46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172

Analysis

max time kernel
62s
max time network
74s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4.exe
Size

3.6MB
MD5

f96eb2236970fb3ea97101b923af4228
SHA1

e0eed80f1054acbf5389a7b8860a4503dd3e184a
SHA256

46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172
SHA512

2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7
SSDEEP

98304:z7m+ij9HD0+jCihNRkl/W6aG/wcKnfu8NUT6Ko:e+y4ihkl/Wo/afHPb

Score

9^/10

defense_evasion discovery persistence privilege_escalation themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6184	netsh.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 62004f00350048005300200020002d002000640000000000	4.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/3384-0-0x00007FF6401C0000-0x00007FF640B62000-memory.dmp	themida
behavioral2/memory/3384-4-0x00007FF6401C0000-0x00007FF640B62000-memory.dmp	themida
behavioral2/memory/3384-3-0x00007FF6401C0000-0x00007FF640B62000-memory.dmp	themida
behavioral2/memory/3384-2-0x00007FF6401C0000-0x00007FF640B62000-memory.dmp	themida
behavioral2/memory/3384-5-0x00007FF6401C0000-0x00007FF640B62000-memory.dmp	themida
behavioral2/memory/3384-6-0x00007FF6401C0000-0x00007FF640B62000-memory.dmp	themida
behavioral2/memory/3384-591-0x00007FF6401C0000-0x00007FF640B62000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4.exe

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
6356	cmd.exe
6376	ARP.EXE

Checks system information in the registry 2 TTPs 1 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	4.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3384	4.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 21 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4856	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 21 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	4.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	4.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "8ec19e0a-e99ea053-c"	4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion	4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "d13ddcfa-ac48bef7-3"	4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5372	ipconfig.exe
6084	ipconfig.exe
4708	ipconfig.exe

Kills process with taskkill 3 IoCs

defense_evasion

pid	Process
4008	taskkill.exe
4480	taskkill.exe
3392	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133876314920833354"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3218366390-1258052702-4267193707-1000\{289B9EE4-7C97-4E8F-A400-E4711E0606D1}	msedge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3384	4.exe
3384	4.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	4008	taskkill.exe
Token: SeDebugPrivilege	4480	taskkill.exe
Token: SeDebugPrivilege	3392	taskkill.exe
Token: SeIncreaseQuotaPrivilege	6440	WMIC.exe
Token: SeSecurityPrivilege	6440	WMIC.exe
Token: SeTakeOwnershipPrivilege	6440	WMIC.exe
Token: SeLoadDriverPrivilege	6440	WMIC.exe
Token: SeSystemProfilePrivilege	6440	WMIC.exe
Token: SeSystemtimePrivilege	6440	WMIC.exe
Token: SeProfSingleProcessPrivilege	6440	WMIC.exe
Token: SeIncBasePriorityPrivilege	6440	WMIC.exe
Token: SeCreatePagefilePrivilege	6440	WMIC.exe
Token: SeBackupPrivilege	6440	WMIC.exe
Token: SeRestorePrivilege	6440	WMIC.exe
Token: SeShutdownPrivilege	6440	WMIC.exe
Token: SeDebugPrivilege	6440	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6440	WMIC.exe
Token: SeRemoteShutdownPrivilege	6440	WMIC.exe
Token: SeUndockPrivilege	6440	WMIC.exe
Token: SeManageVolumePrivilege	6440	WMIC.exe
Token: 33	6440	WMIC.exe
Token: 34	6440	WMIC.exe
Token: 35	6440	WMIC.exe
Token: 36	6440	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6440	WMIC.exe
Token: SeSecurityPrivilege	6440	WMIC.exe
Token: SeTakeOwnershipPrivilege	6440	WMIC.exe
Token: SeLoadDriverPrivilege	6440	WMIC.exe
Token: SeSystemProfilePrivilege	6440	WMIC.exe
Token: SeSystemtimePrivilege	6440	WMIC.exe
Token: SeProfSingleProcessPrivilege	6440	WMIC.exe
Token: SeIncBasePriorityPrivilege	6440	WMIC.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3412	msedge.exe
3412	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 2324	3384	4.exe	92
PID 3384 wrote to memory of 2324	3384	4.exe	92
PID 2324 wrote to memory of 4008	2324	cmd.exe	93
PID 2324 wrote to memory of 4008	2324	cmd.exe	93
PID 3384 wrote to memory of 4856	3384	4.exe	95
PID 3384 wrote to memory of 4856	3384	4.exe	95
PID 4856 wrote to memory of 4480	4856	cmd.exe	96
PID 4856 wrote to memory of 4480	4856	cmd.exe	96
PID 3384 wrote to memory of 1828	3384	4.exe	97
PID 3384 wrote to memory of 1828	3384	4.exe	97
PID 1828 wrote to memory of 3392	1828	cmd.exe	98
PID 1828 wrote to memory of 3392	1828	cmd.exe	98
PID 3384 wrote to memory of 4008	3384	4.exe	109
PID 3384 wrote to memory of 4008	3384	4.exe	109
PID 4008 wrote to memory of 3708	4008	cmd.exe	110
PID 4008 wrote to memory of 3708	4008	cmd.exe	110
PID 3708 wrote to memory of 3412	3708	msedge.exe	112
PID 3708 wrote to memory of 3412	3708	msedge.exe	112
PID 3412 wrote to memory of 3928	3412	msedge.exe	113
PID 3412 wrote to memory of 3928	3412	msedge.exe	113
PID 3412 wrote to memory of 2592	3412	msedge.exe	114
PID 3412 wrote to memory of 2592	3412	msedge.exe	114
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115
PID 3412 wrote to memory of 400	3412	msedge.exe	115

C:\Users\Admin\AppData\Local\Temp\4.exe
"C:\Users\Admin\AppData\Local\Temp\4.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Checks system information in the registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im Battle.net.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://applecheats.cc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://applecheats.cc/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument https://applecheats.cc/
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Modifies registry class
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3412
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x2ac,0x7ffe3c0af208,0x7ffe3c0af214,0x7ffe3c0af220
        5⤵
        
        PID:3928
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1856,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=2324 /prefetch:3
        5⤵
        
        PID:2592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2292,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=2288 /prefetch:2
        5⤵
        
        PID:400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2584,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=2580 /prefetch:8
        5⤵
        
        PID:5036
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3528,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=3572 /prefetch:1
        5⤵
        
        PID:2380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3508,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:1
        5⤵
        
        PID:684
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4268,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:1
        5⤵
        
        PID:3764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4248,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:2
        5⤵
        
        PID:4756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4340,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:1
        5⤵
        
        PID:2296
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=4348,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=4528 /prefetch:2
        5⤵
        
        PID:4864
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=4264,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=4580 /prefetch:1
        5⤵
        
        PID:3276
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=4448,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=4596 /prefetch:2
        5⤵
        
        PID:3356
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=4468,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=4836 /prefetch:1
        5⤵
        
        PID:8
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=4456,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=4832 /prefetch:2
        5⤵
        
        PID:3484
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=4516,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=5348 /prefetch:1
        5⤵
        
        PID:2528
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=4584,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=4472 /prefetch:2
        5⤵
        
        PID:3328
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=5524,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=5712 /prefetch:1
        5⤵
        
        PID:5572
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=5532,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=4512 /prefetch:1
        5⤵
        
        PID:5856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=3468,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=3600 /prefetch:1
        5⤵
        
        PID:6104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5712,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=4492 /prefetch:8
        5⤵
        
        PID:5180
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4708,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=5884 /prefetch:8
        5⤵
        
        PID:2708
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6988,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=7016 /prefetch:8
        5⤵
        
        PID:5508
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6988,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=7016 /prefetch:8
        5⤵
        
        PID:5496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7280,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=7216 /prefetch:8
        5⤵
        
        PID:2324
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7528,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=7224 /prefetch:8
        5⤵
        
        PID:860
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7212,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=7436 /prefetch:8
        5⤵
        
        PID:5996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7712,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=7300 /prefetch:8
        5⤵
        
        PID:3800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7716,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=7564 /prefetch:8
        5⤵
        
        PID:5952
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7760,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=7724 /prefetch:8
        5⤵
        
        PID:5380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7768,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=7780 /prefetch:8
        5⤵
        
        PID:5824
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7772,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=7936 /prefetch:8
        5⤵
        
        PID:6064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7444,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=7456 /prefetch:8
        5⤵
        
        PID:4848
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8064,i,3561898584422128205,4957794850466386989,262144 --variations-seed-version --mojo-platform-channel-handle=8076 /prefetch:8
        5⤵
        
        PID:5988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:5556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:7112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c NETSH WINSOCK RESET >nul 2>&1
  2⤵
  PID:7128
- - C:\Windows\system32\netsh.exe
    NETSH WINSOCK RESET
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:7144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c NETSH INT IP RESET >nul 2>&1
  2⤵
  PID:6248
- - C:\Windows\system32\netsh.exe
    NETSH INT IP RESET
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:6232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall reset >nul 2>&1
  2⤵
  PID:6196
- - C:\Windows\system32\netsh.exe
    netsh advfirewall reset
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV4 RESET >nul 2>&1
  2⤵
  PID:5708
- - C:\Windows\system32\netsh.exe
    NETSH INTERFACE IPV4 RESET
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c NETSH INTERFACE IPV6 RESET >nul 2>&1
  2⤵
  PID:6064
- - C:\Windows\system32\netsh.exe
    NETSH INTERFACE IPV6 RESET
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:5876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c NETSH INTERFACE TCP RESET >nul 2>&1
  2⤵
  PID:5672
- - C:\Windows\system32\netsh.exe
    NETSH INTERFACE TCP RESET
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c NETSH INT RESET ALL >nul 2>&1
  2⤵
  PID:3572
- - C:\Windows\system32\netsh.exe
    NETSH INT RESET ALL
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:5480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE >nul 2>&1
  2⤵
  PID:5440
- - C:\Windows\system32\ipconfig.exe
    IPCONFIG /RELEASE
    3⤵
    - Gathers network information
    PID:5372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c IPCONFIG /RELEASE >nul 2>&1
  2⤵
  PID:6124
- - C:\Windows\system32\ipconfig.exe
    IPCONFIG /RELEASE
    3⤵
    - Gathers network information
    PID:6084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c IPCONFIG /FLUSHDNS >nul 2>&1
  2⤵
  PID:5988
- - C:\Windows\system32\ipconfig.exe
    IPCONFIG /FLUSHDNS
    3⤵
    - Gathers network information
    PID:4708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c NBTSTAT -R >nul 2>&1
  2⤵
  PID:6296
- - C:\Windows\system32\nbtstat.exe
    NBTSTAT -R
    3⤵
    PID:6312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c NBTSTAT -RR >nul 2>&1
  2⤵
  PID:6324
- - C:\Windows\system32\nbtstat.exe
    NBTSTAT -RR
    3⤵
    PID:6344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c arp -a >nul 2>&1
  2⤵
  - Network Service Discovery
  PID:6356
- - C:\Windows\system32\ARP.EXE
    arp -a
    3⤵
    - Network Service Discovery
    PID:6376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c arp -d >nul 2>&1
  2⤵
  PID:6392
- - C:\Windows\system32\ARP.EXE
    arp -d
    3⤵
    PID:6404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE >nul 2>&1
  2⤵
  PID:6424
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC PATH WIN32_NETWORKADAPTER WHERE PHYSICALADAPTER=TRUE CALL DISABLE
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6440

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
fed4ab68611c6ce720965bcb5dfbf546

SHA1
af33fc71721625645993be6fcba5c5852e210864

SHA256
c41acdf5d0a01d5e9720ef9f6d503099950791b6f975ba698ccd013c4defa8c4

SHA512
f9ab23b3b4052f7fda6c9a3e8cd68056f21da5d0fcf28061331900cac6f31ef081705804d9a9d4103ee7d9c9bdb6aa4237987b7e821d2d96cd52da24219e55ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
4013ebc7b496bf70ecf9f6824832d4ae

SHA1
cfdcdac5d8c939976c11525cf5e79c6a491c272a

SHA256
fb1a67bdc2761f1f9e72bbc41b6fc0bf89c068205ffd0689e4f7e2c34264b22a

SHA512
96822252f121fb358aa43d490bb5f5ce3a81c65c8de773c170f1d0e91da1e6beb83cb1fb9d4d656230344cd31c3dca51a6c421fda8e55598c364092232e0ad22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
f871aad1631d9b032239425aea598a1f

SHA1
d059cf27481229c6c9e89bb139752ff891f65d41

SHA256
c477347243cbc1ca7d44f7ddb1b333c470ba6c28b89c711134143d747c345bd2

SHA512
07350729965945e3b0d64721408ddb47a1e91449999ae3b6109c2fcc93e6398b667905a6457a8bf3de9540371fac12c39aeb62c1577b8abdc6c9e526abea1751

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
b94e4c9ea14fc6e757b4c8a3bf11ea7b

SHA1
575bfbffc32a1bffb066051277d9d19ddc6db329

SHA256
a56ea20f3a6fa162df22fb25f35cefcbed841a89b4776ba6beb287e1b5a877d2

SHA512
72fc5587a221f4b8d0df15ae0fded6352776c52d21749389f920646df634c243ab9ec20f74cc92530a11ca315afe8dbe166cfd4eb33a26cf7ad335c0c2751c28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
33KB

MD5
21e8649fc4e81f33506bbb76e0b4c7e5

SHA1
b4a9c1a4102dd9ae0998d76e2515a5837e09d952

SHA256
c2adb8a1edb95cc37ce64f1944cc3a2878c301ad112b1564a4a8c2bb677ce54b

SHA512
545f2badc5d96625ace0513510d6485a0fe2810d3dbbab6d69b71e876c50253839ac955ab6b7458f6c61f42dfc25e9e59437f54818c2d67bc7740978cb28664b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
a362b184be6fc1035543e47af28cb5a1

SHA1
7b9946553df2a75ff2cc4d200476cef80ae7324b

SHA256
ed4a7f28c23e87b91be3b3b06148b89f96817fbe6aba07d8acaba91064087b66

SHA512
d6c22738273da90d9b9154ce4a24a5dc18b7877795f891dbcabeef8a7b5be0798533c86aec8d898ba023de922f61e953b9ddf818e4e9e0444bda944596f46870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
d4bb7db4d5c61c27fd88a21f393b5708

SHA1
473f7c546b4a619ab0f9079548995b7b9134798c

SHA256
d7a237edf1bdf876b76ee258d80069f872d1bccd41fba122d9cc25264f578d48

SHA512
a45f95f478cdf5227c4470e19d5e12ec04618ab67900a4a637e56091a436e8e7e3c85bc74a7da54679656b5f8fd1d8c71b17b7924c514b4e4d28a12c08827cfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
4KB

MD5
23b49fd18941a4e6ccc41047fd958fd2

SHA1
5844c78671bbeee3af9c7f4f2690d1dfe559f171

SHA256
b4347c19d917085f6551ebd9cb1f08f0ad4a0ff4fb955847df2e056cbbf44edb

SHA512
e1260c3a3391cdc9ab91e71b219fca09e4446db7c7d8faff682818aef5787728a4c9ecd450a3c07469500ecee7d58621c2cc7e221ac3cc858cf6e38581a3c1f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
2aa326444a9c44890a450ee31e0b8f2b

SHA1
3da4a4ce2e7701c7d4032756d398a00a3494895b

SHA256
969b5be5810cd893429dd1704b9252af426ca5dd2c11f1c1b8dacaef57e4e6ce

SHA512
d1e2843dd07e97373c23cb0f226b8d2aa988fbe628f1290f3b2fbdb81cf72affe6464972a8d96020596abefdade95c7ca1baf25c6075042fde906278a79b2e4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
7012e6002f7c324db790c6059c027968

SHA1
64604982e2f31acd5f78e07eabd257ef7adf3324

SHA256
4f5ef12f3f255b23b6f435e789f3892fda2cdc25ba3ef85e79120b889a8d125f

SHA512
7a2b7de3985564c6dc430668e1c404f96e689a23540d9fa1531eca4404ab624b7fec8cc77a318e59325d3654806a065bdf04ee6a290df645851a893aec33b19b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
f8d4e34edb1c9b0e3bc1fcbd022a4750

SHA1
19eda01f4b57af032c5362a7318ecf01d4dd278b

SHA256
4fdc5c130f28a613af2af9da5a6084dd6fabe35bd793c28f25390502018b7e87

SHA512
7e98637ad33ff3c57cf1fcf29429d25200668194f8fb3b9aec84d1cc217f64659096c341ad16534ae7b988231a3e33d2b13d76e7a1611bc8339a5dd2caae7a43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
0e0f925c282ea0ef140a400eab76d293

SHA1
4ab87847998d99f19a763007b650d1b679659877

SHA256
eca519edfbd7332dc780ddd5290cec26b774d1138b94e105aa3758d220849856

SHA512
c8026274297f0d8a9340119308428d3368427caa3b5cdb040cb73e28d0e3a3002ddb4aefe9e4a03ec9e15ac38e58229dc8f6214c3f0c9601d9c4594ddd87f2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\44a77166-d179-4952-a263-87e5362a2604.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\6692b251-a1a9-4358-ad60-2ea8b1b50e8c.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3412_778307457\c5d82d50-5def-4261-a589-7e7f3ed68818.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
memory/3384-0-0x00007FF6401C0000-0x00007FF640B62000-memory.dmp

Filesize
9.6MB

Download
memory/3384-591-0x00007FF6401C0000-0x00007FF640B62000-memory.dmp

Filesize
9.6MB

Download
memory/3384-6-0x00007FF6401C0000-0x00007FF640B62000-memory.dmp

Filesize
9.6MB

Download
memory/3384-5-0x00007FF6401C0000-0x00007FF640B62000-memory.dmp

Filesize
9.6MB

Download
memory/3384-2-0x00007FF6401C0000-0x00007FF640B62000-memory.dmp

Filesize
9.6MB

Download
memory/3384-3-0x00007FF6401C0000-0x00007FF640B62000-memory.dmp

Filesize
9.6MB

Download
memory/3384-4-0x00007FF6401C0000-0x00007FF640B62000-memory.dmp

Filesize
9.6MB

Download
memory/3384-1-0x00007FFE5B050000-0x00007FFE5B052000-memory.dmp

Filesize
8KB

Download