healer | 99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2025 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe
Size

1.8MB
MD5

10cd3ebe6be3397f2c4b391d682692a5
SHA1

02e5bbe848b94b8d2cf406ac83490aa32ee33520
SHA256

99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3
SHA512

42a7f0cdd08e2d8be5d74ec53d61e346ef9c377890dc08e96941c94797e0aa26dfbd1536e3286486265e5a365886e35ee17c7c94adec2485f8541b3beb493624
SSDEEP

24576:ClHxk5TzGRg8UYRJm1AdT1omYW4q+ESaFuGN3t3LDDJKgw/40JlkQUi+5RGL/Df+:eW5mRg32VShqXDFuut7a40TWudT4

Score

10^/10

healer defense_evasion discovery dropper spyware stealer

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 4 IoCs

resource	yara_rule
behavioral2/memory/3492-45-0x00000000062A0000-0x0000000006544000-memory.dmp	healer
behavioral2/memory/3492-43-0x00000000062A0000-0x0000000006544000-memory.dmp	healer
behavioral2/memory/3492-46-0x00000000062A0000-0x0000000006544000-memory.dmp	healer
behavioral2/memory/3492-135-0x00000000062A0000-0x0000000006544000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
26	3492	99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Wine	99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3492	99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe
3492	99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
3492	99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe
3492	99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe
3492	99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe
3492	99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe
3492	99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe
3492	99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe
3492	99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe
3492	99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe
384	msedge.exe
384	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
4136	identity_helper.exe
4136	identity_helper.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 5056	3492	99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe	89
PID 3492 wrote to memory of 5056	3492	99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe	89
PID 5056 wrote to memory of 4472	5056	msedge.exe	90
PID 5056 wrote to memory of 4472	5056	msedge.exe	90
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 4028	5056	msedge.exe	91
PID 5056 wrote to memory of 384	5056	msedge.exe	92
PID 5056 wrote to memory of 384	5056	msedge.exe	92
PID 5056 wrote to memory of 4404	5056	msedge.exe	93
PID 5056 wrote to memory of 4404	5056	msedge.exe	93
PID 5056 wrote to memory of 4404	5056	msedge.exe	93
PID 5056 wrote to memory of 4404	5056	msedge.exe	93
PID 5056 wrote to memory of 4404	5056	msedge.exe	93
PID 5056 wrote to memory of 4404	5056	msedge.exe	93
PID 5056 wrote to memory of 4404	5056	msedge.exe	93
PID 5056 wrote to memory of 4404	5056	msedge.exe	93
PID 5056 wrote to memory of 4404	5056	msedge.exe	93
PID 5056 wrote to memory of 4404	5056	msedge.exe	93
PID 5056 wrote to memory of 4404	5056	msedge.exe	93
PID 5056 wrote to memory of 4404	5056	msedge.exe	93
PID 5056 wrote to memory of 4404	5056	msedge.exe	93
PID 5056 wrote to memory of 4404	5056	msedge.exe	93
PID 5056 wrote to memory of 4404	5056	msedge.exe	93
PID 5056 wrote to memory of 4404	5056	msedge.exe	93
PID 5056 wrote to memory of 4404	5056	msedge.exe	93
PID 5056 wrote to memory of 4404	5056	msedge.exe	93

C:\Users\Admin\AppData\Local\Temp\99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe
"C:\Users\Admin\AppData\Local\Temp\99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Downloads MZ/PE file
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1b0046f8,0x7ffa1b004708,0x7ffa1b004718
    3⤵
    PID:4472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,6764767835049076746,14962064492422365371,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
    3⤵
    PID:4028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,6764767835049076746,14962064492422365371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,6764767835049076746,14962064492422365371,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
    3⤵
    PID:4404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6764767835049076746,14962064492422365371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
    3⤵
    PID:4896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6764767835049076746,14962064492422365371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
    3⤵
    PID:4700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6764767835049076746,14962064492422365371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
    3⤵
    PID:4792
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,6764767835049076746,14962064492422365371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
    3⤵
    PID:4680
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,6764767835049076746,14962064492422365371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6764767835049076746,14962064492422365371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
    3⤵
    PID:4656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6764767835049076746,14962064492422365371,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
    3⤵
    PID:4280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6764767835049076746,14962064492422365371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
    3⤵
    PID:4932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6764767835049076746,14962064492422365371,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
    3⤵
    PID:3112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6764767835049076746,14962064492422365371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
    3⤵
    PID:3980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6764767835049076746,14962064492422365371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
    3⤵
    PID:5168
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,6764767835049076746,14962064492422365371,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4832 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=99f157621c990c39d06dc382f4755360c55eab77bb1a192e50aeaa18d1da6ea3.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
  2⤵
  PID:2896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1b0046f8,0x7ffa1b004708,0x7ffa1b004718
    3⤵
    PID:5108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
8198a40258a02bb7c0b94911364e7366

SHA1
c62c3f51f635630e65182988ad79f2faa32d4add

SHA256
fde57f663a9bb69b906bea31b98e12dc9a19ca7dd2b8abd70b8f2919ffedddba

SHA512
7f40f5de65ba7a6fe58caa2440b13bc6fd6ef90530648617fefee67076c261871985ef80a6aef8d180ff48bad8369296128dd24649b5708a5854d0df5623dce5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
34dc196031d8b852920cbd0b786baec4

SHA1
4926da0d56af2f073198582d634574e176d7aa63

SHA256
461e075faaebcc58455a605007256ce890c4da0c98727048c418fdd41ca6d491

SHA512
0c5f0c531cd86d3f556badaf33a936b11f016f3e07cca0b6ab58f7d41571695471c9ff9dd19f649d682e32b32e1c139fa47fe525454fefd3bccd7f7aa1184b1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d855e21d66edc266e103999f9e3e4bbc

SHA1
e8cac034f37b5c890c8a1e62e138cff9ae4d50f4

SHA256
ad9d87c2339527a2ccdde8fb7240ae3ad5dad8d1fa9416373ec1d8ec2ae02e15

SHA512
c08b161b26d13fa41c1648cb8c7441f9277df8ff44d0d56e212087632eb6723d5e147f201d6e2e0057193c7fabab9bce2dee357351cee1e652a18b5915807f8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7c0e1970177c3afce6a32bbfa6516c7f

SHA1
c7806b09e4c727394ed645e72512417d4519a579

SHA256
379e99069ad949ae1718bc015a47f9033d02362f1ab3e2fb1129c86f1c0a997f

SHA512
5085394bcc78bb06322999c16880d9469e89072f475efe1a1e93e4458c0006a5adfdac0274856c2724ec0ef70ad62f1688484b887f1023a3f40691a6672fb80e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
22bc2a0cbdfbb4d0920f370a40fb0ba2

SHA1
5ea5eea4fe16a13db118f153bad2d6860061f517

SHA256
6d58a65033d9c1f5917f64cf702f3ab684f3ff153cf25c6084adeea57bf855b7

SHA512
cca2254bcf638fe45f93a01d9cf6ee5b083dabdd12af911f6d78f4077e2dda45026496952de9e1a699c9e9eb0b913ed8de39f060eabc886b669bc6726d4d7eff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581e22.TMP

Filesize
371B

MD5
003bb0372ce14105f31f8e6839e0579f

SHA1
bcfd707ac7899438ff1480ade5b4eb5e6dea46e3

SHA256
90e26c4721e5506b1441a01af795f1e1da3daa266370aa91ecddcc739abee8a7

SHA512
9307cf478c3790cd0e85f1315abd4821fc2de169f905a0c21eb0ef0ba83aa521aa161210ee93abf02535f2f0fda4f758d6df12df53de52e8fa75ccfcb005b972

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
58d13ee934992e1a18c97de7b10183a9

SHA1
800c7a5376a15a438db286ff6facfddf7e3cca91

SHA256
c31beb917a8cc14bcf3821df3c604f704571e583d950c65b50544a28c2167060

SHA512
7b28d151ffb0f0f20c6627c706f74ce4f42cc54e6b3e191b96eebde9763e452972f693045182c3cc3fd503602d7cc6aacceb491c402a6e47c2cea1f22b481038

Download Submit
memory/3492-38-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-19-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-28-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-0-0x0000000000880000-0x0000000000D1F000-memory.dmp

Filesize
4.6MB

Download
memory/3492-41-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-40-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-39-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-37-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-36-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-35-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-44-0x0000000000880000-0x0000000000D1F000-memory.dmp

Filesize
4.6MB

Download
memory/3492-45-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-43-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-42-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-34-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-33-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-31-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-30-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-29-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-26-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-25-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-24-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-23-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-21-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-20-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-27-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-32-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-22-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-18-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-46-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-17-0x0000000000880000-0x0000000000D1F000-memory.dmp

Filesize
4.6MB

Download
memory/3492-10-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-11-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-58-0x0000000000880000-0x0000000000D1F000-memory.dmp

Filesize
4.6MB

Download
memory/3492-9-0x0000000000880000-0x0000000000D1F000-memory.dmp

Filesize
4.6MB

Download
memory/3492-82-0x0000000000880000-0x0000000000D1F000-memory.dmp

Filesize
4.6MB

Download
memory/3492-8-0x0000000000880000-0x0000000000D1F000-memory.dmp

Filesize
4.6MB

Download
memory/3492-104-0x0000000000880000-0x0000000000D1F000-memory.dmp

Filesize
4.6MB

Download
memory/3492-107-0x0000000000880000-0x0000000000D1F000-memory.dmp

Filesize
4.6MB

Download
memory/3492-7-0x0000000000880000-0x0000000000D1F000-memory.dmp

Filesize
4.6MB

Download
memory/3492-117-0x0000000000880000-0x0000000000D1F000-memory.dmp

Filesize
4.6MB

Download
memory/3492-6-0x0000000000880000-0x0000000000D1F000-memory.dmp

Filesize
4.6MB

Download
memory/3492-159-0x0000000000880000-0x0000000000D1F000-memory.dmp

Filesize
4.6MB

Download
memory/3492-135-0x00000000062A0000-0x0000000006544000-memory.dmp

Filesize
2.6MB

Download
memory/3492-5-0x0000000000880000-0x0000000000D1F000-memory.dmp

Filesize
4.6MB

Download
memory/3492-4-0x0000000000880000-0x0000000000D1F000-memory.dmp

Filesize
4.6MB

Download
memory/3492-3-0x0000000000880000-0x0000000000D1F000-memory.dmp

Filesize
4.6MB

Download
memory/3492-2-0x0000000000881000-0x00000000008AA000-memory.dmp

Filesize
164KB

Download
memory/3492-1-0x0000000077D24000-0x0000000077D26000-memory.dmp

Filesize
8KB

Download