Analysis
-
max time kernel
107s -
max time network
111s -
platform
windows11-21h2_x64 -
resource
win11-20250410-en -
resource tags
-
submitted
21/04/2025, 09:28
General
-
Target
SDK/Assemblies/ru/Microsoft.SqlServer.Management.Collector.xml
-
Size
75KB
-
MD5
af5f85be422b5b0552d5a484039a521d
-
SHA1
50ee75d16eb1f3cf49c285bfd632d6445b769e9e
-
SHA256
7a5a288d52896d3a0dc0cb042053ff9fe2a78004e3e43c4ccdb01dcbff7fbb14
-
SHA512
4081df501f27392d1a3c8186345e9a482f09c9cc4e834a7ac0b4bf64fb873c5e14fd078a92f98a1459fc0b8b1a25f0ea122bbab88befb5782e2e8f95f2692abe
-
SSDEEP
384:lHt8VMjPLDHWva72+yggjXVpV349xZ9VE8i:lN5LW2i
Malware Config
Signatures
-
Drops file in Windows directory 11 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 29 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\SDK\Assemblies\ru\Microsoft.SqlServer.Management.Collector.xml"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\SDK\Assemblies\ru\Microsoft.SqlServer.Management.Collector.xml2⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" -- "file:///C:/Users/Admin/AppData/Local/Temp/SDK/Assemblies/ru/Microsoft.SqlServer.Management.Collector.xml"3⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2e0,0x2f4,0x7ffaf70cf208,0x7ffaf70cf214,0x7ffaf70cf2204⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1832,i,6867309914897441796,5137753631795636408,262144 --variations-seed-version --mojo-platform-channel-handle=2220 /prefetch:114⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2184,i,6867309914897441796,5137753631795636408,262144 --variations-seed-version --mojo-platform-channel-handle=2180 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2456,i,6867309914897441796,5137753631795636408,262144 --variations-seed-version --mojo-platform-channel-handle=1412 /prefetch:134⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3416,i,6867309914897441796,5137753631795636408,262144 --variations-seed-version --mojo-platform-channel-handle=3368 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=2720,i,6867309914897441796,5137753631795636408,262144 --variations-seed-version --mojo-platform-channel-handle=3468 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3408,i,6867309914897441796,5137753631795636408,262144 --variations-seed-version --mojo-platform-channel-handle=4744 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4716,i,6867309914897441796,5137753631795636408,262144 --variations-seed-version --mojo-platform-channel-handle=4912 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5536,i,6867309914897441796,5137753631795636408,262144 --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:144⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.execookie_exporter.exe --cookie-json=11285⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5692,i,6867309914897441796,5137753631795636408,262144 --variations-seed-version --mojo-platform-channel-handle=5716 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5692,i,6867309914897441796,5137753631795636408,262144 --variations-seed-version --mojo-platform-channel-handle=5716 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5720,i,6867309914897441796,5137753631795636408,262144 --variations-seed-version --mojo-platform-channel-handle=5744 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5704,i,6867309914897441796,5137753631795636408,262144 --variations-seed-version --mojo-platform-channel-handle=5776 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5712,i,6867309914897441796,5137753631795636408,262144 --variations-seed-version --mojo-platform-channel-handle=5996 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5820,i,6867309914897441796,5137753631795636408,262144 --variations-seed-version --mojo-platform-channel-handle=5980 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5588,i,6867309914897441796,5137753631795636408,262144 --variations-seed-version --mojo-platform-channel-handle=3248 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4992,i,6867309914897441796,5137753631795636408,262144 --variations-seed-version --mojo-platform-channel-handle=5540 /prefetch:144⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5896,i,6867309914897441796,5137753631795636408,262144 --variations-seed-version --mojo-platform-channel-handle=5776 /prefetch:144⤵
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start2⤵
-
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
280B
MD59e4597d6e9951c90f605fa4a330843b2
SHA1c9a4c72aba3b9584e03d0db43aee91e51094c369
SHA256272d838982199dc905b6eea7f57fc331c216efacab7d865cf427fa4972aff009
SHA512adbf3948d11ce019ee5a0e8971b7b08567c7a3de742e03274ae0bd868f64f4d09e93e91e38681b34eb017af7d4708e5484b776b9b3828715d05f35621423fe05
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
107KB
MD52b66d93c82a06797cdfd9df96a09e74a
SHA15f7eb526ee8a0c519b5d86c845fea8afd15b0c28
SHA256d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954
SHA51295e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5
-
Filesize
2KB
MD5822fdc9d131b99612027597f89d1ce54
SHA1ee560ebdace16ba587f5ea51d139eefad7bf8201
SHA256aa419e7a47c0a4b3efc752005eafc1ce06818a7b6bf4db52c5a66b2986b8eb6a
SHA51225c01186f30ca5b6b5403115c7170553781f9f0063e9aaaa3a0af8de8c549081922a97ac17e0075b58b067f5553a6c925dc8a9066a996ee2c5d919d6cfe1fbd2
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
Filesize
15KB
MD53da1abe0e0cfce85976d55cdcb82cded
SHA12df5c44b8cdb447d955691364e396c2ac255a21a
SHA256f72336ceebd5fc5a443b4d72cf08d297e122f2c377dd9494aca749810dbfb5cd
SHA512044a29fff4340fdff2f4ac38bbc95835c8517eddc6c215f7c1832bab573d624746bb01a3f88ae9d1c509823a889f5675b06f0e986448400d56449d748f6e2d9f
-
Filesize
37KB
MD5194a8cb9c9805397d1ef598da01e2f40
SHA1f1b2521be50faf88590ca062a051051bfc70c7e5
SHA256d5f6c11e3e4c1639319f5d7a11f26188fd5daf0215541b5a50550582915fd15e
SHA512d5f0df46e0609289fcd514085c6ac94cb7491a3da3ecfe870854958236da142c78c673a2434ae0f93653f8669bc4eaf366ed8d9a796673e7b47ff1f469d73dea
-
Filesize
22KB
MD5c52ef26fd5ff1287b0f06f87098c55a3
SHA1c2ca8ab108c645549c3d49afd692a9eaf8718214
SHA256a47177b68bfd0926095438679370512deb2e24224510bec7acd002230373301e
SHA5123e26d81f1f8ea79cfe60d9420a98be14c53db8db2264bc19a50a4edc68569e6e5eed6a4b4adba5302203583318135c553928651cb83d993e72e75e7b583eb7da
-
Filesize
467B
MD537cc641a992313c3d8f19855a4a0fc17
SHA1b799264f262845c3220606de5ee61086319e851a
SHA256e2d3ae15d095fcbb0575663d0d15268d85a0ec5ff1b2cd417b3b8ccc4201786e
SHA5123158b38f0c55e7f3ac7400e2309e0aafc2c398b7aafd0a0f05865e70f82a2bcabdbd05991df0a0144f4df3fc43f6378377103e9c35d40426a5d578828e28ee5c
-
Filesize
900B
MD599a688aaeae8d076128be0d4cde58bec
SHA1e2ba69761b1ad64b213f5c7762ba18883730eef7
SHA2564891f9bb238b97c497e34e3efb8c583159388f3c16a8fe24cf56c3076c051d59
SHA512b4d1f146ac2bcfb22e1f45fbe3fa75f547a1d0ac3eaad256aa3cc2ea2129154f760e107be2523cc8030f646303919e0c39982b706280919ed1014206535044a1
-
Filesize
20KB
MD534f211c762262f9399ff3ec9b4873b8d
SHA16c5f27a5ed3ebe94c1079191ac477afd31432f2f
SHA256cf8fe21123ec032146ec5f80ec42b35dd0068e292c97dfda331285f58c7ce2bc
SHA512dbef5a4593ccf3d37c9e55f296bc3dd0f845e5d00b83957b4f7cec3eb66f7e39b6136c0c2e0febbbb1e656cc06444596c9bc5c798398c1fe01af1deea3edac58
-
Filesize
22KB
MD53f8927c365639daa9b2c270898e3cf9d
SHA1c8da31c97c56671c910d28010f754319f1d90fa6
SHA256fc80d48a732def35ab6168d8fd957a6f13f3c912d7f9baf960c17249e4a9a1f2
SHA512d75b93f30989428883cb5e76f6125b09f565414cf45d59053527db48c6cf2ac7f54ed9e8f6a713c855cd5d89531145592ef27048cf1c0f63d7434cfb669dbd72
-
Filesize
40KB
MD5fc38b608e0db7b5181890f410d3bb65d
SHA1b37f9393d895ab5084e70fe91a43f85fe3ef043f
SHA256e5ad7d980a93d9498fe38952ebff49e514d2b586c39b8879434e88b3040c3fdd
SHA512e487cafcf4d5bac75ecfe27a6e7d946aac8aec4fed82a459d1a86f8862b58966ab70639769722dae98b9c9fe54919cc47a02c3a0c02f3b8719236a8bfa2ed402
-
Filesize
41KB
MD580c4bde2d024b8fef9ea1ee334628416
SHA15e990f56975e60b030f725ccac0c6fc18bdd6208
SHA256caf08c38750771440559e7b9fa9f5799f8681598fb48bc8c7f4cf3649f16c833
SHA5120011e4a28df7f5c424e32f8318d07b49745b881254c089fb610d7ebbcc1ba6296e8be19e7bb2fc0f45152edc64f09e7625ccae9fd9c7d3325b7c3e8cfc4e5cf5
-
Filesize
49KB
MD52709349d16c4621535d78137c3045980
SHA17c3ee5af1f0ddbda724bb29efd8d2ef4ce5e07d5
SHA256eacc4e91412ab131fc854a613a5b6576ac2cc56cb04f2e97ddb0f8f4f797cc06
SHA5121e6fdb5957781f011e8bf408458822cebe84cde893be86bbbb272dd28d5d642efe31615993263614c011519384cc96dc44c161fdeef296681836e84cb580896a
-
Filesize
54KB
MD5ac88a45151cc7274ffdf7a3113aeec9c
SHA18fdc03f29bd5a887ce672463fba86ea814179c58
SHA256585f83cb10e566da842149bd83238f2d76a571cd6781f3f15a6b2e0e8ee6a686
SHA5122217a958ff10979d68b269d45315096685db27b570dfe8dd1bdfc5e70088154a6fb2a8f10077208c400a6dc8be67865d7c9c1b4a1b8a1e91612d6d3570a3fc65
-
Filesize
176B
MD56607494855f7b5c0348eecd49ef7ce46
SHA12c844dd9ea648efec08776757bc376b5a6f9eb71
SHA25637c30639ea04878b9407aecbcea4848b033e4548d5023ce5105ea79cab2c68dd
SHA5128cb60725d958291b9a78c293992768cb03ff53ab942637e62eb6f17d80e0864c56a9c8ccafbc28246e9ce1fdb248e8d071d76764bcaf0243397d0f0a62b4d09a
-
Filesize
1KB
MD5ee002cb9e51bb8dfa89640a406a1090a
SHA149ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2
SHA2563dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b
SHA512d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c
-
Filesize
85B
MD5c3419069a1c30140b77045aba38f12cf
SHA111920f0c1e55cadc7d2893d1eebb268b3459762a
SHA256db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f
SHA512c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB