	cmd.exe	117
PID 4044 wrote to memory of 3784	4044	cmd.exe	118
PID 4044 wrote to memory of 3784	4044	cmd.exe	118
PID 4044 wrote to memory of 3032	4044	cmd.exe	119
PID 4044 wrote to memory of 3032	4044	cmd.exe	119
PID 4044 wrote to memory of 1724	4044	cmd.exe	120
PID 4044 wrote to memory of 1724	4044	cmd.exe	120
PID 2392 wrote to memory of 1940	2392	Immortal Woofer.exe	122
PID 2392 wrote to memory of 1940	2392	Immortal Woofer.exe	122
PID 2392 wrote to memory of 4744	2392	Immortal Woofer.exe	124
PID 2392 wrote to memory of 4744	2392	Immortal Woofer.exe	124
PID 4744 wrote to memory of 3736	4744	cmd.exe	126
PID 4744 wrote to memory of 3736	4744	cmd.exe	126
PID 4744 wrote to memory of 1088	4744	cmd.exe	127
PID 4744 wrote to memory of 1088	4744	cmd.exe	127
PID 4744 wrote to memory of 1156	4744	cmd.exe	128
PID 4744 wrote to memory of 1156	4744	cmd.exe	128
PID 4744 wrote to memory of 2328	4744	cmd.exe	129
PID 4744 wrote to memory of 2328	4744	cmd.exe	129
PID 4744 wrote to memory of 3132	4744	cmd.exe	130
PID 4744 wrote to memory of 3132	4744	cmd.exe	130
PID 4744 wrote to memory of 1168	4744	cmd.exe	131
PID 4744 wrote to memory of 1168	4744	cmd.exe	131
PID 2392 wrote to memory of 624	2392	Immortal Woofer.exe	132
PID 2392 wrote to memory of 624	2392	Immortal Woofer.exe	132
PID 624 wrote to memory of 60	624	Fruit Cleener.exe	134
PID 624 wrote to memory of 60	624	Fruit Cleener.exe	134
PID 60 wrote to memory of 4600	60	cmd.exe	135
PID 60 wrote to memory of 4600	60	cmd.exe	135
PID 624 wrote to memory of 3204	624	Fruit Cleener.exe	136
PID 624 wrote to memory of 3204	624	Fruit Cleener.exe	136
PID 3204 wrote to memory of 3916	3204	cmd.exe	137
PID 3204 wrote to memory of 3916	3204	cmd.exe	137
PID 624 wrote to memory of 752	624	Fruit Cleener.exe	138
PID 624 wrote to memory of 752	624	Fruit Cleener.exe	138

C:\Users\Admin\AppData\Local\Temp\Immortal Woofer.exe
"C:\Users\Admin\AppData\Local\Temp\Immortal Woofer.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe
  "C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe" C:\Users\Admin\AppData\Local\Temp\gay.sys
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe
  "C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe" C:\Users\Admin\AppData\Local\Temp\gay.sys
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe
  "C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe" C:\Users\Admin\AppData\Local\Temp\gay.sys
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\IME\serial_checker.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get model, serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4756
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get serialnumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3652
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get serialnumber
    3⤵
    PID:752
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:4736
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:2616
- - C:\Windows\system32\getmac.exe
    getmac
    3⤵
    PID:4884
- C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe
  "C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe" C:\Users\Admin\AppData\Local\Temp\gay.sys
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\IME\serial_checker.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get model, serialnumber
    3⤵
    PID:2172
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get serialnumber
    3⤵
    PID:2308
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get serialnumber
    3⤵
    PID:4552
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:3784
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:3032
- - C:\Windows\system32\getmac.exe
    getmac
    3⤵
    PID:1724
- C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe
  "C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe" C:\Users\Admin\AppData\Local\Temp\gay.sys
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\IME\serial_checker.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get model, serialnumber
    3⤵
    PID:3736
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get serialnumber
    3⤵
    PID:1088
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic bios get serialnumber
    3⤵
    PID:1156
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic baseboard get serialnumber
    3⤵
    PID:2328
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_computersystemproduct get uuid
    3⤵
    PID:3132
- - C:\Windows\system32\getmac.exe
    getmac
    3⤵
    PID:1168
- C:\Windows\IME\Fruit Cleener.exe
  "C:\Windows\IME\Fruit Cleener.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:60
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      PID:4600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:3204
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
      4⤵
      Kills process with taskkill
      PID:3916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
    3⤵
    PID:752
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im Battle.net.exe
      4⤵
      Kills process with taskkill
      PID:4376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start https://applecheats.cc
    3⤵
    PID:4576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2932
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdda3646f8,0x7ffdda364708,0x7ffdda364718
        5⤵
        
        PID:532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,16724601437665095495,761915560612883764,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
        5⤵
        
        PID:4552
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,16724601437665095495,761915560612883764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2424
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,16724601437665095495,761915560612883764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
        5⤵
        
        PID:2884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16724601437665095495,761915560612883764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
        5⤵
        
        PID:4296
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16724601437665095495,761915560612883764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
        5⤵
        
        PID:3004
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16724601437665095495,761915560612883764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
        5⤵
        
        PID:4120
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16724601437665095495,761915560612883764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
        5⤵
        
        PID:4688
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,16724601437665095495,761915560612883764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
        5⤵
        
        PID:2840
- C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe
  "C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe" C:\Users\Admin\AppData\Local\Temp\gay.sys
  2⤵
  - Executes dropped EXE
  PID:2876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\24b20339-1a68-4940-8cc6-8db719221c41.tmp

Filesize
6KB

MD5
eca512287fd3ab5cf0ffca5675ad4234

SHA1
bb47466fb5cc0ecf507ceaf344dab64a7ec0e52d

SHA256
ee966a12a0d62c4018637d4b73fb86209309896ceb887a8b70641866dc4cf6cc

SHA512
bbb896befc248e8ed17bd791843474ac4f1ec9bd1808c0b8caa0dd86a5fe77bf27005917d57a18b2365ffe38e05e9477421126252e15d836cbaa696c6e0b1fa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
d4271d87e32005eac810dacfde09c37f

SHA1
e7c4afc3d1f4abb0c0daa6901a82fc71c656177d

SHA256
18f50988ff74586ecf680f84082b2ce186a728f6177516149d9fc2407179964e

SHA512
7036a1d4dfce2740f80d0237a50177d6635f121951ec1ff7ff7e77c44c8bf59544ad5d6e7f329cbb917881d31776a4a39a437223231b511a1df88210c722feb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
554B

MD5
94d19104456f85e1c2d13c926e3d7f28

SHA1
b311688fe9d7b4781c7dd516381ceef9b442a519

SHA256
c5a122a4de81552cf7da5c79b054790a5f5f60b268960b3a15dfa00c1178d220

SHA512
24b1d0c6ab5c80da06535142854571a972b4a4084629dce26ff268d5f74fbe2bd1cd7d21a950bab77eb38c2ab502ee18afea9e596cd936b044e86e7e6c67965e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
79be9afaf375e6ccddba777cb3476a30

SHA1
169c214354d94894bc66b0cff574cf0787675d7e

SHA256
f4190ee2345de1bd15b959b546b0469d26f40214b59d989c8c29c1ab58ce1787

SHA512
7995bf98044101c75c7ccb469ea5c303308527db48cb001edd241a90f37ae125ef93f6aa0ef94f7c7806e1077e41bc627b6bcda1b39bbd51eadb34f670419be8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1c30a3b9d30411f116d03e8297cac62f

SHA1
c15a547ea7248739811207efd004784bbefbc095

SHA256
bf92868f1c635f91d392364523723dde8d0c9ed0f52baa639930c5ba1726cd04

SHA512
22264dbe99230c09d06b6222b2a8aec8d21e1a1d59f83f50b9114e70d5402768b5ef1a9886afe72c08e89dfc746c95e1853e79ee2d7cee3612cd5db0ab2bc14a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOADER_HERE.exe

Filesize
534KB

MD5
cd4d08af76e7614f46bc853cf82cebc6

SHA1
94e75dac14976227c1c33ae48866e820db52aa1a

SHA256
f03d6b156974af96b66b3913bbcdf49609720f37f2e69c4222c2d0920f442f58

SHA512
b24396f3973156d8aef58203a0bcf1d542362e8591509e054488d6562fcf60e3cd628db0252a45ead220b4c7e82f065092e8a6145fcbfc399b4ca86f17084d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\gay.sys

Filesize
395KB

MD5
2959f922ba8d59cfa184e35a44ec73d9

SHA1
ec7708ec31dc0365d7e81f65233db60ff952ada2

SHA256
a6b866b8ec1ebe078e172256a0117ed810555027c6272cf6bf889d8c84af6a9a

SHA512
51616df121692d5d08e298a0e4b94491153cf336e4efbc3e7e02f2bacd4623da660dad415b0f7379eeda293429c71b7250689ae1a08d37bf07e1829eccc5b33a

Download Submit
C:\Windows\IME\Fruit Cleener.exe

Filesize
3.6MB

MD5
5d55189c4f5b49069859724f34597158

SHA1
c79a67cc70d2a8994d1c1480114c1890ae550f15

SHA256
027d32bf28bf27f41e1a4a883cedf922d0ea1928f5c8024b2702eb70cee6710a

SHA512
bae030f2075d6cdef0ba02533dbd0f5a5ea05a75634af7a7e231c836978e7512e8b237fb6197634b39278383927eec7410b437c52e926623164c3a17b643d00e

Download Submit
C:\Windows\IME\serial_checker.bat

Filesize
456B

MD5
cafc57aca6d10f9dcdc9d3aec9a35b72

SHA1
2e0e30ac79878b3d4d326f00735aaa7ff4b4a3df

SHA256
1c63492020872da13d2b35aa8eb02517376e1a7391bfaa1584d828bd5aa916ad

SHA512
d0e14f1eb2077b455f0a42a60b37c625badae4084734ce0e050e992a7b759d969c6d86e2be49ae20712c70c2453cb9efd3de8cb8124f0b489826f8f80f93fb95

Download Submit
memory/624-55-0x00007FF7F3C50000-0x00007FF7F45EB000-memory.dmp

Filesize
9.6MB

Download
memory/624-56-0x00007FF7F3C50000-0x00007FF7F45EB000-memory.dmp

Filesize
9.6MB

Download
memory/624-54-0x00007FF7F3C50000-0x00007FF7F45EB000-memory.dmp

Filesize
9.6MB

Download
memory/624-57-0x00007FF7F3C50000-0x00007FF7F45EB000-memory.dmp

Filesize
9.6MB

Download
memory/624-59-0x00007FF7F3C50000-0x00007FF7F45EB000-memory.dmp

Filesize
9.6MB

Download
memory/624-52-0x00007FF7F3C50000-0x00007FF7F45EB000-memory.dmp

Filesize
9.6MB

Download
memory/1940-42-0x00007FF609920000-0x00007FF6099D3000-memory.dmp

Filesize
716KB

Download
memory/1940-43-0x00007FF609920000-0x00007FF6099D3000-memory.dmp

Filesize
716KB

Download
memory/2876-180-0x00007FF7805F0000-0x00007FF7806A3000-memory.dmp

Filesize
716KB

Download
memory/3176-7-0x00007FF764460000-0x00007FF764513000-memory.dmp

Filesize
716KB

Download
memory/4328-32-0x00007FF77D8D0000-0x00007FF77D983000-memory.dmp

Filesize
716KB

Download
memory/4328-31-0x00007FF77D8D0000-0x00007FF77D983000-memory.dmp

Filesize
716KB

Download
memory/4588-14-0x00007FF68AE90000-0x00007FF68AF43000-memory.dmp

Filesize
716KB

Download
memory/4644-21-0x00007FF72C600000-0x00007FF72C6B3000-memory.dmp

Filesize
716KB

Download