Analysis
-
max time kernel
100s -
max time network
99s -
platform
windows11-21h2_x64 -
resource
win11-20250410-en -
resource tags
-
submitted
21/04/2025, 09:28
General
-
Target
SDK/Assemblies/ru/Microsoft.SqlServer.DmfSqlClrWrapper.xml
-
Size
1KB
-
MD5
cc99959805117ad3f6c38a7cd91d7779
-
SHA1
f4a49c09588cc0a0b0618fcb76f47cd082f0b59f
-
SHA256
a85e832209133d641ea1d4ab163a7e1e4d98af4bfeb2f87b8a1887835e3ec7c3
-
SHA512
c77f6ca0fb434f977099d9a5aad97ad60c533a2a03bb12057fce559375f28e34bb016baa746fc6cc0781ff3350bbb219c59cf2ad0e6ff38ba9dd63986989f156
Malware Config
Signatures
-
Drops file in Windows directory 11 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 29 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\SDK\Assemblies\ru\Microsoft.SqlServer.DmfSqlClrWrapper.xml"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\SDK\Assemblies\ru\Microsoft.SqlServer.DmfSqlClrWrapper.xml2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" -- "file:///C:/Users/Admin/AppData/Local/Temp/SDK/Assemblies/ru/Microsoft.SqlServer.DmfSqlClrWrapper.xml"3⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x36c,0x7fff2dc3f208,0x7fff2dc3f214,0x7fff2dc3f2204⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1776,i,6009472272788982664,6868782867746378651,262144 --variations-seed-version --mojo-platform-channel-handle=2220 /prefetch:114⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2184,i,6009472272788982664,6868782867746378651,262144 --variations-seed-version --mojo-platform-channel-handle=2180 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2552,i,6009472272788982664,6868782867746378651,262144 --variations-seed-version --mojo-platform-channel-handle=2704 /prefetch:134⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3376,i,6009472272788982664,6868782867746378651,262144 --variations-seed-version --mojo-platform-channel-handle=3444 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3384,i,6009472272788982664,6868782867746378651,262144 --variations-seed-version --mojo-platform-channel-handle=3460 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3352,i,6009472272788982664,6868782867746378651,262144 --variations-seed-version --mojo-platform-channel-handle=4896 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3380,i,6009472272788982664,6868782867746378651,262144 --variations-seed-version --mojo-platform-channel-handle=4924 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5640,i,6009472272788982664,6868782867746378651,262144 --variations-seed-version --mojo-platform-channel-handle=5588 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5792,i,6009472272788982664,6868782867746378651,262144 --variations-seed-version --mojo-platform-channel-handle=5804 /prefetch:144⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.execookie_exporter.exe --cookie-json=11325⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5848,i,6009472272788982664,6868782867746378651,262144 --variations-seed-version --mojo-platform-channel-handle=5872 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5848,i,6009472272788982664,6868782867746378651,262144 --variations-seed-version --mojo-platform-channel-handle=5872 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=732,i,6009472272788982664,6868782867746378651,262144 --variations-seed-version --mojo-platform-channel-handle=6028 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5920,i,6009472272788982664,6868782867746378651,262144 --variations-seed-version --mojo-platform-channel-handle=6024 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5908,i,6009472272788982664,6868782867746378651,262144 --variations-seed-version --mojo-platform-channel-handle=6080 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5204,i,6009472272788982664,6868782867746378651,262144 --variations-seed-version --mojo-platform-channel-handle=5024 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5580,i,6009472272788982664,6868782867746378651,262144 --variations-seed-version --mojo-platform-channel-handle=6272 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6272,i,6009472272788982664,6868782867746378651,262144 --variations-seed-version --mojo-platform-channel-handle=6280 /prefetch:144⤵
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start2⤵
-
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
280B
MD5978d790ea9bbd3b3113b1d32773304fa
SHA161c9b3724e684c2a0507d7c9ae294e668e6c6e58
SHA25636c686a276e904607d2a18c2a2fc54467fb8dc1698607f5d5a6cefb75aa513c8
SHA512d50740255d20d2a5e6abdc78f4fe9ef6e832f2ffe9ecc200916a73db1e0dd37d67d88996b315e128bf5b77bb110e4e8c29905aa5d90b83019be2cc8127d0dfc5
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
107KB
MD52b66d93c82a06797cdfd9df96a09e74a
SHA15f7eb526ee8a0c519b5d86c845fea8afd15b0c28
SHA256d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954
SHA51295e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5
-
Filesize
2KB
MD54bda99eacc7940f10a535a50448094f6
SHA186375de5b59298a9434877ae4073b55b7347d635
SHA256fd327f987054aa2abfc2d40fa2f39de95a773771558963919f6de306cf528daa
SHA512eb62f52798a2e47a9fb609f275d4a6d4e95b103725ca7791d6b39acebcab92d27c5b1e111e63b015c6c0b914d9f16f3eb34e10956a1f53cbf63f99f657c0cb5e
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
Filesize
15KB
MD5059972acc48ef5f76d3a3ed52cc10fc1
SHA13f2fedd49d6a7a68c84800df18f1a91d9677b784
SHA256b5767e9a08a35b4a16ad3c9b7a4e7f960b7240c11fce05035d45dbe456f42a77
SHA512e8427a79b52cdb297abc03cc86845db0c33ea63a04ef3c00cec9fdad8cd2c0d62863330b3f86485460ff1a34ef3364b29527a124963710471393365e30cf3a56
-
Filesize
37KB
MD553825a8ec65b1ae9500fbad5a9ba625a
SHA12859727c024ef294a56740baf7a38fd48b4473e3
SHA256fbc54a31a0eebed7a7a1fca3dbe6ef49f8c33c2c7988819b942a7d2e4c96d860
SHA5121cfda62b3c9dea1abce1b47a2472793b5658a0fd0a25119c3a4db5dd2bb945a910be13295d5149e18d60e2dee7139fa25ac0f60204fd3ce926143d9030c66707
-
Filesize
22KB
MD5520f7183a8b60f6b1342ea567d46f514
SHA1286521855fd5ee940e3a9d52fd8fc53eae846b45
SHA2566730b3d753d9a4e3d93e6ee330aa1b22092182efe984de56ebff14bf3ff5f6ab
SHA512da05732c0ba370fe772203fa670883e1a78b421622b428f023aab69da1f3a0a88a6500576df9f93b4f61e41aedeae68891d0302f373169edd49dbba9638fb793
-
Filesize
467B
MD57762e417ff2f43bad1f7bd5e7e2a2749
SHA16b4ba69953f7280ce4aefd0a7ee94a736a051342
SHA2565b9f6cfcfb04bf241895742f294a5a571a7213f3315daf2a8f4e00abba46ef0d
SHA5129c3b80d7f25e9cc323546a846588746f7d3533b06636508818a88ee65de9314797708c1cfbac53e4bf9aa4575bec0bec0df16f130973f1733181b4baf122bbff
-
Filesize
20KB
MD500bcc5b583ad09f5b7b50781f2264442
SHA1aa31025a9374fd07bfb5c10a5873bdcdd6599ed6
SHA2562fe8216ab0658ec0a71309586961edc9afab595410cb17a0050043bfc2a0ec3a
SHA5120fc647f05f68c8ca056f3fca0d064ef043a906b942f0c205d98582811308f0a203e0108fbb694d6b53f8c4f40145fd4690d154a1c16954b9aedcedeaa90d11f6
-
Filesize
900B
MD551256729202dca76bdec3cd49e2a15c0
SHA19178c765a086504fcfc5370aa8bba6071474da9d
SHA256fcecb56d21bd4680cf0030c18968b0cb9a45e5e77247d37717b072ba6707695d
SHA5124b97c286011cb21477095796e7c47bfa917ce2f927998d6dc594ff6173294934c7022087a5c934d5255b29003dd99cc84a2a4517ebf3ca2910b90217d2676b48
-
Filesize
22KB
MD53f8927c365639daa9b2c270898e3cf9d
SHA1c8da31c97c56671c910d28010f754319f1d90fa6
SHA256fc80d48a732def35ab6168d8fd957a6f13f3c912d7f9baf960c17249e4a9a1f2
SHA512d75b93f30989428883cb5e76f6125b09f565414cf45d59053527db48c6cf2ac7f54ed9e8f6a713c855cd5d89531145592ef27048cf1c0f63d7434cfb669dbd72
-
Filesize
40KB
MD5f768c5efc8d7c78bb796fa13f8677f4e
SHA1400bfdc4e5705064c240d3d0d2ce3b79d26716c2
SHA256a57bfafacc6f800063c4d303c2cb8f4c2b6761c3e21e560b7861f9959621932b
SHA512bc83b51fb629948fe68e7beb8e59a45d83d5465e2a1eb7e349058e4b1dc85eb04b3194be1683bff1810b35f8d50c4865c2b4fc93c0e5bcdac188c7592b0195c6
-
Filesize
49KB
MD597773a1a8df7d56963482a307a3c4684
SHA1690fa18c01cc8531f42b4e5eebdb42f26b980606
SHA25675725fc7155d168e8632b44b460e522f64df5227fdf4413c1f70276cc4554e08
SHA512951905dbb4a901726f26c0743e6b4d3978eeb5c5284933a5c87639292e51a83a048e4ec2405bd51fd964c68efd3809e9fddb7ba0b8a3d3fec240d5707e7e0a18
-
Filesize
49KB
MD506aa41723fddf6ebeee98acaa132d085
SHA1fac4c9b670dc0e81723b6c0e7cd9c25fdd7a847c
SHA2560f1a95cbf29939e9d7688a4cc7595736ebd50ad8bfab69a07ec1de32f42806b1
SHA5129876101af6c9f245b663911df35a4be9a26393e00aece4d6adc880aaf9cfb6795ca20e36b108ac0030b4553febec0c25d762f068891c9737094112d5338c15c6
-
Filesize
54KB
MD569541e0c72957da094239db78716a0e9
SHA108109f6180c85abbc4a63ecd89251da405ac24e1
SHA2569a43132e9325f1d150ee05802c521eba5979e2f5d49f0134c81a8de14375e75a
SHA5126308f50145182ea0d2ceee3936d399a07fbb530a407d41401783f15199c608b41eb82b563ddb83fb4917c697239c7e29f3bc1a8d2efea54c15c5eef7fea4307a
-
Filesize
12B
MD5085a334bdb7c8e27b7d925a596bfc19a
SHA11e4ad53dc335af5c6a8da2e4b4a175f37fafe2f2
SHA256f51a7acfffec56d6751561966d947d3fd199b74528c07dabdcf5fcb33d5b2e85
SHA512c883cb43c97a136825c6fd143f539210c234c66f9b76dfd8431f6ff014094e20b9410d7462aadee2344df8ca158def6b9a807e7cadbdfa947f6f8592e7283e34
-
Filesize
176B
MD56607494855f7b5c0348eecd49ef7ce46
SHA12c844dd9ea648efec08776757bc376b5a6f9eb71
SHA25637c30639ea04878b9407aecbcea4848b033e4548d5023ce5105ea79cab2c68dd
SHA5128cb60725d958291b9a78c293992768cb03ff53ab942637e62eb6f17d80e0864c56a9c8ccafbc28246e9ce1fdb248e8d071d76764bcaf0243397d0f0a62b4d09a
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB