zloader | 9ecd96e90def2fa42b060d64290129903115d7410b2c2008e8d4b928c4b5846a

Analysis

max time kernel
149s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Beaker Browser.exe
Size

67.8MB
MD5

a79d31e8a93a6d2e5efbba69fd9c647e
SHA1

37da53b97478f8ab8af3bed446dcf01e265602d9
SHA256

4e6bc9ca74561f98769257e2a1ebffb985a0c48b506d8cbbf995886ba8886d0f
SHA512

104d332f3d503903ac17e9c7f6f234bcb9dbd07c2f6137874c1cbe4a16e1b7d32ffbb37cf324abb52286509bbb44950a45c4643d61bcc541eb3e1d7eda4ac766
SSDEEP

393216:e18D8SMWJfEJNT1VPHuXb6B4u5wgq439gFvYqehzxmtj5iKGMlQrrNOtXGTi7zR+:0HOlYSjSjjBpmD2EqZPEytx

Score

10^/10

zloader botnet trojan

Malware Config

Signatures

Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Beaker Browser.exeBeaker Browser.exeBeaker Browser.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Beaker Browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Beaker Browser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Beaker Browser.exe

Loads dropped DLL 3 IoCs

Processes:

Beaker Browser.exe

pid process

2840 Beaker Browser.exe
2840 Beaker Browser.exe
2840 Beaker Browser.exe

pid	process
2840	Beaker Browser.exe
2840	Beaker Browser.exe
2840	Beaker Browser.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Beaker Browser.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Beaker Browser.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Beaker Browser.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Beaker Browser.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

wmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3560	wmic.exe
Token: SeSecurityPrivilege	3560	wmic.exe
Token: SeTakeOwnershipPrivilege	3560	wmic.exe
Token: SeLoadDriverPrivilege	3560	wmic.exe
Token: SeSystemProfilePrivilege	3560	wmic.exe
Token: SeSystemtimePrivilege	3560	wmic.exe
Token: SeProfSingleProcessPrivilege	3560	wmic.exe
Token: SeIncBasePriorityPrivilege	3560	wmic.exe
Token: SeCreatePagefilePrivilege	3560	wmic.exe
Token: SeBackupPrivilege	3560	wmic.exe
Token: SeRestorePrivilege	3560	wmic.exe
Token: SeShutdownPrivilege	3560	wmic.exe
Token: SeDebugPrivilege	3560	wmic.exe
Token: SeSystemEnvironmentPrivilege	3560	wmic.exe
Token: SeRemoteShutdownPrivilege	3560	wmic.exe
Token: SeUndockPrivilege	3560	wmic.exe
Token: SeManageVolumePrivilege	3560	wmic.exe
Token: 33	3560	wmic.exe
Token: 34	3560	wmic.exe
Token: 35	3560	wmic.exe
Token: 36	3560	wmic.exe
Token: SeIncreaseQuotaPrivilege	3560	wmic.exe
Token: SeSecurityPrivilege	3560	wmic.exe
Token: SeTakeOwnershipPrivilege	3560	wmic.exe
Token: SeLoadDriverPrivilege	3560	wmic.exe
Token: SeSystemProfilePrivilege	3560	wmic.exe
Token: SeSystemtimePrivilege	3560	wmic.exe
Token: SeProfSingleProcessPrivilege	3560	wmic.exe
Token: SeIncBasePriorityPrivilege	3560	wmic.exe
Token: SeCreatePagefilePrivilege	3560	wmic.exe
Token: SeBackupPrivilege	3560	wmic.exe
Token: SeRestorePrivilege	3560	wmic.exe
Token: SeShutdownPrivilege	3560	wmic.exe
Token: SeDebugPrivilege	3560	wmic.exe
Token: SeSystemEnvironmentPrivilege	3560	wmic.exe
Token: SeRemoteShutdownPrivilege	3560	wmic.exe
Token: SeUndockPrivilege	3560	wmic.exe
Token: SeManageVolumePrivilege	3560	wmic.exe
Token: 33	3560	wmic.exe
Token: 34	3560	wmic.exe
Token: 35	3560	wmic.exe
Token: 36	3560	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Beaker Browser.exe

description	pid	process	target process
PID 2840 wrote to memory of 3560	2840	Beaker Browser.exe	wmic.exe
PID 2840 wrote to memory of 3560	2840	Beaker Browser.exe	wmic.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2060	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2900	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 2900	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 4064	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 4064	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 4064	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 4064	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 4064	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 4064	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 4064	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 4064	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 4064	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 4064	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 4064	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 4064	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 4064	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 4064	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 4064	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 4064	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 4064	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 4064	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 4064	2840	Beaker Browser.exe	Beaker Browser.exe
PID 2840 wrote to memory of 4064	2840	Beaker Browser.exe	Beaker Browser.exe

C:\Users\Admin\AppData\Local\Temp\Beaker Browser.exe
"C:\Users\Admin\AppData\Local\Temp\Beaker Browser.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\System32\Wbem\wmic.exe
  wmic os get locale
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3560
- C:\Users\Admin\AppData\Local\Temp\Beaker Browser.exe
  "C:\Users\Admin\AppData\Local\Temp\Beaker Browser.exe" --type=gpu-process --enable-features=FixAltGraph --gpu-preferences=KAAAAAAAAACAAwCAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=A3250542140C8BE15D934818870FD6FA --mojo-platform-channel-handle=1500 --ignored=" --type=renderer " /prefetch:2
  2⤵
  PID:2060
- C:\Users\Admin\AppData\Local\Temp\Beaker Browser.exe
  "C:\Users\Admin\AppData\Local\Temp\Beaker Browser.exe" --type=renderer --enable-features=FixAltGraph --service-pipe-token=20C2AED025F8F5D114EC99FA19BDA52E --lang=en-US --standard-schemes=dat,beaker,beaker-hidden-window --secure-schemes=dat,beaker,beaker-hidden-window --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --node-integration=true --webview-tag=true --no-sandbox --background-color=#fff --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-compositor-image-animations --service-request-channel-token=20C2AED025F8F5D114EC99FA19BDA52E --renderer-client-id=4 --mojo-platform-channel-handle=2108 /prefetch:1
  2⤵
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\Beaker Browser.exe
  "C:\Users\Admin\AppData\Local\Temp\Beaker Browser.exe" --type=gpu-process --enable-features=FixAltGraph --gpu-preferences=KAAAAAAAAACAAwCAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --service-request-channel-token=6926B5031A26EE87DE3185B4544BF7AF --mojo-platform-channel-handle=2356 --ignored=" --type=renderer " /prefetch:2
  2⤵
  PID:4064
- C:\Users\Admin\AppData\Local\Temp\Beaker Browser.exe
  "C:\Users\Admin\AppData\Local\Temp\Beaker Browser.exe" --type=renderer --enable-features=FixAltGraph --disable-gpu-compositing --service-pipe-token=3A470E4BDA87D75E3BC069CE07440D58 --lang=en-US --standard-schemes=dat,beaker,beaker-hidden-window --secure-schemes=dat,beaker,beaker-hidden-window --register-service-worker-schemes=dat --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --node-integration=true --webview-tag=true --enable-sandbox --native-window-open --preload="C:\Users\Admin\AppData\Local\Temp\resources\app.asar\shell-window.build.js" --background-color=#ddd --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-compositor-image-animations --service-request-channel-token=3A470E4BDA87D75E3BC069CE07440D58 --renderer-client-id=7 --mojo-platform-channel-handle=2160 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:1504
- C:\Users\Admin\AppData\Local\Temp\Beaker Browser.exe
  "C:\Users\Admin\AppData\Local\Temp\Beaker Browser.exe" --type=renderer --enable-features=FixAltGraph --disable-gpu-compositing --service-pipe-token=68D52DFF38264BBFB804BF9F8E64CD7F --lang=en-US --standard-schemes=dat,beaker,beaker-hidden-window --secure-schemes=dat,beaker,beaker-hidden-window --register-service-worker-schemes=dat --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --node-integration=false --webview-tag=true --enable-sandbox --native-window-open --preload="C:\Users\Admin\AppData\Local\Temp\resources\app.asar\webview-preload.build.js" --background-color=#fff --guest-instance-id=1 --enable-blink-features --disable-blink-features --hidden-page --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-compositor-image-animations --service-request-channel-token=68D52DFF38264BBFB804BF9F8E64CD7F --renderer-client-id=8 --mojo-platform-channel-handle=2604 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:3156
- C:\Users\Admin\AppData\Local\Temp\Beaker Browser.exe
  "C:\Users\Admin\AppData\Local\Temp\Beaker Browser.exe" --type=renderer --enable-features=FixAltGraph --disable-gpu-compositing --service-pipe-token=E3D06574DC784E9FE2427E903B7864B8 --lang=en-US --standard-schemes=dat,beaker,beaker-hidden-window --secure-schemes=dat,beaker,beaker-hidden-window --register-service-worker-schemes=dat --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --node-integration=false --webview-tag=true --enable-sandbox --native-window-open --preload="C:\Users\Admin\AppData\Local\Temp\resources\app.asar\webview-preload.build.js" --background-color=#fff --guest-instance-id=1 --enable-blink-features --disable-blink-features --hidden-page --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-compositor-image-animations --service-request-channel-token=E3D06574DC784E9FE2427E903B7864B8 --renderer-client-id=9 --mojo-platform-channel-handle=2584 /prefetch:1
  2⤵
  - Checks computer location settings
  PID:4960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2a5710db-9b58-46c6-b8fa-1f2312e6f8aa.tmp.node

Filesize
483KB

MD5
49c8147e24e495a73f6644235e1367f1

SHA1
a7a44c431aed3db65133c62af097567fa202348f

SHA256
e74a7aba6b9b907af16140b23417067685364f5703ef9e6d866cecb17ba5df02

SHA512
967689af160680fa39a1135ad5dfa9ccebafbb5431d83502a24a1c216fa47eca941f9a18f491334fd8439e184753d30293559370370fd4a009f6a260186ea2e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a9ab686-3f62-41d1-9459-369a52fdbaab.tmp.node

Filesize
1.2MB

MD5
749dd8266b93415b162f6c14926c62af

SHA1
54515ccf7e99e65bf46a15d41560c9abb29e76c8

SHA256
3291be88bd810eb662183264854d71e18c1672e1eac97c9788d1cf20864d3c5f

SHA512
e8e428016665ccf6fe2807d16bca42bbb176f32c47a94e7b95ee413294a3f5b23b1e96d5b387591f17614ac29462ae2a09dd86f3d51c186a25a867a78d69fad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4957c6d6-7607-4076-8ee9-a6a284b696dd.tmp.node

Filesize
199KB

MD5
d8fe84b018d92e8f4043be038dd64d33

SHA1
54a64366c2cd1b45b344930474db9712d8a89011

SHA256
853b30ec29e360a06038720c5526b05f9f4fee6a8e9e7b0ed12cdb86054f42c1

SHA512
7deb35043319bd0a09fd8acf3cd627ad6ee4e7a01104da10445aba91305c772a7cbef22c37e077f8044a15c60913ab23d8cac8560a1c8cbf72957f11d99f1302

Download Submit
memory/1504-149-0x00007FFCE6B20000-0x00007FFCE6B21000-memory.dmp

Filesize
4KB

Download
memory/1504-191-0x00000274ECAC0000-0x00000274ECB15000-memory.dmp

Filesize
340KB

Download
memory/1504-192-0x00000274ECB20000-0x00000274ECBED000-memory.dmp

Filesize
820KB

Download
memory/1504-152-0x00007FF621440000-0x00007FF625889000-memory.dmp

Filesize
68.3MB

Download
memory/1504-148-0x00007FFCE6B10000-0x00007FFCE6B11000-memory.dmp

Filesize
4KB

Download
memory/2060-16-0x00007FF621440000-0x00007FF625889000-memory.dmp

Filesize
68.3MB

Download
memory/2060-23-0x000002329F100000-0x000002329F155000-memory.dmp

Filesize
340KB

Download
memory/2060-15-0x00007FFCE7590000-0x00007FFCE7591000-memory.dmp

Filesize
4KB

Download
memory/2840-0-0x00007FF621440000-0x00007FF625889000-memory.dmp

Filesize
68.3MB

Download
memory/2900-22-0x00007FF621440000-0x00007FF625889000-memory.dmp

Filesize
68.3MB

Download
memory/3156-169-0x00007FF621440000-0x00007FF625889000-memory.dmp

Filesize
68.3MB

Download
memory/3156-182-0x000001C3B82A0000-0x000001C3B82F5000-memory.dmp

Filesize
340KB

Download
memory/3156-183-0x000001C3B84D0000-0x000001C3B859D000-memory.dmp

Filesize
820KB

Download
memory/4064-29-0x00000209ACD70000-0x00000209ACDC5000-memory.dmp

Filesize
340KB

Download
memory/4064-27-0x00007FF621440000-0x00007FF625889000-memory.dmp

Filesize
68.3MB

Download
memory/4960-172-0x00007FF621440000-0x00007FF625889000-memory.dmp

Filesize
68.3MB

Download
memory/4960-194-0x0000022FA7790000-0x0000022FA785D000-memory.dmp

Filesize
820KB

Download
memory/4960-193-0x0000022FA7730000-0x0000022FA7785000-memory.dmp

Filesize
340KB

Download