eab5f974ec202f9576335f50646b1a7e6725557b1227b8f96ecc889c15498905

Analysis

max time kernel
100s
max time network
125s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09-02-2025 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HVCI/MbixMY.exe
Size

19.7MB
MD5

09e04205ee2e4b53e2bbaa249baf2598
SHA1

05da5d90f8bbca7fc3999da1bd9e2b0e11de0197
SHA256

60afe971d2f46a4ccf942b83c666a2f8a88927fea173fa99f227348f65cadcb0
SHA512

d5393035d8507cf51168873970ae76da51113f411bb3b1998ff73307d5ed4ea979fe4d61fd88db12d81c47ce815987f239762cc683b10dd749201c0c8c7ba2b5
SSDEEP

393216:lDahR5qGWQrGH+ipoatUWIDqBuH7iUFmO9BHq12s1T5oL34UMqt:lDapqGWe1bauqBXSmO7HQDtG0qt

Score

9^/10

defense_evasion discovery themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MbixMY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DN5nSj.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MbixMY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DN5nSj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DN5nSj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MbixMY.exe

Executes dropped EXE 1 IoCs

pid	Process
2100	DN5nSj.exe

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral7/memory/4056-3-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral7/memory/4056-4-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral7/memory/4056-5-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral7/memory/4056-6-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral7/files/0x000d000000027bc8-9.dat	themida
behavioral7/memory/4056-11-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral7/memory/2100-14-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral7/memory/2100-13-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral7/memory/2100-15-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral7/memory/2100-16-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral7/memory/2100-17-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral7/memory/2100-45-0x0000000140000000-0x0000000143226000-memory.dmp	themida
behavioral7/memory/2100-48-0x0000000140000000-0x0000000143226000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MbixMY.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DN5nSj.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4056	MbixMY.exe
2100	DN5nSj.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4344	MicrosoftEdgeUpdate.exe
1752	MicrosoftEdgeUpdate.exe
3504	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
232	WMIC.exe
232	WMIC.exe
232	WMIC.exe
232	WMIC.exe
1868	WMIC.exe
1868	WMIC.exe
1868	WMIC.exe
1868	WMIC.exe
708	WMIC.exe
708	WMIC.exe
708	WMIC.exe
708	WMIC.exe
5036	WMIC.exe
5036	WMIC.exe
5036	WMIC.exe
5036	WMIC.exe
4892	WMIC.exe
4892	WMIC.exe
4892	WMIC.exe
4892	WMIC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4056	MbixMY.exe
Token: SeDebugPrivilege	2100	DN5nSj.exe
Token: SeIncreaseQuotaPrivilege	232	WMIC.exe
Token: SeSecurityPrivilege	232	WMIC.exe
Token: SeTakeOwnershipPrivilege	232	WMIC.exe
Token: SeLoadDriverPrivilege	232	WMIC.exe
Token: SeSystemProfilePrivilege	232	WMIC.exe
Token: SeSystemtimePrivilege	232	WMIC.exe
Token: SeProfSingleProcessPrivilege	232	WMIC.exe
Token: SeIncBasePriorityPrivilege	232	WMIC.exe
Token: SeCreatePagefilePrivilege	232	WMIC.exe
Token: SeBackupPrivilege	232	WMIC.exe
Token: SeRestorePrivilege	232	WMIC.exe
Token: SeShutdownPrivilege	232	WMIC.exe
Token: SeDebugPrivilege	232	WMIC.exe
Token: SeSystemEnvironmentPrivilege	232	WMIC.exe
Token: SeRemoteShutdownPrivilege	232	WMIC.exe
Token: SeUndockPrivilege	232	WMIC.exe
Token: SeManageVolumePrivilege	232	WMIC.exe
Token: 33	232	WMIC.exe
Token: 34	232	WMIC.exe
Token: 35	232	WMIC.exe
Token: 36	232	WMIC.exe
Token: SeIncreaseQuotaPrivilege	232	WMIC.exe
Token: SeSecurityPrivilege	232	WMIC.exe
Token: SeTakeOwnershipPrivilege	232	WMIC.exe
Token: SeLoadDriverPrivilege	232	WMIC.exe
Token: SeSystemProfilePrivilege	232	WMIC.exe
Token: SeSystemtimePrivilege	232	WMIC.exe
Token: SeProfSingleProcessPrivilege	232	WMIC.exe
Token: SeIncBasePriorityPrivilege	232	WMIC.exe
Token: SeCreatePagefilePrivilege	232	WMIC.exe
Token: SeBackupPrivilege	232	WMIC.exe
Token: SeRestorePrivilege	232	WMIC.exe
Token: SeShutdownPrivilege	232	WMIC.exe
Token: SeDebugPrivilege	232	WMIC.exe
Token: SeSystemEnvironmentPrivilege	232	WMIC.exe
Token: SeRemoteShutdownPrivilege	232	WMIC.exe
Token: SeUndockPrivilege	232	WMIC.exe
Token: SeManageVolumePrivilege	232	WMIC.exe
Token: 33	232	WMIC.exe
Token: 34	232	WMIC.exe
Token: 35	232	WMIC.exe
Token: 36	232	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1868	WMIC.exe
Token: SeSecurityPrivilege	1868	WMIC.exe
Token: SeTakeOwnershipPrivilege	1868	WMIC.exe
Token: SeLoadDriverPrivilege	1868	WMIC.exe
Token: SeSystemProfilePrivilege	1868	WMIC.exe
Token: SeSystemtimePrivilege	1868	WMIC.exe
Token: SeProfSingleProcessPrivilege	1868	WMIC.exe
Token: SeIncBasePriorityPrivilege	1868	WMIC.exe
Token: SeCreatePagefilePrivilege	1868	WMIC.exe
Token: SeBackupPrivilege	1868	WMIC.exe
Token: SeRestorePrivilege	1868	WMIC.exe
Token: SeShutdownPrivilege	1868	WMIC.exe
Token: SeDebugPrivilege	1868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1868	WMIC.exe
Token: SeRemoteShutdownPrivilege	1868	WMIC.exe
Token: SeUndockPrivilege	1868	WMIC.exe
Token: SeManageVolumePrivilege	1868	WMIC.exe
Token: 33	1868	WMIC.exe
Token: 34	1868	WMIC.exe
Token: 35	1868	WMIC.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 2100	4056	MbixMY.exe	86
PID 4056 wrote to memory of 2100	4056	MbixMY.exe	86
PID 4056 wrote to memory of 4820	4056	MbixMY.exe	87
PID 4056 wrote to memory of 4820	4056	MbixMY.exe	87
PID 4820 wrote to memory of 2372	4820	cmd.exe	89
PID 4820 wrote to memory of 2372	4820	cmd.exe	89
PID 2100 wrote to memory of 1888	2100	DN5nSj.exe	90
PID 2100 wrote to memory of 1888	2100	DN5nSj.exe	90
PID 1888 wrote to memory of 232	1888	cmd.exe	92
PID 1888 wrote to memory of 232	1888	cmd.exe	92
PID 2100 wrote to memory of 8	2100	DN5nSj.exe	94
PID 2100 wrote to memory of 8	2100	DN5nSj.exe	94
PID 8 wrote to memory of 1868	8	cmd.exe	96
PID 8 wrote to memory of 1868	8	cmd.exe	96
PID 2100 wrote to memory of 2480	2100	DN5nSj.exe	98
PID 2100 wrote to memory of 2480	2100	DN5nSj.exe	98
PID 2480 wrote to memory of 708	2480	cmd.exe	100
PID 2480 wrote to memory of 708	2480	cmd.exe	100
PID 2100 wrote to memory of 2736	2100	DN5nSj.exe	101
PID 2100 wrote to memory of 2736	2100	DN5nSj.exe	101
PID 2736 wrote to memory of 5036	2736	cmd.exe	103
PID 2736 wrote to memory of 5036	2736	cmd.exe	103
PID 2100 wrote to memory of 560	2100	DN5nSj.exe	105
PID 2100 wrote to memory of 560	2100	DN5nSj.exe	105
PID 560 wrote to memory of 4892	560	cmd.exe	107
PID 560 wrote to memory of 4892	560	cmd.exe	107

C:\Users\Admin\AppData\Local\Temp\HVCI\MbixMY.exe
"C:\Users\Admin\AppData\Local\Temp\HVCI\MbixMY.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Users\Admin\AppData\Local\Temp\HVCI\DN5nSj.exe
  "DN5nSj.exe" -R
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c wmic csproduct get uuid
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:232
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c wmic BIOS get Manufacturer
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic BIOS get Manufacturer
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1868
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c wmic BIOS get SMBIOSBIOSVersion
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic BIOS get SMBIOSBIOSVersion
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:708
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c wmic BIOS get ReleaseDate
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic BIOS get ReleaseDate
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5036
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c wmic BIOS get Version
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic BIOS get Version
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4892
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\HVCI\MbixMY.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:2372

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDk3NjBDQkEtMzIwMi00QUMxLTkwOUQtMDg2QTU1QkQyMzgxfSIgdXNlcmlkPSJ7NEY1NUEzODgtQjhDQy00RTlBLUJCQjgtNUI1N0FGMjBCN0U4fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NzFEQ0M3N0QtRkFDQS00ODU5LTg5NEMtNTQ2MENBMUJGQkY3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1NDk2IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM0MDc5NzUxNDQwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTAyNTUwODIzMSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4344

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "2848" "1200" "1104" "1204" "0" "0" "0" "0" "0" "0" "0" "0"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:2516

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDk3NjBDQkEtMzIwMi00QUMxLTkwOUQtMDg2QTU1QkQyMzgxfSIgdXNlcmlkPSJ7NEY1NUEzODgtQjhDQy00RTlBLUJCQjgtNUI1N0FGMjBCN0U4fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntFNTc5RUE1MC03QzU4LTRGQUYtQUE0Qy1FNTIxQ0ZFOEIzRUN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ0LjQ1MjkiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxMjUiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkyLjAuOTAyLjY3IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM0OTM0Ij48ZXZlbnQgZXZlbnR0eXBlPSIzMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iNCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTA0MTQ0NTgxMCIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1752

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDk3NjBDQkEtMzIwMi00QUMxLTkwOUQtMDg2QTU1QkQyMzgxfSIgdXNlcmlkPSJ7NEY1NUEzODgtQjhDQy00RTlBLUJCQjgtNUI1N0FGMjBCN0U4fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InswMDA4QkYyOS1CMjA1LTRCRDAtOTI5RC1FQkMxOUM2NjY0QkR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ0LjQ1MjkiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxMjUiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xOTUuNDMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBjb2hvcnQ9InJyZkAwLjk1Ij48dXBkYXRlY2hlY2svPjxwaW5nIHI9IjIiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0iezYxOUNFRDFCLTUyNDEtNEY4Ni1CMkY3LTc4QUU4N0QwNjI0Q30iLz48L2FwcD48YXBwIGFwcGlkPSJ7NTZFQjE4RjgtQjAwOC00Q0JELUI2RDItOEM5N0ZFN0U5MDYyfSIgdmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMiIgY29ob3J0PSJycmZAMC45NiIgb29iZV9pbnN0YWxsX3RpbWU9IjE4NDQ2NzQ0MDczNzA5NTUxNjA2IiB1cGRhdGVfY291bnQ9IjEiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM4MzQxMzk1NTQ3Mjk2MjAiPjx1cGRhdGVjaGVjay8-PHBpbmcgYWN0aXZlPSIxIiBhPSIyIiByPSIyIiBhZD0iNjYxMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7NDY1NzAzRDUtOTkyMy00NTFCLUE2OEYtREUzREI5QzU0NDIzfSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjIiIGluc3RhbGxkYXRlPSI2NjA4IiBjb2hvcnQ9InJyZkAwLjI2Ij48dXBkYXRlY2hlY2svPjxwaW5nIHI9IjIiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0iezE5QTExQUFCLTZBQTctNEQ3RS05RTJCLTQxOUU3ODFCMEJBOX0iLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
433KB

MD5
6ae0dc30979a953918e47707b14fa15e

SHA1
86c3f07dc84787bc32c416fdedcb788bc1086c09

SHA256
d1883361af145e166927086e71683a8658161802cf682ff3db5a169363ed8363

SHA512
f23ba3aa9614905f0a4831f4588c3b2880f04c65372b56c2c73675973ece897d1dd8ea87afa9c3776575fc3cb81c5df43a65ec5ff012e10c8e1f353a829d5688

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
458KB

MD5
0ef3e0dd8b0cdea70deb149d04b9e898

SHA1
5f88f278e6c7a4e9c822c393ff2d6af812403393

SHA256
abfc12a070c855e4f690f4673319f8f549d389b85bef8d3e431ae6f270edcc7f

SHA512
84d4c80425d49639cef60872cf5ffbf17d056f9db7e293b74d8ef4889432ebc4cc8bdcd468838f2dd008ebddd6be34bf4673ff3654d3324ecca5d0646c6a86b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\HVCI\Config.ini

Filesize
367B

MD5
7454df6cd0d28e81275ed4280bb78f3a

SHA1
2dcf07cabfd953c685fa6f2aae7d71eec33adee8

SHA256
767cba75d23ddcf7822abac7461053f3ddcc315ebe5974d31e7a2a8ac574c15f

SHA512
2bbb290f41909c1b0c4657cd385b896b0ae57041cd34e6204c6d3b61f0e42a49e2a72cd4d94296b93cd2ec49d2edf1ee2d2946045dceabdc58a8f293bca6378a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HVCI\DN5nSj.exe

Filesize
19.7MB

MD5
835d3dc34bf9c765945ce234e708e876

SHA1
7558eeb46601363632482e84572374943cd18990

SHA256
5f441e7a49faae14ccdc70bc571adaead7d109f9c75be2565747eda985888680

SHA512
9b744fc31f19f64aaeca217ddd1198b3a75b04002c4042fccd70d40dfbd44fe12f1604267522d74ca718b4e1884bc129adcedde2a19ebe6386b71188db325ba8

Download Submit
memory/2100-14-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/2100-17-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/2100-48-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/2100-45-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/2100-16-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/2100-15-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/2100-13-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/4056-0-0x00007FF99021B000-0x00007FF99021C000-memory.dmp

Filesize
4KB

Download
memory/4056-11-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/4056-12-0x00007FF990200000-0x00007FF9902BD000-memory.dmp

Filesize
756KB

Download
memory/4056-5-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/4056-3-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/4056-2-0x00007FF990200000-0x00007FF9902BD000-memory.dmp

Filesize
756KB

Download
memory/4056-4-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download
memory/4056-1-0x00007FF990200000-0x00007FF9902BD000-memory.dmp

Filesize
756KB

Download
memory/4056-6-0x0000000140000000-0x0000000143226000-memory.dmp

Filesize
50.1MB

Download