Malware Analysis Report

2024-12-07 10:20

Sample ID: 241112-3qmvjasmas
Target: aQrxX.exe
SHA256: 52d2425bc2248e6608d05b1e56ba7054fd45f908e8986794ad72f7b5d6821339
Tags: themida evasion ransomware trojan discovery
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 9/10
SHA256: 52d2425bc2248e6608d05b1e56ba7054fd45f908e8986794ad72f7b5d6821339
Threat Level: Likely malicious (the sandbox's verdict for aQrxX.exe)

Editor's reading of the three runs, using only what the report below records:

aQrxX.exe is an unsigned, Themida-packed 64-bit PE (its image is mapped at 0x00007FF7... in every run). The VirtualBox ACPI probe, the BIOS-string queries, the EnableLUA check and the ThreadHideFromDebugger call are all consistent with Themida's own anti-analysis layer, although the report cannot separate the packer's checks from the payload's.

The only host-changing action, identical in all three runs, is cmd.exe /C bcdedit /set hypervisorlaunchtype off. It does not touch the recovery or boot-status settings that ransomware typically edits; it stops the Windows hypervisor from loading at the next boot, which switches off Hyper-V and everything built on it (Virtualization-based Security, HVCI/memory integrity, Credential Guard). The "ransomware" tag is the sandbox's generic rule for any bcdedit modification, not evidence of encryption or a ransom note, neither of which appears here. bcdedit /set needs an elevated token and the report does not record bcdedit's exit status, so whether the change actually took effect is not shown.

The sample enables every well-known token privilege (LUIDs 2 through 36) in one sweep. AdjustTokenPrivileges can only enable privileges the token already holds, so this grants nothing by itself; it does show the sample wants SeDebugPrivilege, SeLoadDriverPrivilege and the rest available wherever they are present.

It drops three DLLs into %TEMP% (233ecf48.dll, 233ecf49.dll, 233ecf4a.dll). Only 233ecf48.dll has the same hash in every run; the other two differ between runs, so only the first hash is a usable file indicator.

Network activity attributable to the sample is a DNS lookup and a TLS connection to machocheats.com at 104.21.0.136 (a Cloudflare-fronted address). The c.pki.goog and fd.api.iris.microsoft.com traffic and the *.in-addr.arpa queries are certificate-validation and background traffic from the Windows sandbox image.

The msedge.exe activity in behavioral3 is Edge's ordinary multi-process startup. The process list for that run is cut off in this extract, so the page does not show what launched Edge.

Malicious Activity Summary

themida evasion ransomware trojan discovery

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies boot configuration data using bcdedit

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Browser Information Discovery

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-11-12 23:43

Signatures

Themida packer [tag: themida]
1 match, no indicator details recorded.

Unsigned PE
1 match, no indicator details recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 23:43

Reported

2024-11-12 23:46

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aQrxX.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) [tag: evasion]

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A

Modifies boot configuration data using bcdedit [tags: ransomware evasion]

Process: C:\Windows\system32\bcdedit.exe (no indicator details recorded; the command line is under Processes below)

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A

Themida packer [tag: themida]

3 matches, no indicator details recorded.

Checks whether UAC is enabled [tags: evasion trojan]

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
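The four registry probes recorded for this run (the VBOX__ ACPI table, the two BIOS strings and EnableLUA) are the host fingerprint the sample builds before it does anything else. The script below, an added example that is not part of the sandbox report, re-runs exactly those probes so an analysis VM can be checked for the same give-aways before the next detonation. The registry reader is injectable: on Windows live_reader() uses winreg, elsewhere the constructed snapshots stand in. The hypervisor marker strings, the snapshots and the reader interface are this example's own assumptions, not strings recovered from the binary.

```python
"""Re-run the registry probes this sample uses to fingerprint its host, so an
analysis VM can be checked for the same give-aways before the next detonation.

Added example, not part of the report. The probe list is the four keys the
signatures above record; the hypervisor marker strings, the two registry
snapshots and the reader interface are this example's own assumptions."""
import re
from typing import Callable, Dict, List, Optional

# (HKLM-relative key, value name or None for "does the key exist", meaning)
PROBES = [
    (r"HARDWARE\ACPI\DSDT\VBOX__", None, "VirtualBox ACPI DSDT table name present"),
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion", "system BIOS string"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion", "video BIOS string"),
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "UAC enabled flag"),
]
# Substrings that give a hypervisor away in BIOS strings (assumed, not exhaustive).
VM_MARKERS = re.compile(r"vbox|virtualbox|vmware|qemu|bochs|xen|hyper-v|virtual machine|parallels", re.I)

# reader(key, value_name) -> value data; reader(key, None) -> True if the key
# exists; None when the key or value is absent.
Reader = Callable[[str, Optional[str]], Optional[object]]


def fake_reader(snapshot: Dict[str, Dict[str, object]]) -> Reader:
    """Reader over an in-memory {key: {value_name: data}} snapshot (keys lower-case)."""
    def read(key: str, value_name: Optional[str]) -> Optional[object]:
        values = snapshot.get(key.lower())
        if values is None:
            return None
        return True if value_name is None else values.get(value_name.lower())
    return read


def live_reader() -> Reader:
    """Reader over the real HKLM hive; winreg only exists on Windows."""
    import winreg

    def read(key: str, value_name: Optional[str]) -> Optional[object]:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                if value_name is None:
                    return True
                return winreg.QueryValueEx(handle, value_name)[0]
        except OSError:
            return None
    return read


def assess(reader: Reader) -> List[dict]:
    """One finding per artifact that would tell this sample it is inside a VM
    or on a host with UAC switched off."""
    findings = []
    for key, value_name, meaning in PROBES:
        data = reader(key, value_name)
        if data is None:
            continue
        if value_name is None:
            findings.append({"key": key, "value": None, "data": True, "meaning": meaning})
        elif value_name == "EnableLUA":
            if data == 0:
                findings.append({"key": key, "value": value_name, "data": data,
                                 "meaning": "UAC disabled; the sample checks this value"})
        else:
            # REG_MULTI_SZ values come back from winreg as a list of strings.
            text = " ".join(data) if isinstance(data, (list, tuple)) else str(data)
            if VM_MARKERS.search(text):
                findings.append({"key": key, "value": value_name, "data": text,
                                 "meaning": meaning + " names a hypervisor"})
    return findings


# Constructed snapshots: a stock VirtualBox guest and one with the artifacts scrubbed.
VIRTUALBOX_GUEST = {
    r"hardware\acpi\dsdt\vbox__": {},
    r"hardware\description\system": {"systembiosversion": ["VBOX   - 1"],
                                     "videobiosversion": ["Oracle VM VirtualBox VBE Adapter"]},
    r"software\microsoft\windows\currentversion\policies\system": {"enablelua": 1},
}
HARDENED_GUEST = {
    r"hardware\description\system": {"systembiosversion": ["DELL   - 1072009"],
                                     "videobiosversion": ["Intel Video BIOS"]},
    r"software\microsoft\windows\currentversion\policies\system": {"enablelua": 1},
}

if __name__ == "__main__":
    import sys
    reader = live_reader() if sys.platform == "win32" else fake_reader(VIRTUALBOX_GUEST)
    for hit in assess(reader):
        print(f"{hit['key']} {hit['value'] or ''}: {hit['meaning']} ({hit['data']})")
```

A clean result from assess() on the analysis VM means this sample's recorded probes would see nothing; it says nothing about probes the report did not capture (CPUID, MAC prefixes, driver names), so treat it as a regression check for these four keys, not as proof the VM is invisible.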

Suspicious use of NtSetInformationThreadHideFromDebugger

Process: C:\Users\Admin\AppData\Local\Temp\aQrxX.exe (1 match, no indicator details recorded)

Suspicious behavior: EnumeratesProcesses

Process: C:\Users\Admin\AppData\Local\Temp\aQrxX.exe (2 matches, no indicator details recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: 31 (SeTrustedCredManAccessPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: 32 (SeRelabelPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A

Rows 31 to 36 are privilege LUIDs the sandbox did not resolve; the names in parentheses are the well-known Windows values for those LUIDs. Together with the 29 named rows above, the sample adjusts every well-known privilege from LUID 2 (SeCreateTokenPrivilege) to 36, which is the footprint of a loop over all privileges rather than a request for any particular one. AdjustTokenPrivileges can only enable privileges the token already holds, so the sweep grants nothing by itself.

Suspicious use of FindShellTrayWindow

Process: C:\Users\Admin\AppData\Local\Temp\aQrxX.exe (1 match, no indicator details recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 208 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe C:\Windows\SYSTEM32\cmd.exe
PID 208 wrote to memory of 468 (2 events) N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aQrxX.exe

"C:\Users\Admin\AppData\Local\Temp\aQrxX.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C bcdedit /set hypervisorlaunchtype off

C:\Windows\system32\bcdedit.exe

bcdedit /set hypervisorlaunchtype off
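The process tree above (aQrxX.exe in %TEMP% spawning cmd.exe, which spawns bcdedit.exe) is what a detection should key on: a bcdedit /set that weakens the platform, attributed past the command shell to whatever started the chain. The following is an added example written for this page, not code from the sandbox or its author. It parses the bcdedit command line wherever it sits in the line, matches the BCD element and value against a small rule set (hypervisorlaunchtype off as seen here, plus the recovery and code-signing settings ransomware and driver loaders typically touch), and raises severity when the chain is rooted in a user-writable directory. The first three events reproduce this run's command lines and PIDs; the parent PID of the sample and the other events are constructed.

```python
"""Flag boot-configuration tampering (bcdedit /set ...) in process-creation
telemetry and attribute it to the non-shell ancestor that started the chain.

Added example, not part of the sandbox report. The events below are
constructed: the first three mirror the behavioral1 tree (aQrxX.exe -> cmd.exe
-> bcdedit.exe) with the command lines the report records; the rest are
made-up benign and ransomware-style cases for contrast."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    command_line: str


# BCD elements whose listed values weaken the platform, and why they matter.
BCD_RULES: Dict[str, Tuple[Set[str], str]] = {
    "hypervisorlaunchtype": ({"off"},
        "hypervisor not started at next boot: Hyper-V, VBS, HVCI and Credential Guard stop working"),
    "recoveryenabled": ({"no", "false", "0"},
        "Windows Recovery Environment disabled (classic ransomware preparation)"),
    "bootstatuspolicy": ({"ignoreallfailures"},
        "boot-failure recovery prompts suppressed (classic ransomware preparation)"),
    "nointegritychecks": ({"on", "yes", "true", "1"},
        "kernel-mode code-signing enforcement disabled"),
    "testsigning": ({"on", "yes", "true", "1"},
        "test-signed drivers allowed to load"),
}

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Directories an unprivileged user can write to; a bcdedit chain rooted there is
# the pattern in this report (aQrxX.exe ran from %LOCALAPPDATA%\Temp).
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\[^\\]+\\appdata|programdata|windows\\temp)\\", re.I)
TOKEN = re.compile(r'"[^"]*"|\S+')


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_bcdedit_set(command_line: str) -> Optional[Tuple[str, str]]:
    """Return (element, value) from 'bcdedit /set [{id}] <element> <value>',
    wherever bcdedit sits in the line (e.g. behind 'cmd.exe /C'); else None."""
    argv = [t.strip('"') for t in TOKEN.findall(command_line)]
    for i, tok in enumerate(argv):
        if basename(tok) in ("bcdedit", "bcdedit.exe"):
            rest = argv[i + 1:]
            break
    else:
        return None
    if not rest or rest[0].lower() not in ("/set", "-set"):
        return None
    rest = rest[1:]
    if rest and rest[0].startswith("{"):        # optional entry id such as {current}
        rest = rest[1:]
    if len(rest) < 2:
        return None
    return rest[0].lower(), rest[1].lower()


def originating_process(event: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> ProcessEvent:
    """Walk up the parent chain past command shells to the process that started it."""
    cur, seen = event, set()
    while cur.pid not in seen:
        seen.add(cur.pid)
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return cur                      # chain root is not in the telemetry
        if basename(parent.image) not in SHELLS:
            return parent
        cur = parent
    return cur


def scan(events: List[ProcessEvent]) -> List[dict]:
    """One finding per bcdedit /set matching BCD_RULES; severity is raised when
    the chain is rooted in a user-writable directory."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if basename(ev.image) != "bcdedit.exe":
            continue
        parsed = parse_bcdedit_set(ev.command_line)
        if parsed is None:
            continue
        element, value = parsed
        rule = BCD_RULES.get(element)
        if rule is None or value not in rule[0]:
            continue
        origin = originating_process(ev, by_pid)
        findings.append({
            "pid": ev.pid, "element": element, "value": value, "why": rule[1],
            "origin": origin.image,
            "severity": "high" if USER_WRITABLE.match(origin.image) else "medium",
        })
    return findings


SAMPLE_EVENTS = [
    # From behavioral1 of the report; the sample's own parent PID (1000) is assumed.
    ProcessEvent(2412, 1000, r"C:\Users\Admin\AppData\Local\Temp\aQrxX.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\aQrxX.exe"'),
    ProcessEvent(208, 2412, r"C:\Windows\SYSTEM32\cmd.exe",
                 "cmd.exe /C bcdedit /set hypervisorlaunchtype off"),
    ProcessEvent(468, 208, r"C:\Windows\system32\bcdedit.exe",
                 "bcdedit /set hypervisorlaunchtype off"),
    # Constructed: an administrator turning the hypervisor back on from a shell.
    ProcessEvent(900, 1000, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcessEvent(901, 900, r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /set {current} hypervisorlaunchtype auto"),
    # Constructed: ransomware-style recovery tampering from a ProgramData dropper.
    ProcessEvent(950, 1000, r"C:\ProgramData\svc\upd.exe", r'"C:\ProgramData\svc\upd.exe"'),
    ProcessEvent(951, 950, r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /set {default} recoveryenabled No"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid {f['pid']}: {f['element']}={f['value']} "
              f"from {f['origin']}: {f['why']}")
```

On a host you suspect has already run this sample, the state to verify is the BCD itself: bcdedit /enum {current} should show hypervisorlaunchtype Auto on a machine that relies on VBS, and bcdedit /set hypervisorlaunchtype auto followed by a reboot restores it.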

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 machocheats.com udp
US 104.21.0.136:443 machocheats.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 136.0.21.104.in-addr.arpa udp
N/A 127.0.0.1:52702 tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

memory/2412-0-0x00007FF7D68E0000-0x00007FF7DC803000-memory.dmp

memory/2412-1-0x00007FF8DA254000-0x00007FF8DA255000-memory.dmp

memory/2412-2-0x00007FF8DA1F0000-0x00007FF8DA4B9000-memory.dmp

memory/2412-3-0x0000000180000000-0x000000018003E000-memory.dmp

memory/2412-5-0x0000015009000000-0x0000015009240000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\233ecf48.dll

MD5 e9220227f57e64dfc6e5491437461943
SHA1 ade5ca8c79862ff7cc3069be96d7b08701db7bb8
SHA256 4b2763e236905ef34b0aeca3a41de959ba2157a7cd8749dc09a06658a52bb0fe
SHA512 1847b2c4f39e061bca854a05c3e9523728157e6447531f7f14fe66dc4f294f374b3159e123fbf91fd2aee918ed68816c4fa3ead437844731d9e7a68012f6551b

memory/2412-4-0x0000015009000000-0x0000015009240000-memory.dmp

memory/2412-16-0x000001500C280000-0x000001500F32D000-memory.dmp

memory/2412-26-0x0000015008DD0000-0x0000015008E43000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\233ecf49.dll

MD5 859881314c10268848aeb1186fd82d6c
SHA1 aa4d7edf9638c6b65d711adbc49b3c35555a36a3
SHA256 b83f2a2c0a1d84bac1f58b3f1a4a801714c275df697ee546c634c43b11d2cc1b
SHA512 222c5629542629454ae17f19613a0261703ebd4050b3490bd42c87260c933fd469c361ab095caaa182486587fc25c717779396ee38c0d02f636ad142f40e7c5d

memory/2412-27-0x0000015008DD0000-0x0000015008E43000-memory.dmp

memory/2412-37-0x0000000180000000-0x000000018003E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\233ecf4a.dll

MD5 252688103f035a1dfd918460c9cffda5
SHA1 1e170a6196891b72f141b3a00ef7dbd542a68cca
SHA256 b7396573978fa80211d80d5e5b539d52c57138b00fc2a347dd5216a45c29b302
SHA512 d7e126e672f0fadd9f7a3ba4da479e5521d254a0a43d0296a610c3c7725b4af568b386f4cc5067cb3ed600eb140ed7e8fadacb3f60e45e815c30431f35851f63

memory/2412-43-0x00007FF7D68E0000-0x00007FF7DC803000-memory.dmp

memory/2412-44-0x00007FF7D68E0000-0x00007FF7DC803000-memory.dmp

memory/2412-46-0x00007FF8DA1F0000-0x00007FF8DA4B9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 23:43

Reported

2024-11-12 23:46

Platform

win10ltsc2021-20241023-en

Max time kernel

140s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aQrxX.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) [tag: evasion]

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A

Modifies boot configuration data using bcdedit [tags: ransomware evasion]

Process: C:\Windows\system32\bcdedit.exe (no indicator details recorded; the command line is under Processes below)

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A

Themida packer [tag: themida]

5 matches, no indicator details recorded.

Checks whether UAC is enabled [tags: evasion trojan]

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Process: C:\Users\Admin\AppData\Local\Temp\aQrxX.exe (1 match, no indicator details recorded)

Suspicious behavior: EnumeratesProcesses

Process: C:\Users\Admin\AppData\Local\Temp\aQrxX.exe (2 matches, no indicator details recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: 31 (SeTrustedCredManAccessPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: 32 (SeRelabelPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A

Rows 31 to 36 are privilege LUIDs the sandbox did not resolve; the names in parentheses are the well-known Windows values for those LUIDs.

Suspicious use of FindShellTrayWindow

Process: C:\Users\Admin\AppData\Local\Temp\aQrxX.exe (1 match, no indicator details recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4932 wrote to memory of 476 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe C:\Windows\SYSTEM32\cmd.exe
PID 476 wrote to memory of 3020 (2 events) N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aQrxX.exe

"C:\Users\Admin\AppData\Local\Temp\aQrxX.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C bcdedit /set hypervisorlaunchtype off

C:\Windows\system32\bcdedit.exe

bcdedit /set hypervisorlaunchtype off

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 66.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 machocheats.com udp
US 104.21.0.136:443 machocheats.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
N/A 127.0.0.1:49821 tcp
US 8.8.8.8:53 136.0.21.104.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.36.55:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/4932-0-0x00007FF7AF180000-0x00007FF7B50A3000-memory.dmp

memory/4932-1-0x00007FF9E44B0000-0x00007FF9E46A8000-memory.dmp

memory/4932-2-0x0000000180000000-0x000000018003E000-memory.dmp

memory/4932-4-0x0000025570980000-0x0000025570BC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\233ecf48.dll

MD5 e9220227f57e64dfc6e5491437461943
SHA1 ade5ca8c79862ff7cc3069be96d7b08701db7bb8
SHA256 4b2763e236905ef34b0aeca3a41de959ba2157a7cd8749dc09a06658a52bb0fe
SHA512 1847b2c4f39e061bca854a05c3e9523728157e6447531f7f14fe66dc4f294f374b3159e123fbf91fd2aee918ed68816c4fa3ead437844731d9e7a68012f6551b

memory/4932-3-0x0000025570980000-0x0000025570BC0000-memory.dmp

memory/4932-15-0x0000025573C00000-0x0000025576CAD000-memory.dmp

memory/4932-25-0x00000255707D0000-0x0000025570843000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\233ecf49.dll

MD5 598d0d21e75382fd49880ea460ef7f55
SHA1 4ff1b6aa7757131817eb115d3c08d624418f3f0e
SHA256 e0d1b81bd04378e5d9cbf44ae9731fbd49c8aa02ff397c1a45e92475fef4a7a1
SHA512 03e3557f0eb2424b41bd269055d1a1790ff2897bb1bffcd6e414e3737e85a06ed3c1dc493985fe1bf5a3f4111d0901fb00ab507d758acdcbe459b1848b334112

C:\Users\Admin\AppData\Local\Temp\233ecf4a.dll

MD5 7e770bc24e0a574d4e7d1822bf2f119b
SHA1 0753377316658726591ee2849edef7f46bcab157
SHA256 62d0dafe189de1d3d7274f86308e4d403a809bef26508b13bcecfc9e6272947e
SHA512 9aa58eabbc410ebbb87615677edf0cdcf6083e9069a5422f7a87e0f1cd0fcb9f513e9ff59a1e88acbce107037220a88eb2ffdece92ad797ba00ea4e1c89a3577

memory/4932-26-0x00000255707D0000-0x0000025570843000-memory.dmp

memory/4932-36-0x0000000180000000-0x000000018003E000-memory.dmp

memory/4932-42-0x00007FF7AF180000-0x00007FF7B50A3000-memory.dmp

memory/4932-44-0x00007FF7AF180000-0x00007FF7B50A3000-memory.dmp

memory/4932-43-0x00007FF7AF180000-0x00007FF7B50A3000-memory.dmp

memory/4932-45-0x00007FF9E44B0000-0x00007FF9E46A8000-memory.dmp

memory/4932-46-0x00007FF9E44B0000-0x00007FF9E46A8000-memory.dmp

memory/4932-47-0x00007FF7AF180000-0x00007FF7B50A3000-memory.dmp
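Comparing the Files and Network sections of behavioral1 and behavioral2 shows which of the report's artifacts survive as indicators: 233ecf48.dll has the same SHA-256 in both runs, 233ecf49.dll and 233ecf4a.dll do not, and the only destination that is both repeated and not sandbox background noise is machocheats.com. The script below, an added example and not part of the report, does that reduction mechanically so the same rule can be applied to the next multi-run report. The hashes and destinations are copied from the two runs above (reverse-DNS rows trimmed); which domains count as the sandbox image's background traffic is this example's assumption.

```python
"""Reduce a multi-run sandbox report to indicators worth keeping: a dropped
file's hash is only usable if it is identical in every run, and network
destinations need the sandbox image's own background traffic removed.

Added example, not part of the report. The hashes and destinations are copied
from behavioral1 and behavioral2 (reverse-DNS rows trimmed); which domains
count as background traffic is this example's assumption."""
from typing import Dict, List, Set, Tuple

DROPPED: Dict[str, Dict[str, str]] = {  # run -> {filename: sha256}
    "behavioral1": {
        "233ecf48.dll": "4b2763e236905ef34b0aeca3a41de959ba2157a7cd8749dc09a06658a52bb0fe",
        "233ecf49.dll": "b83f2a2c0a1d84bac1f58b3f1a4a801714c275df697ee546c634c43b11d2cc1b",
        "233ecf4a.dll": "b7396573978fa80211d80d5e5b539d52c57138b00fc2a347dd5216a45c29b302",
    },
    "behavioral2": {
        "233ecf48.dll": "4b2763e236905ef34b0aeca3a41de959ba2157a7cd8749dc09a06658a52bb0fe",
        "233ecf49.dll": "e0d1b81bd04378e5d9cbf44ae9731fbd49c8aa02ff397c1a45e92475fef4a7a1",
        "233ecf4a.dll": "62d0dafe189de1d3d7274f86308e4d403a809bef26508b13bcecfc9e6272947e",
    },
}

NETWORK: Dict[str, List[Tuple[str, str, str]]] = {  # run -> [(destination, domain, proto)]
    "behavioral1": [
        ("8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
        ("8.8.8.8:53", "machocheats.com", "udp"),
        ("104.21.0.136:443", "machocheats.com", "tcp"),
        ("8.8.8.8:53", "c.pki.goog", "udp"),
        ("142.250.187.227:80", "c.pki.goog", "tcp"),
        ("127.0.0.1:52702", "", "tcp"),
    ],
    "behavioral2": [
        ("8.8.8.8:53", "machocheats.com", "udp"),
        ("104.21.0.136:443", "machocheats.com", "tcp"),
        ("8.8.8.8:53", "c.pki.goog", "udp"),
        ("142.250.187.227:80", "c.pki.goog", "tcp"),
        ("127.0.0.1:49821", "", "tcp"),
        ("8.8.8.8:53", "fd.api.iris.microsoft.com", "udp"),
        ("20.223.36.55:443", "fd.api.iris.microsoft.com", "tcp"),
    ],
}

# Assumed background traffic of the sandbox image: certificate revocation checks
# (c.pki.goog) and Windows Spotlight/content delivery (fd.api.iris.microsoft.com).
BACKGROUND_DOMAINS = {"c.pki.goog", "fd.api.iris.microsoft.com"}
SANDBOX_RESOLVER = "8.8.8.8:53"


def stable_file_hashes(dropped: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Files dropped in every run with the same SHA-256 each time."""
    runs = list(dropped.values())
    common = set.intersection(*(set(r) for r in runs))
    return {name: runs[0][name] for name in sorted(common)
            if all(r[name] == runs[0][name] for r in runs)}


def volatile_files(dropped: Dict[str, Dict[str, str]]) -> List[str]:
    """Files dropped in every run whose content changes per run (hash useless as an IOC)."""
    common = set.intersection(*(set(r) for r in dropped.values()))
    return sorted(common - set(stable_file_hashes(dropped)))


def is_background(destination: str, domain: str) -> bool:
    host = destination.rpartition(":")[0]
    return (host.startswith("127.")                 # loopback
            or domain.endswith(".in-addr.arpa")     # reverse lookups issued by the OS
            or domain in BACKGROUND_DOMAINS)


def network_iocs(network: Dict[str, List[Tuple[str, str, str]]]) -> List[Tuple[str, str]]:
    """Domains and endpoints contacted in every run, background traffic removed.
    The resolver itself is never an indicator; the name it was asked for is."""
    per_run: List[Set[Tuple[str, str]]] = []
    for rows in network.values():
        seen: Set[Tuple[str, str]] = set()
        for destination, domain, proto in rows:
            if is_background(destination, domain):
                continue
            if domain:
                seen.add(("domain", domain))
            if destination != SANDBOX_RESOLVER:
                seen.add(("endpoint", f"{proto}/{destination}"))
        per_run.append(seen)
    return sorted(set.intersection(*per_run))


if __name__ == "__main__":
    print("stable dropped files:", stable_file_hashes(DROPPED))
    print("per-run dropped files:", volatile_files(DROPPED))
    for kind, value in network_iocs(NETWORK):
        print(f"{kind}: {value}")
```

The per-run files are still useful as path indicators (%TEMP%\233ecf4?.dll) even though their hashes are not; and 104.21.0.136 sits behind Cloudflare, so the domain is the durable network indicator and the IP should be treated as transient.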

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-12 23:43

Reported

2024-11-12 23:46

Platform

win11-20241007-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aQrxX.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) [tag: evasion]

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A

Modifies boot configuration data using bcdedit [tags: ransomware evasion]

Process: C:\Windows\system32\bcdedit.exe (no indicator details recorded; the command line is not included in this extract)

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A

Themida packer [tag: themida]

3 matches, no indicator details recorded.

Checks whether UAC is enabled [tags: evasion trojan]

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Process: C:\Users\Admin\AppData\Local\Temp\aQrxX.exe (1 match, no indicator details recorded)

Browser Information Discovery [tag: discovery]

No indicator rows recorded.

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

All three rows come from msedge.exe, not from aQrxX.exe. Chromium-based browsers read SystemManufacturer and SystemProductName themselves for hardware-model reporting, so this signature reflects Edge's own startup; it only says something about the sample if the process tree (not included in this extract) shows aQrxX.exe launching Edge.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: 31 (SeTrustedCredManAccessPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: 32 (SeRelabelPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe N/A

Rows 31 to 36 are privilege LUIDs the sandbox did not resolve; the names in parentheses are the well-known Windows values for those LUIDs.

Suspicious use of FindShellTrayWindow

Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (26 matches, no indicator details recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3672 wrote to memory of 1956 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\aQrxX.exe C:\Windows\SYSTEM32\cmd.exe
PID 1956 wrote to memory of 4648 (2 events) N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4380 wrote to memory of 4160 (2 events) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1120 (40 events) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1584 (2 events) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1880 (12 events) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

The msedge.exe-to-msedge.exe writes are the Edge browser process setting up its own renderer and utility children; the table continues past the end of this extract.
PID 4380 wrote to memory of 1880 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1880 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1880 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4380 wrote to memory of 1880 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aQrxX.exe

"C:\Users\Admin\AppData\Local\Temp\aQrxX.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C bcdedit /set hypervisorlaunchtype off

C:\Windows\system32\bcdedit.exe

bcdedit /set hypervisorlaunchtype off

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb55ed3cb8,0x7ffb55ed3cc8,0x7ffb55ed3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1732,4384251862818810449,6483178555938758417,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1828 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1732,4384251862818810449,6483178555938758417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1732,4384251862818810449,6483178555938758417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,4384251862818810449,6483178555938758417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,4384251862818810449,6483178555938758417,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,4384251862818810449,6483178555938758417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,4384251862818810449,6483178555938758417,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1732,4384251862818810449,6483178555938758417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4592 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1732,4384251862818810449,6483178555938758417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,4384251862818810449,6483178555938758417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,4384251862818810449,6483178555938758417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,4384251862818810449,6483178555938758417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,4384251862818810449,6483178555938758417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,4384251862818810449,6483178555938758417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,4384251862818810449,6483178555938758417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1

Network

Country  Destination           Domain                         Proto
N/A      127.0.0.1:49776       N/A                            tcp
US       8.8.8.8:53            machocheats.com                udp
US       104.21.0.136:443      machocheats.com                tcp
GB       142.250.187.227:80    c.pki.goog                     tcp
US       8.8.8.8:53            136.0.21.104.in-addr.arpa      udp
US       8.8.8.8:53            68.208.201.84.in-addr.arpa     udp
GB       92.123.128.142:443    www.bing.com                   tcp
N/A      224.0.0.251:5353      N/A                            udp
GB       92.123.128.170:443    r.bing.com                     tcp
GB       92.123.128.170:443    r.bing.com                     tcp
GB       92.123.128.174:443    th.bing.com                    tcp
GB       92.123.128.174:443    th.bing.com                    tcp
US       66.254.114.41:443     www.pornhub.com                tcp
US       66.254.114.41:443     www.pornhub.com                tcp
GB       64.210.156.19:443     static.trafficjunky.com        tcp
GB       64.210.156.19:443     static.trafficjunky.com        tcp
GB       64.210.156.19:443     static.trafficjunky.com        tcp
GB       64.210.156.19:443     static.trafficjunky.com        tcp
GB       64.210.156.19:443     static.trafficjunky.com        tcp
GB       64.210.156.19:443     static.trafficjunky.com        tcp
GB       64.210.156.18:443     static.trafficjunky.com        tcp
GB       64.210.156.18:443     static.trafficjunky.com        tcp
US       66.254.114.156:443    cdn1-smallimg.phncdn.com       tcp
GB       64.210.156.18:443     static.trafficjunky.com        tcp
GB       64.210.156.19:443     static.trafficjunky.com        tcp
US       8.8.8.8:53            156.114.254.66.in-addr.arpa    udp
US       8.8.8.8:53            200.187.250.142.in-addr.arpa   udp
US       8.8.8.8:53            237.21.107.13.in-addr.arpa     udp
US       66.254.114.171:443    a.adtng.com                    tcp
US       66.254.114.171:443    a.adtng.com                    tcp
US       216.239.32.36:443     region1.google-analytics.com   tcp
GB       64.210.156.23:443     ht-cdn2.adtng.com              tcp
GB       64.210.156.1:443      hw-cdn2.adtng.com              tcp
GB       64.210.156.1:443      hw-cdn2.adtng.com              tcp
GB       64.210.156.1:443      hw-cdn2.adtng.com              tcp
GB       142.250.178.27:443    storage.googleapis.com         tcp
US       216.239.32.36:443     region1.google-analytics.com   udp
GB       216.58.204.67:443     www.google.co.uk               tcp
BE       66.102.1.155:443      stats.g.doubleclick.net        tcp
US       216.239.32.36:443     region1.google-analytics.com   tcp
US       216.239.32.36:443     region1.google-analytics.com   udp

Files

memory/3672-0-0x00007FF7E9D60000-0x00007FF7EFC83000-memory.dmp

memory/3672-1-0x00007FFB63EDA000-0x00007FFB63EDB000-memory.dmp

memory/3672-2-0x00007FFB63EC0000-0x00007FFB63F7D000-memory.dmp

memory/3672-3-0x0000000180000000-0x000000018003E000-memory.dmp

memory/3672-4-0x0000028B82F50000-0x0000028B83190000-memory.dmp

memory/3672-5-0x0000028B82F50000-0x0000028B83190000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\233ecf48.dll

MD5 e9220227f57e64dfc6e5491437461943
SHA1 ade5ca8c79862ff7cc3069be96d7b08701db7bb8
SHA256 4b2763e236905ef34b0aeca3a41de959ba2157a7cd8749dc09a06658a52bb0fe
SHA512 1847b2c4f39e061bca854a05c3e9523728157e6447531f7f14fe66dc4f294f374b3159e123fbf91fd2aee918ed68816c4fa3ead437844731d9e7a68012f6551b

memory/3672-16-0x0000028B861D0000-0x0000028B8927D000-memory.dmp

memory/3672-26-0x0000028B82D20000-0x0000028B82D93000-memory.dmp

memory/3672-27-0x0000028B82D20000-0x0000028B82D93000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\233ecf49.dll

MD5 8892946ed3a3f3ed98704b8c0174c668
SHA1 7ebc9310eeda8bc844d9eeb1bb35695d847ea0c9
SHA256 37c4ece6cbb475b45187d2bfa16115b3022fbdc3d4bcca338a0cc889c1242da7
SHA512 eaefb0cc567e4105db25c37cb2fee05d033a86f7b445ef09cf1077aac925b95eee374545335c24394f354c209b658b2c9e8c365a3cec8f279ad354895fabced4

C:\Users\Admin\AppData\Local\Temp\233ecf4a.dll

MD5 ecdc9b79f273bec04be94fc42fc605cf
SHA1 6fb9503aa8bbdbd81656f593aa916ca8e7bc197f
SHA256 bca13cc458c102b8b15ea3234e9a95a661f1cfe4bdac0a3d95b6962e25c79b87
SHA512 457acdcc8a1fc4cc9562fe1d4a96dc8da1f1c489fb4de473e5e2c515bd95c86b909b7a62e97afe83796c8c768af1e96ebe0096ab7c932c4481ea1beb22cee359

memory/3672-37-0x0000000180000000-0x000000018003E000-memory.dmp

memory/3672-43-0x00007FF7E9D60000-0x00007FF7EFC83000-memory.dmp

memory/3672-44-0x00007FF7E9D60000-0x00007FF7EFC83000-memory.dmp

memory/3672-46-0x00007FFB63EC0000-0x00007FFB63F7D000-memory.dmp

C:\Users\Admin\Desktop\EditSelect.ini

MD5 9439086f6a8767634c381d5c69ed1e69
SHA1 cb25d00bb8daa6e004649736019acaed91f67e16
SHA256 dc8d98e93c04fc4db45a39143e4d261a3e965ee5efda455204e256134aff6229
SHA512 98438cf8dcf3e2243d80ae50e351c13d1055f0a051c6be68201cfecd30f1473cd67ce708166a7ca80601758143d899629a6cce5719006685c236706f7a9d62b9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e11c77d0fa99af6b1b282a22dcb1cf4a
SHA1 2593a41a6a63143d837700d01aa27b1817d17a4d
SHA256 d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0
SHA512 c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

\??\pipe\LOCAL\crashpad_4380_ZFLCWKQJSZAHNEDI

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c0a1774f8079fe496e694f35dfdcf8bc
SHA1 da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3
SHA256 c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb
SHA512 60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 51203d566de0fcf85c421575c281b9bf
SHA1 f6b240f6573ab05f85414ac39f099dcbc14e9c3d
SHA256 ca713a05f890839677a9ffc94350cef1be2f6125abc8ad8adeef4575facb4a2c
SHA512 7f4e0f0fac1cda3728ddbb83885d50742109e24aa8f936c5b7530b57735a5c8edab33af00b72cae8f28907f05f3f1d1300b82197845d6649e0a276fada120440

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d94ad84781027ed8e466838ef93d0678
SHA1 587e16ee45c8f196483edb968a19d0cc02188319
SHA256 d09f0ca737f3c83d9313aa3cd4ff8a972704dc33ee601ef1352b9c5fa7596ac1
SHA512 f47c06c49a5c1c4f5614d1329ab809cf2056ce7003c1f4ef552887cffba1e23ad7c58dfbbc80b581c7dfc22d775d556f5cb3c46b43e2e7d3978132ff230dad5c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8e1ca6e10b4280faa260c4e6e83e2b35
SHA1 260607340a49208aef7c47eeaa4d7468937a5d0a
SHA256 75b619076b44ae66aed30f81aeb69c04e5249e8003f9e8d3b1c42df9cff9c36e
SHA512 b58a76848b5a960f157d9be34541db5365263b46bf9067485fc7d8ab8c9d2eb39bab33e148427437ed92dfed5d0e09496f7289e640f5494b4af7b9bb98371c57

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 d58d7baae787009d5d111dbae1dd46fc
SHA1 e0aca9ca4382756ab80a6c45cc7ee8ab08a6b1b2
SHA256 b618ba0e3b665afb143124254395e43b809c3bfc9ac2d3c4f974e96673f109f6
SHA512 d2954d5041c3f6b057ea31a6b0ceff1fdd559bb952d481008a3afda64ac6f819ae3d4a2cf5c9132452945bd7149bbee2b577b4de99b1ded37d3c443dcc233e86

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 97ab3a7b8839025432328daf93f2e226
SHA1 a90da51946061d497c1df97ebd32c36b88b397ba
SHA256 33cd0cc7e8b57c225a329919f67517cd49590f0c1d5d7e3e41b35c4d7729fb0b
SHA512 8c9b949e059cefe28b45b8ef6cb9f2dc8b599ca480ddc17f4b1e849299508047a2086ba05df21bbbb3f24d0e852f315a1e159ca81e7ff86a480cb0d67a02ab2f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 293a19867eb6a2f01feff00d9a23500b
SHA1 1f55d91e5f86ea6f60ebceb55bcd0081c3fad995
SHA256 585b96c708fdd669ad2addace416779a7476ac32143ba42b2b1b6cc66d36810d
SHA512 1cd08ad6a20774b483e0cce3cbcd760da10fbfea60950545445781051eaeae23cbc77e5660798fd2124c3199515701600175bffa5377691c0eed5d120c6ef11f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c9a93681b2e2dad3a443d39c7a7f9da8
SHA1 724d58d6124c5642965dae2c056bd6e363b53066
SHA256 061c64b260c744fb1032c84e346b7afb5ffb09f2611672484ce045f0366e1503
SHA512 314f88cf8e1ffcc8e8fd1d6f880936875f6ae1064b02686c18f79964dcd2e5e232bdf75ca47c7f959c1b5aa414e6d67c558b92f62304c36337a530b92e9df68e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe599198.TMP

MD5 75108db8f0d5b7618809f0bc6af95af0
SHA1 aa83a1f476ff618519ee314d9fd0280bdf7c1921
SHA256 b9bb7c142ed381ecda1149a1d2468029c7e372290e04481a7d6700c44ed9fec0
SHA512 f62dea20ddbcf5859062941dc0e074df1b3f870cd109d844b0799ea78cf8b6e75fa7b28eb81163a28aef46a14921c0e32611fe144f09a0bc6ec975ba3a63cb78

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 c3ed591ce380de6c552d09f8dc04a0a7
SHA1 ffc83cc76c1e9975164f59149506b466a2b4d0b5
SHA256 963e8478faeb6fb42618bc51348a40c6fa8d8c59788fa4135b0e717671a4e1ef
SHA512 dc16a2833045ce2ad2de2845cae9cdf9b727ab45620c70db1c17012a7f49c935484836932f604f0e3e69c47a8029907e40340f7604a8dd4a28d406c9dc4e36f2