ea8779bb436427af92289d75ee7510e1784bf6772729091abcc350cdf773058c

Resubmissions

22/09/2024, 09:23

240922-lcmh6ssclm 9

21/09/2024, 08:10

21/09/2024, 07:38

28/07/2024, 17:11

18/06/2024, 14:08

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2024, 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WZAgent.exe
Size

26.2MB
MD5

4cf978f2749291d8d9a722cf8bd9d9ea
SHA1

2580a9be8bc6994987cc4951a4690efd7077ea92
SHA256

ea8779bb436427af92289d75ee7510e1784bf6772729091abcc350cdf773058c
SHA512

d1ba2ea6a06cf5241bd26319b7bd2da7cb3ca0453496703fa66413cc56edf9893414a970dfb67451cfb85ef735305986958ba852287b3dc63b7cf28ab351d61d
SSDEEP

786432:Ov1EWULlsocwpd3XHEquH6rdEePFG/7vG43EY6:Ov1EWusor8j6r714

Score

9^/10

agilenet discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WZAgent.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WZAgent.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WZAgent.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WZAgent.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WZAgent.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WZAgent.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WZAgent.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	ZipExtractor.exe

Executes dropped EXE 2 IoCs

pid	Process
452	ZipExtractor.exe
1476	WZAgent.exe

Loads dropped DLL 2 IoCs

pid	Process
2180	WZAgent.exe
1476	WZAgent.exe

Obfuscated with Agile.Net obfuscator 6 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/2180-8-0x0000000000400000-0x0000000002606000-memory.dmp	agile_net
behavioral2/memory/2180-9-0x0000000000400000-0x0000000002606000-memory.dmp	agile_net
behavioral2/memory/2180-53-0x0000000000400000-0x0000000002606000-memory.dmp	agile_net
behavioral2/memory/1476-73-0x0000000000400000-0x00000000027EC000-memory.dmp	agile_net
behavioral2/memory/1476-74-0x0000000000400000-0x00000000027EC000-memory.dmp	agile_net
behavioral2/memory/1476-96-0x0000000000400000-0x00000000027EC000-memory.dmp	agile_net

Themida packer 18 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/2180-8-0x0000000000400000-0x0000000002606000-memory.dmp	themida
behavioral2/memory/2180-9-0x0000000000400000-0x0000000002606000-memory.dmp	themida
behavioral2/files/0x0007000000023456-14.dat	themida
behavioral2/memory/2180-17-0x00007FF8CC940000-0x00007FF8CD469000-memory.dmp	themida
behavioral2/memory/2180-19-0x00007FF8CC940000-0x00007FF8CD469000-memory.dmp	themida
behavioral2/memory/2180-32-0x00007FF8CC940000-0x00007FF8CD469000-memory.dmp	themida
behavioral2/memory/2180-49-0x00007FF8CC940000-0x00007FF8CD469000-memory.dmp	themida
behavioral2/memory/2180-53-0x0000000000400000-0x0000000002606000-memory.dmp	themida
behavioral2/files/0x0007000000023454-59.dat	themida
behavioral2/memory/1476-73-0x0000000000400000-0x00000000027EC000-memory.dmp	themida
behavioral2/memory/1476-74-0x0000000000400000-0x00000000027EC000-memory.dmp	themida
behavioral2/memory/1476-81-0x00007FF8CD5F0000-0x00007FF8CE119000-memory.dmp	themida
behavioral2/memory/1476-83-0x00007FF8CD5F0000-0x00007FF8CE119000-memory.dmp	themida
behavioral2/memory/1476-88-0x00007FF8CD5F0000-0x00007FF8CE119000-memory.dmp	themida
behavioral2/memory/1476-89-0x00007FF8CD5F0000-0x00007FF8CE119000-memory.dmp	themida
behavioral2/memory/1476-93-0x00007FF8CD5F0000-0x00007FF8CE119000-memory.dmp	themida
behavioral2/memory/1476-95-0x00007FF8CD5F0000-0x00007FF8CE119000-memory.dmp	themida
behavioral2/memory/1476-96-0x0000000000400000-0x00000000027EC000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WZAgent.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WZAgent.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2180	WZAgent.exe
2180	WZAgent.exe
1476	WZAgent.exe
1476	WZAgent.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2180	WZAgent.exe
2180	WZAgent.exe
452	ZipExtractor.exe
4424	msedge.exe
4424	msedge.exe
4872	msedge.exe
4872	msedge.exe
2420	identity_helper.exe
2420	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	WZAgent.exe
Token: SeDebugPrivilege	452	ZipExtractor.exe
Token: SeDebugPrivilege	1476	WZAgent.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2180	WZAgent.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe
4872	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2544	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 452	2180	WZAgent.exe	87
PID 2180 wrote to memory of 452	2180	WZAgent.exe	87
PID 452 wrote to memory of 1476	452	ZipExtractor.exe	90
PID 452 wrote to memory of 1476	452	ZipExtractor.exe	90
PID 4872 wrote to memory of 2232	4872	msedge.exe	96
PID 4872 wrote to memory of 2232	4872	msedge.exe	96
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4560	4872	msedge.exe	97
PID 4872 wrote to memory of 4424	4872	msedge.exe	98
PID 4872 wrote to memory of 4424	4872	msedge.exe	98
PID 4872 wrote to memory of 1844	4872	msedge.exe	99
PID 4872 wrote to memory of 1844	4872	msedge.exe	99
PID 4872 wrote to memory of 1844	4872	msedge.exe	99
PID 4872 wrote to memory of 1844	4872	msedge.exe	99
PID 4872 wrote to memory of 1844	4872	msedge.exe	99
PID 4872 wrote to memory of 1844	4872	msedge.exe	99
PID 4872 wrote to memory of 1844	4872	msedge.exe	99
PID 4872 wrote to memory of 1844	4872	msedge.exe	99
PID 4872 wrote to memory of 1844	4872	msedge.exe	99
PID 4872 wrote to memory of 1844	4872	msedge.exe	99
PID 4872 wrote to memory of 1844	4872	msedge.exe	99
PID 4872 wrote to memory of 1844	4872	msedge.exe	99
PID 4872 wrote to memory of 1844	4872	msedge.exe	99
PID 4872 wrote to memory of 1844	4872	msedge.exe	99
PID 4872 wrote to memory of 1844	4872	msedge.exe	99
PID 4872 wrote to memory of 1844	4872	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\WZAgent.exe
"C:\Users\Admin\AppData\Local\Temp\WZAgent.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe
  "C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe" --input C:\Users\Admin\AppData\Local\Temp\WZAgent.zip --output C:\Users\Admin\AppData\Local\Temp --current-exe C:\Users\Admin\AppData\Local\Temp\WZAgent.exe --updated-exe WZAgent.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Users\Admin\AppData\Local\Temp\WZAgent.exe
    "C:\Users\Admin\AppData\Local\Temp\WZAgent.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID:1476

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8d0f546f8,0x7ff8d0f54708,0x7ff8d0f54718
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,15162997883064581444,969118356396052298,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,15162997883064581444,969118356396052298,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,15162997883064581444,969118356396052298,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15162997883064581444,969118356396052298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15162997883064581444,969118356396052298,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15162997883064581444,969118356396052298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15162997883064581444,969118356396052298,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,15162997883064581444,969118356396052298,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,15162997883064581444,969118356396052298,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15162997883064581444,969118356396052298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15162997883064581444,969118356396052298,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,15162997883064581444,969118356396052298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  2⤵
  PID:3236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WZAgent.exe.log

Filesize
2KB

MD5
c8f9bb079b95f0f981f33f1ac3058078

SHA1
51c811e8e50c47fac5710f3282eed71614069b3b

SHA256
9128311603d540106ceede1f308e42360a43e6021fec575d2d5505365007b2fa

SHA512
c2b2c425812a6c3fe5886198e1d757a0ff706937847035f7ba99707946122f39717ea0eae3c41642632ca9d1ca2901ab5a04b7db26aa35a5d769a1f1e91669dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8775b24fb69d26c37b30fbd8b730e8af

SHA1
8c52cb43837080004d420eb6b57e151c4065f80c

SHA256
4213f8b8404cf4562adfd23e8223c56c144cc1525f5d95ea895b93719e87b417

SHA512
2c8fee5f7f764a54a3feeadf799af0415c848170e00363035b7d5e03872d274fe9223bd0cda3707e34f040e02a0eaf16b30341db520e32ef0224da3d2cd502a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
44b7398d4e80296c6701ad9ad0659780

SHA1
c576c571d767feb8c92f2b29c292590950edfb13

SHA256
73a9866a8cff7db018674aab183a84c00c340f2493165ecbe43304afaf5cb05b

SHA512
4cedeac8095c5c7766c6ea017629b805a5d1989dcf3d1f142dd21f2bd19bc25aabcb8bc362e6135543b79c957320f17aad83bd50ef66e532a412565aa7504826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fe02745fa0484b8d135c0efe88486149

SHA1
71c067975111e58b6acb21abd5dba05f7da8f90f

SHA256
d611e3dfd7c0c3e1d705c91fbeef3f46637b9b2deb6eed4df1885a800972b96d

SHA512
83cb72c068edfedd3a712d83a7c115601c459df01a137d84a57e0a1d355538bfeed71add4c9bf9dd6d4bae4b63cd3f82469fa964d82436a3216b58a794fb5cca

Download Submit
C:\Users\Admin\AppData\Local\Temp\883e7960-a7ed-4b7f-b414-8446eabbb7d5\AgileDotNetRT64.dll

Filesize
4.0MB

MD5
8e839b26c5efed6f41d6e854e5e97f5b

SHA1
5cb71374f72bf6a63ff65a6cda57ff66c3e54836

SHA256
1f2489fcd11f85db723f977f068988e81ed28581a4aec352ba4a2dc31419a011

SHA512
92446d7c2ccf41408d0a6be604b9aba3050192b40be887c2cee8f9aea0bd855503d6b827a8bdd554addd8d7c8ec947033f49060db493f756c3b2b70c04a17093

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZAgent.exe

Filesize
28.3MB

MD5
1b31864d1dd63f9ebb768da2cd340e9c

SHA1
2d56fff3f73bc880e614467341fdeab9474ffae7

SHA256
4b91eb1c4d27fee6d634c73e0d550024c144ca8eff9f64d03f87011fe35cd3eb

SHA512
4c9423460476835d15ec57d0571e35ad7551f11181063b1730d5f0ad88c841ad22aeda1f1311089335892e52456f322cf0ac5d1df86209cd9e6b6f004fe9b856

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZAgent.zip

Filesize
28.1MB

MD5
7908d2ae983310b8d30bd332c00189b4

SHA1
874b30d386ba1f6644ff1287e2eeb782d9a9e759

SHA256
15d8b52eb4181b1c4ab1b2ba78898f9eb50de78d1c22d5d6281cb07e6f6f91b8

SHA512
a6f9d4dd82c97afc6238c9408fa9c27dcaffca36f5dbf60efd8a32918a0e2ff42eb21fe0feb2c5de480bd8a9996d4ba21a9e47643faea0c41de3277a4d8d4b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe

Filesize
99KB

MD5
6c8a405b8243837682378cfbefa92001

SHA1
21a120c6fcca8aff536cb896586131376497bc86

SHA256
a76c4d20c78a6b0e563567a215e14a05525c316bf4eb92e7d11de7e24ae0b7c2

SHA512
12a75d7c4f9af4209a673c994609a15f464368e24eb61e8251a3f8c32a371825809f8197ea47428a150bc0c8ca7b5278c88c63cf9c20a7e60a95f4f98eea3de7

Download Submit
memory/452-51-0x0000013D4A590000-0x0000013D4A5A2000-memory.dmp

Filesize
72KB

Download
memory/452-52-0x0000013D49F80000-0x0000013D49F8A000-memory.dmp

Filesize
40KB

Download
memory/452-46-0x0000013D2EDC0000-0x0000013D2EDDE000-memory.dmp

Filesize
120KB

Download
memory/1476-88-0x00007FF8CD5F0000-0x00007FF8CE119000-memory.dmp

Filesize
11.2MB

Download
memory/1476-73-0x0000000000400000-0x00000000027EC000-memory.dmp

Filesize
35.9MB

Download
memory/1476-85-0x0000000020A00000-0x0000000021A60000-memory.dmp

Filesize
16.4MB

Download
memory/1476-84-0x00007FF8CF190000-0x00007FF8CF2DE000-memory.dmp

Filesize
1.3MB

Download
memory/1476-83-0x00007FF8CD5F0000-0x00007FF8CE119000-memory.dmp

Filesize
11.2MB

Download
memory/1476-81-0x00007FF8CD5F0000-0x00007FF8CE119000-memory.dmp

Filesize
11.2MB

Download
memory/1476-74-0x0000000000400000-0x00000000027EC000-memory.dmp

Filesize
35.9MB

Download
memory/1476-86-0x0000000000400000-0x00000000027EC000-memory.dmp

Filesize
35.9MB

Download
memory/1476-89-0x00007FF8CD5F0000-0x00007FF8CE119000-memory.dmp

Filesize
11.2MB

Download
memory/1476-68-0x0000000000400000-0x00000000027EC000-memory.dmp

Filesize
35.9MB

Download
memory/1476-90-0x000000002AA10000-0x000000002AAC2000-memory.dmp

Filesize
712KB

Download
memory/1476-91-0x000000002AB40000-0x000000002ABB6000-memory.dmp

Filesize
472KB

Download
memory/1476-93-0x00007FF8CD5F0000-0x00007FF8CE119000-memory.dmp

Filesize
11.2MB

Download
memory/1476-95-0x00007FF8CD5F0000-0x00007FF8CE119000-memory.dmp

Filesize
11.2MB

Download
memory/1476-96-0x0000000000400000-0x00000000027EC000-memory.dmp

Filesize
35.9MB

Download
memory/2180-21-0x00007FF8E01F0000-0x00007FF8E033E000-memory.dmp

Filesize
1.3MB

Download
memory/2180-53-0x0000000000400000-0x0000000002606000-memory.dmp

Filesize
34.0MB

Download
memory/2180-50-0x00007FF8EC790000-0x00007FF8ECA59000-memory.dmp

Filesize
2.8MB

Download
memory/2180-49-0x00007FF8CC940000-0x00007FF8CD469000-memory.dmp

Filesize
11.2MB

Download
memory/2180-32-0x00007FF8CC940000-0x00007FF8CD469000-memory.dmp

Filesize
11.2MB

Download
memory/2180-30-0x00007FF8EC790000-0x00007FF8ECA59000-memory.dmp

Filesize
2.8MB

Download
memory/2180-29-0x00007FF8EC790000-0x00007FF8ECA59000-memory.dmp

Filesize
2.8MB

Download
memory/2180-28-0x00007FF8EC790000-0x00007FF8ECA59000-memory.dmp

Filesize
2.8MB

Download
memory/2180-27-0x00007FF8EC790000-0x00007FF8ECA59000-memory.dmp

Filesize
2.8MB

Download
memory/2180-26-0x00007FF8EC7F4000-0x00007FF8EC7F5000-memory.dmp

Filesize
4KB

Download
memory/2180-25-0x0000000000400000-0x0000000002606000-memory.dmp

Filesize
34.0MB

Download
memory/2180-24-0x000000001FB40000-0x000000001FD32000-memory.dmp

Filesize
1.9MB

Download
memory/2180-23-0x000000001E2C0000-0x000000001E336000-memory.dmp

Filesize
472KB

Download
memory/2180-22-0x0000000020810000-0x0000000021668000-memory.dmp

Filesize
14.3MB

Download
memory/2180-1-0x00007FF8EC7F4000-0x00007FF8EC7F5000-memory.dmp

Filesize
4KB

Download
memory/2180-19-0x00007FF8CC940000-0x00007FF8CD469000-memory.dmp

Filesize
11.2MB

Download
memory/2180-20-0x00007FF8EC790000-0x00007FF8ECA59000-memory.dmp

Filesize
2.8MB

Download
memory/2180-17-0x00007FF8CC940000-0x00007FF8CD469000-memory.dmp

Filesize
11.2MB

Download
memory/2180-10-0x00007FF8EC790000-0x00007FF8ECA59000-memory.dmp

Filesize
2.8MB

Download
memory/2180-9-0x0000000000400000-0x0000000002606000-memory.dmp

Filesize
34.0MB

Download
memory/2180-8-0x0000000000400000-0x0000000002606000-memory.dmp

Filesize
34.0MB

Download
memory/2180-7-0x00007FF8EC790000-0x00007FF8ECA59000-memory.dmp

Filesize
2.8MB

Download
memory/2180-2-0x00007FF8EC790000-0x00007FF8ECA59000-memory.dmp

Filesize
2.8MB

Download
memory/2180-3-0x00007FF8EC790000-0x00007FF8ECA59000-memory.dmp

Filesize
2.8MB

Download
memory/2180-4-0x00007FF8EC790000-0x00007FF8ECA59000-memory.dmp

Filesize
2.8MB

Download
memory/2180-0-0x0000000000400000-0x0000000002606000-memory.dmp

Filesize
34.0MB

Download