758e781daa9b78cddc8717d00815bb2244e85d9bdd0ddccb5248120f554d2994

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loaders.exe
Size

61.0MB
MD5

c317dc84cefc3d3b4213d1ff2ca17c44
SHA1

b2c89a5006d94b910f02a9bac49ba778e5d702c1
SHA256

758e781daa9b78cddc8717d00815bb2244e85d9bdd0ddccb5248120f554d2994
SHA512

8da10acbbdb3472a0c5d15a0d8dc19e5cd72966be5c5db5bd866afb1a9f15971314fea9300b19bcedf819b0d6938c0b7b1096094a1d18f4744f807022809df58
SSDEEP

1572864:/zYOEE5qpvRXHntzhHoQVT+atZumd+eAKGg:/0OEXvRXNdD5L

Score

6^/10

discovery

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
116	bcdedit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\hvax64.exe	loaders.exe
File created	C:\Windows\system32\hvax64.exe	loaders.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe
2860	loaders.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2860	loaders.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeBackupPrivilege	2860	loaders.exe
Token: SeRestorePrivilege	2860	loaders.exe
Token: SeTakeOwnershipPrivilege	2860	loaders.exe
Token: SeIncreaseQuotaPrivilege	3356	wmic.exe
Token: SeSecurityPrivilege	3356	wmic.exe
Token: SeTakeOwnershipPrivilege	3356	wmic.exe
Token: SeLoadDriverPrivilege	3356	wmic.exe
Token: SeSystemProfilePrivilege	3356	wmic.exe
Token: SeSystemtimePrivilege	3356	wmic.exe
Token: SeProfSingleProcessPrivilege	3356	wmic.exe
Token: SeIncBasePriorityPrivilege	3356	wmic.exe
Token: SeCreatePagefilePrivilege	3356	wmic.exe
Token: SeBackupPrivilege	3356	wmic.exe
Token: SeRestorePrivilege	3356	wmic.exe
Token: SeShutdownPrivilege	3356	wmic.exe
Token: SeDebugPrivilege	3356	wmic.exe
Token: SeSystemEnvironmentPrivilege	3356	wmic.exe
Token: SeRemoteShutdownPrivilege	3356	wmic.exe
Token: SeUndockPrivilege	3356	wmic.exe
Token: SeManageVolumePrivilege	3356	wmic.exe
Token: 33	3356	wmic.exe
Token: 34	3356	wmic.exe
Token: 35	3356	wmic.exe
Token: 36	3356	wmic.exe
Token: SeIncreaseQuotaPrivilege	3356	wmic.exe
Token: SeSecurityPrivilege	3356	wmic.exe
Token: SeTakeOwnershipPrivilege	3356	wmic.exe
Token: SeLoadDriverPrivilege	3356	wmic.exe
Token: SeSystemProfilePrivilege	3356	wmic.exe
Token: SeSystemtimePrivilege	3356	wmic.exe
Token: SeProfSingleProcessPrivilege	3356	wmic.exe
Token: SeIncBasePriorityPrivilege	3356	wmic.exe
Token: SeCreatePagefilePrivilege	3356	wmic.exe
Token: SeBackupPrivilege	3356	wmic.exe
Token: SeRestorePrivilege	3356	wmic.exe
Token: SeShutdownPrivilege	3356	wmic.exe
Token: SeDebugPrivilege	3356	wmic.exe
Token: SeSystemEnvironmentPrivilege	3356	wmic.exe
Token: SeRemoteShutdownPrivilege	3356	wmic.exe
Token: SeUndockPrivilege	3356	wmic.exe
Token: SeManageVolumePrivilege	3356	wmic.exe
Token: 33	3356	wmic.exe
Token: 34	3356	wmic.exe
Token: 35	3356	wmic.exe
Token: 36	3356	wmic.exe
Token: 33	1820	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1820	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 3356	2860	loaders.exe	91
PID 2860 wrote to memory of 3356	2860	loaders.exe	91
PID 2860 wrote to memory of 3728	2860	loaders.exe	93
PID 2860 wrote to memory of 3728	2860	loaders.exe	93
PID 3728 wrote to memory of 560	3728	cmd.exe	95
PID 3728 wrote to memory of 560	3728	cmd.exe	95
PID 2860 wrote to memory of 932	2860	loaders.exe	96
PID 2860 wrote to memory of 932	2860	loaders.exe	96
PID 932 wrote to memory of 116	932	cmd.exe	97
PID 932 wrote to memory of 116	932	cmd.exe	97
PID 2860 wrote to memory of 3180	2860	loaders.exe	98
PID 2860 wrote to memory of 3180	2860	loaders.exe	98
PID 3180 wrote to memory of 3836	3180	msedge.exe	99
PID 3180 wrote to memory of 3836	3180	msedge.exe	99
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 2732	3180	msedge.exe	101
PID 3180 wrote to memory of 968	3180	msedge.exe	102
PID 3180 wrote to memory of 968	3180	msedge.exe	102
PID 3180 wrote to memory of 4012	3180	msedge.exe	103
PID 3180 wrote to memory of 4012	3180	msedge.exe	103
PID 3180 wrote to memory of 4012	3180	msedge.exe	103
PID 3180 wrote to memory of 4012	3180	msedge.exe	103
PID 3180 wrote to memory of 4012	3180	msedge.exe	103
PID 3180 wrote to memory of 4012	3180	msedge.exe	103
PID 3180 wrote to memory of 4012	3180	msedge.exe	103
PID 3180 wrote to memory of 4012	3180	msedge.exe	103

C:\Users\Admin\AppData\Local\Temp\loaders.exe
"C:\Users\Admin\AppData\Local\Temp\loaders.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\System32\Wbem\wmic.exe
  wmic cpu get VirtualizationFirmwareEnabled
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3356
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c bcdedit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Windows\system32\bcdedit.exe
    bcdedit
    3⤵
    PID:560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c BCDEDIT /Set {current} hypervisorlaunchtype auto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\system32\bcdedit.exe
    BCDEDIT /Set {current} hypervisorlaunchtype auto
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/6yV5hAuBNYU
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff95ad46f8,0x7fff95ad4708,0x7fff95ad4718
    3⤵
    PID:3836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,340624390470728761,9045045090289756917,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
    3⤵
    PID:2732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,340624390470728761,9045045090289756917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
    3⤵
    PID:968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,340624390470728761,9045045090289756917,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
    3⤵
    PID:4012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,340624390470728761,9045045090289756917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    3⤵
    PID:1800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,340624390470728761,9045045090289756917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
    3⤵
    PID:1020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,340624390470728761,9045045090289756917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
    3⤵
    PID:1072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,340624390470728761,9045045090289756917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
    3⤵
    PID:1400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,340624390470728761,9045045090289756917,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4568 /prefetch:8
    3⤵
    PID:3104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,340624390470728761,9045045090289756917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
    3⤵
    PID:1656
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,340624390470728761,9045045090289756917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
    3⤵
    PID:1208
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,340624390470728761,9045045090289756917,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:8
    3⤵
    PID:2456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,340624390470728761,9045045090289756917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
    3⤵
    PID:3644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,340624390470728761,9045045090289756917,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
    3⤵
    PID:4972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,340624390470728761,9045045090289756917,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
    3⤵
    PID:456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,340624390470728761,9045045090289756917,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
    3⤵
    PID:4768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,340624390470728761,9045045090289756917,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1916 /prefetch:2
    3⤵
    PID:3008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4300

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x414 0x350
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
75c3a97dbfdf7900475601703cad9ad3

SHA1
7e39262e31ea9df598ab3b5a264a94ad3cee46ec

SHA256
bf22c29832ef0936d8492d27750b655e9358ca81363f0a651aca07e15d75d40e

SHA512
3e042b6db384761d3c03a73e9bcab084fb771a219f2023cc2f9930c330a63b71b18ce249b0473940a2c5e771eef4cdccea2024228f6ea56b47b44f5325ac62d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
5701662848882ea0648439c77970b89e

SHA1
f3ebd03b02f16a00ba83199c8061f0d0f6c13765

SHA256
1ef802581e0e126dcbaa8080c85b385b3a29c98581cb111791cb2e03496b0b87

SHA512
ab5919bd7a9e4a113370ec35ac4a01e7a6f937d628e8130b8353e9a9bc476c28e68f19971d8e7ffc9ada76b56d7b2746a6577a9fb997e6f653a66fd907970f0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
07c6765f35cbcbad42e8e2a0305c8a04

SHA1
6873a6679b67eabe427609f8a74d78d977dd5e63

SHA256
91391639c27f5eb3df1ff3b5ef82d885471025eec28e06bc4c40a6c395778f99

SHA512
82afaee4963ef4e2c08303480d1d63e5ba0d687385ef4ca92561348feaff0d418c8a49e6b12be5c1a77c8f69ef51ab2a2b8cfd5e3bdf81ff8a7dc0fcb7ed5ece

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b4cab1cb76bdc83761be068931bec2db

SHA1
6b024022720a267cfd3c56aec7e76a609226c542

SHA256
fe8630eb3259aaddf2453649935f11e78ce1f0557329d78c030cd4f36242adfe

SHA512
af8331281e9d2a8e50b7d568e530d545ca0576526efc77f609789e1c16ff71d9f0f1edaf6c61ec9b078a904bdd69bb6ce85db916de70e7d739430aec3813f959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\801f1105-727c-42a0-9b87-2993a9ae8398\index-dir\the-real-index

Filesize
504B

MD5
d8e8bc86bcc89e7aa87a8e1cebdd9019

SHA1
aab30598f72a88ae8733fc9b12e250d6621a8e8a

SHA256
807ca21b436ca4081609e2a09f5e9af81060470ec7ab89320bf3de5f4d4e95dc

SHA512
a9fda2cc739264d3e7ffd03b2608844dd37af0fa7cec2947a08a70c35ffce5dceee1ed3404aa873185deaee9601819a26f2b903ff2cba122c4b66577a7245abd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\801f1105-727c-42a0-9b87-2993a9ae8398\index-dir\the-real-index~RFe57c9c8.TMP

Filesize
48B

MD5
9356b5a867416b2ece82d9cdc5fd80a3

SHA1
3adfcbd1d7bfae00b97db324adfb5e0185d62124

SHA256
5d537e8d3e0798786430cafff2f3b5166ac4945716c607f45018f8686ddc6c59

SHA512
b83976cf387ad7c008c0c454f9a6079e2633b304a9c12af7bac228fc79e33caa145ba5f213bb7b748121fc6585788b91c0809755b26c0cfdf427e20b0c31638c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
b251d5c9579666b7e971c316d405b6c2

SHA1
395d81ebb5657efa14c3336b713b428bc14beb9e

SHA256
7ae7fd5ad7f491b3a241712ed0524027d76e2ab86509b76898d1bd78ffe8e96e

SHA512
4e4ff192b2800427dce6a53eaa3ee4e3fa61366717f5f7c27a0844a678485f00b14043700ac72dc7eab1065d66aa33690e4f543804625d474c6cf1fa88218475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
f5c957920e22c41e13acf4735189e649

SHA1
46f17c955f4b27299f57b85d203af2a207fdb113

SHA256
aef9ecc20b89d274fe8c448554c7bf4078351e9e05723dba39ae491ec7247727

SHA512
554c2baeb9126f23f6d617fa67483919780bb9b093aa4055c8a938a9191faa6ae94798ddfdd40f3506f4896085a21f4ac26d88a8fd2c0f494e80061559c1269a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
0a0ad5af8a0e7d46bf9938580c24f780

SHA1
3830e20cbe621a2678f3e62ba21b4a75a8f8b12d

SHA256
732aba64d1c07ca248d7351335481f2c0b3e6858591f2678fc2ad9c90f774859

SHA512
8a807e7928781154dbd82f933ca1e2013436a5d45f5085825ba403f39a2e59a8e02ca9f9c7bf0528fcec18cd0e0204a01e58b9281e93f8d95d8dd5514debc7ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57bd74.TMP

Filesize
89B

MD5
c6a94459e4453e315a7dd972810c4401

SHA1
d334ee6e8a7baf44eb65de3419b0ae72052dd1f6

SHA256
a7bbbff80bc8a88437096b29f1ec8fc5dab551c5f34a2c50696177c4c443cab6

SHA512
955426c90c6c134fd5bb0cc54e6ff057251c64ba868c472a99fdbe6a74d166f0e103d99655161fd6088a75a8b46c33ef69d7d352bfcd25349ba63662d2454bba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
48B

MD5
885da95d96195c874269ff28e83577c7

SHA1
8b140a2b1fc461627aa0f3e944864b0fae187e7d

SHA256
da15328bf2ffa88ffee0f5f24301b64fa92293db78c22a740234b9718e321d03

SHA512
418d995ac89df8721782325c8da719e9d52e612cad1528df37c0c2cf5239aa069d1884654e853e5ff21c72aa60e52ca2066f339ed74709d45660ac6b5495047b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5817e8.TMP

Filesize
48B

MD5
d1aa2ee581641be0e07b36d833b9eb05

SHA1
3aa5af9cbbdaf12467e37aea2c11cdb4e7abf468

SHA256
a4c1164b040448264cc391f4b3a67fa16832d673b290ccbd9465217079829843

SHA512
c5af2ecc129cac7aeca5c05ba7463631bc41dafcc95f7a4b312cc5293b33f5a8c47c1881358fce30bd6bfb02c18add70c07624d05a467d065073c642b1cc094e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
68dd4c9afb675c7484145b21a63723b0

SHA1
1cc8e5452c2f31d79d582e87f135ad6227c699f3

SHA256
8d94957ac6a753caaf03cdd888c128daa4ce8e0ee83f1a1a8c8a5904d3ad0f01

SHA512
44b1674dd3c9addbffa9c860c60a54c2e5824d6d2701ba0d4a10bbab199de18efb5222df55f50941e4af34940b4ab03bcadb86ee61a0325ce624616a9b90aec0

Download Submit
memory/2860-0-0x00000001409B1000-0x0000000142F42000-memory.dmp

Filesize
37.6MB

Download
memory/2860-17-0x00000001409B1000-0x0000000142F42000-memory.dmp

Filesize
37.6MB

Download
memory/2860-8-0x0000000140000000-0x0000000141000000-memory.dmp

Filesize
16.0MB

Download
memory/2860-3-0x0000000140000000-0x0000000141000000-memory.dmp

Filesize
16.0MB

Download
memory/2860-2-0x00007FFFB3FE0000-0x00007FFFB3FE2000-memory.dmp

Filesize
8KB

Download
memory/2860-1-0x00007FFFB3FD0000-0x00007FFFB3FD2000-memory.dmp

Filesize
8KB

Download