Malware analysis https://massgrave.dev/ Malicious activity

Add for printing

URL:	https://massgrave.dev/
Full analysis:	https://app.any.run/tasks/1c0d29f7-96ca-4715-87ec-14d25be23142
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	January 16, 2025, 11:11:33
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	reflection loader
Indicators:
MD5:	5C95876F594CFFB1178B8861F8C741E0
SHA1:	4F3DD1555BACB0851AD877F9B40BD8DCC884A71D
SHA256:	6019AF861964CFB41AE5A5FE576ACA4521AFBA41255E5C636B1F53DFA0B6BE7F
SSDEEP:	3:N8a0Kn:2a0K

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Gets or sets the security protocol (POWERSHELL)
  - powershell.exe (PID: 6012)
- Executing commands from ".cmd" file
  - powershell.exe (PID: 6012)
  - cmd.exe (PID: 7204)
  - powershell.exe (PID: 6076)
  - cmd.exe (PID: 3848)
  - powershell.exe (PID: 5628)
  - cmd.exe (PID: 7516)
- Starts CMD.EXE for commands execution
  - powershell.exe (PID: 6012)
  - cmd.exe (PID: 5092)
  - cmd.exe (PID: 7204)
  - powershell.exe (PID: 6076)
  - cmd.exe (PID: 1796)
  - cmd.exe (PID: 3848)
  - powershell.exe (PID: 5628)
  - cmd.exe (PID: 7332)
  - cmd.exe (PID: 7516)
- Gets content of a file (POWERSHELL)
  - powershell.exe (PID: 6012)
  - powershell.exe (PID: 4708)
  - powershell.exe (PID: 7296)
  - powershell.exe (PID: 8000)
  - powershell.exe (PID: 4076)
  - powershell.exe (PID: 8056)
  - powershell.exe (PID: 5028)
  - powershell.exe (PID: 3832)
- Uses base64 encoding (POWERSHELL)
  - powershell.exe (PID: 6012)
  - powershell.exe (PID: 4708)
  - powershell.exe (PID: 7296)
  - powershell.exe (PID: 8000)
  - powershell.exe (PID: 4076)
  - powershell.exe (PID: 8056)
  - powershell.exe (PID: 5028)
  - powershell.exe (PID: 3832)
- Windows service management via SC.EXE
  - sc.exe (PID: 7364)
  - sc.exe (PID: 4528)
  - sc.exe (PID: 3508)
  - sc.exe (PID: 8068)
  - sc.exe (PID: 6972)
  - sc.exe (PID: 5532)
  - sc.exe (PID: 7544)
  - sc.exe (PID: 7484)
  - sc.exe (PID: 7368)
  - sc.exe (PID: 4804)
  - sc.exe (PID: 8000)
  - sc.exe (PID: 4824)
  - sc.exe (PID: 4076)
  - sc.exe (PID: 7736)
  - sc.exe (PID: 7704)
  - sc.exe (PID: 2992)
  - sc.exe (PID: 7088)
  - sc.exe (PID: 6972)
  - sc.exe (PID: 2136)
  - sc.exe (PID: 7104)
  - sc.exe (PID: 3896)
  - sc.exe (PID: 7720)
  - sc.exe (PID: 3888)
- Creates new GUID (POWERSHELL)
  - powershell.exe (PID: 6012)
- Using 'findstr.exe' to search for text patterns in files and output
  - cmd.exe (PID: 7204)
  - cmd.exe (PID: 3848)
  - cmd.exe (PID: 7516)
  - cmd.exe (PID: 3060)
  - cmd.exe (PID: 7568)
  - cmd.exe (PID: 6216)
  - cmd.exe (PID: 1448)
  - cmd.exe (PID: 836)
  - cmd.exe (PID: 4716)
- Starts SC.EXE for service management
  - cmd.exe (PID: 7204)
  - cmd.exe (PID: 3848)
  - cmd.exe (PID: 7516)
- Application launched itself
  - cmd.exe (PID: 7204)
  - cmd.exe (PID: 5092)
  - cmd.exe (PID: 3848)
  - cmd.exe (PID: 1796)
  - cmd.exe (PID: 7332)
  - cmd.exe (PID: 7516)
  - powershell.exe (PID: 7316)
  - powershell.exe (PID: 7144)
  - powershell.exe (PID: 7932)
  - powershell.exe (PID: 1016)
- Probably obfuscated PowerShell command line is found
  - cmd.exe (PID: 8060)
  - cmd.exe (PID: 3208)
  - cmd.exe (PID: 5200)
  - cmd.exe (PID: 7516)
  - cmd.exe (PID: 5592)
  - cmd.exe (PID: 7332)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 8060)
  - cmd.exe (PID: 7204)
  - cmd.exe (PID: 3208)
  - cmd.exe (PID: 3848)
  - cmd.exe (PID: 5200)
  - cmd.exe (PID: 7516)
  - cmd.exe (PID: 5268)
  - cmd.exe (PID: 7948)
  - cmd.exe (PID: 4716)
  - powershell.exe (PID: 7144)
  - cmd.exe (PID: 5592)
  - cmd.exe (PID: 7436)
  - cmd.exe (PID: 5192)
  - cmd.exe (PID: 8060)
  - cmd.exe (PID: 7332)
  - powershell.exe (PID: 7316)
  - cmd.exe (PID: 7136)
  - powershell.exe (PID: 7932)
  - cmd.exe (PID: 4076)
  - cmd.exe (PID: 2756)
  - cmd.exe (PID: 1616)
  - cmd.exe (PID: 4628)
  - cmd.exe (PID: 624)
  - cmd.exe (PID: 1620)
  - cmd.exe (PID: 6372)
  - cmd.exe (PID: 7552)
  - cmd.exe (PID: 7116)
  - cmd.exe (PID: 5964)
  - cmd.exe (PID: 7892)
  - cmd.exe (PID: 7840)
  - cmd.exe (PID: 5080)
  - cmd.exe (PID: 3080)
  - cmd.exe (PID: 5848)
  - powershell.exe (PID: 1016)
- Possibly malicious use of IEX has been detected
  - cmd.exe (PID: 8060)
  - cmd.exe (PID: 3208)
  - cmd.exe (PID: 5200)
  - cmd.exe (PID: 7516)
  - cmd.exe (PID: 5592)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 7516)
  - cmd.exe (PID: 7568)
- Uses WMIC.EXE to obtain computer system information
  - cmd.exe (PID: 3560)
  - cmd.exe (PID: 4308)
  - cmd.exe (PID: 7516)
  - cmd.exe (PID: 6252)
  - cmd.exe (PID: 7612)
- Hides command output
  - cmd.exe (PID: 5696)
  - cmd.exe (PID: 1760)
  - cmd.exe (PID: 3060)
  - cmd.exe (PID: 5592)
  - cmd.exe (PID: 5028)
  - cmd.exe (PID: 4128)
  - cmd.exe (PID: 7436)
  - cmd.exe (PID: 2408)
  - cmd.exe (PID: 2232)
  - cmd.exe (PID: 3816)
  - cmd.exe (PID: 5192)
  - cmd.exe (PID: 5092)
  - cmd.exe (PID: 3688)
  - cmd.exe (PID: 8180)
  - cmd.exe (PID: 7032)
  - cmd.exe (PID: 8168)
  - cmd.exe (PID: 7528)
  - cmd.exe (PID: 3656)
  - cmd.exe (PID: 8060)
  - cmd.exe (PID: 1616)
  - cmd.exe (PID: 8072)
  - cmd.exe (PID: 4624)
  - cmd.exe (PID: 3552)
  - cmd.exe (PID: 7408)
  - cmd.exe (PID: 1876)
  - cmd.exe (PID: 7568)
  - cmd.exe (PID: 7148)
  - cmd.exe (PID: 6776)
  - cmd.exe (PID: 7332)
  - cmd.exe (PID: 1356)
  - cmd.exe (PID: 4392)
  - cmd.exe (PID: 7032)
  - cmd.exe (PID: 7792)
  - cmd.exe (PID: 3816)
  - cmd.exe (PID: 3832)
  - cmd.exe (PID: 7472)
  - cmd.exe (PID: 7136)
  - cmd.exe (PID: 7716)
  - cmd.exe (PID: 6216)
  - cmd.exe (PID: 4264)
  - cmd.exe (PID: 1228)
  - cmd.exe (PID: 7648)
  - cmd.exe (PID: 6056)
  - cmd.exe (PID: 5684)
  - cmd.exe (PID: 1348)
  - cmd.exe (PID: 5544)
  - cmd.exe (PID: 5588)
  - cmd.exe (PID: 904)
  - cmd.exe (PID: 6256)
  - cmd.exe (PID: 5004)
  - cmd.exe (PID: 3544)
  - cmd.exe (PID: 4640)
  - cmd.exe (PID: 2356)
  - cmd.exe (PID: 1192)
  - cmd.exe (PID: 7488)
  - cmd.exe (PID: 836)
  - cmd.exe (PID: 7876)
  - cmd.exe (PID: 7308)
  - cmd.exe (PID: 7748)
  - cmd.exe (PID: 4156)
  - cmd.exe (PID: 5788)
  - cmd.exe (PID: 7932)
  - cmd.exe (PID: 7520)
  - cmd.exe (PID: 4716)
  - cmd.exe (PID: 6056)
  - cmd.exe (PID: 3060)
  - cmd.exe (PID: 1328)
- Uses WMIC.EXE to obtain operating system information
  - cmd.exe (PID: 5696)
- Detects reflection assembly loader (YARA)
  - powershell.exe (PID: 5628)
- The process hides Powershell's copyright startup banner
  - powershell.exe (PID: 7316)
  - powershell.exe (PID: 7144)
  - powershell.exe (PID: 7932)
  - powershell.exe (PID: 1016)
- The process bypasses the loading of PowerShell profile settings
  - powershell.exe (PID: 7316)
  - powershell.exe (PID: 7144)
  - powershell.exe (PID: 7932)
  - powershell.exe (PID: 1016)
- Uses WMIC.EXE to obtain Windows Installer data
  - cmd.exe (PID: 7516)
  - cmd.exe (PID: 2408)
  - cmd.exe (PID: 8168)
  - cmd.exe (PID: 1616)
  - cmd.exe (PID: 3832)
  - cmd.exe (PID: 1228)
  - cmd.exe (PID: 7648)
  - cmd.exe (PID: 5544)
- Get information on the list of running processes
  - cmd.exe (PID: 3060)
  - cmd.exe (PID: 7516)
- Uses WMIC.EXE to obtain service application data
  - cmd.exe (PID: 7516)
- Writes data into a file (POWERSHELL)
  - powershell.exe (PID: 5028)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 5028)
  - Dism.exe (PID: 3208)
  - Dism.exe (PID: 3640)
- Returns all items found within a container (POWERSHELL)
  - powershell.exe (PID: 7468)
- Starts a Microsoft application from unusual location
  - DismHost.exe (PID: 8108)
  - DismHost.exe (PID: 7560)
INFO
- Manual execution by a user
  - powershell.exe (PID: 6012)
- Gets a random number, or selects objects randomly from a collection (POWERSHELL)
  - powershell.exe (PID: 6012)
  - powershell.exe (PID: 4708)
  - powershell.exe (PID: 7296)
  - powershell.exe (PID: 8000)
  - powershell.exe (PID: 4076)
  - powershell.exe (PID: 8056)
  - powershell.exe (PID: 5028)
  - powershell.exe (PID: 3832)
- Reads the computer name
  - identity_helper.exe (PID: 7948)
- Checks whether the specified file exists (POWERSHELL)
  - powershell.exe (PID: 6012)
  - powershell.exe (PID: 4708)
  - powershell.exe (PID: 7296)
  - powershell.exe (PID: 8000)
  - powershell.exe (PID: 4076)
  - powershell.exe (PID: 8056)
  - powershell.exe (PID: 5028)
  - powershell.exe (PID: 3832)
- Converts byte array into ASCII string (POWERSHELL)
  - powershell.exe (PID: 6012)
  - powershell.exe (PID: 4708)
  - powershell.exe (PID: 7296)
  - powershell.exe (PID: 8000)
  - powershell.exe (PID: 4076)
  - powershell.exe (PID: 8056)
  - powershell.exe (PID: 5028)
  - powershell.exe (PID: 3832)
- Checks current location (POWERSHELL)
  - powershell.exe (PID: 6012)
- Checks operating system version
  - cmd.exe (PID: 7204)
  - cmd.exe (PID: 3848)
  - cmd.exe (PID: 7516)
- Application launched itself
  - msedge.exe (PID: 5464)
- Starts MODE.COM to configure console settings
  - mode.com (PID: 8108)
  - mode.com (PID: 7028)
  - mode.com (PID: 5028)
  - mode.com (PID: 8044)
  - mode.com (PID: 7776)
  - mode.com (PID: 4120)
  - mode.com (PID: 7976)
  - mode.com (PID: 7488)
  - mode.com (PID: 4120)
  - mode.com (PID: 2804)
  - mode.com (PID: 7808)
  - mode.com (PID: 1796)
  - mode.com (PID: 5916)
  - mode.com (PID: 1792)
- Checks supported languages
  - mode.com (PID: 8108)
  - identity_helper.exe (PID: 7948)
  - mode.com (PID: 5028)
  - mode.com (PID: 8044)
- Reads security settings of Internet Explorer
  - WMIC.exe (PID: 8036)
- Reads Environment values
  - identity_helper.exe (PID: 7948)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 5880)
- The sample compiled with english language support
  - powershell.exe (PID: 5028)
  - msedge.exe (PID: 3724)
  - Dism.exe (PID: 3208)
  - Dism.exe (PID: 3640)
- Executable content was dropped or overwritten
  - msedge.exe (PID: 3724)
- Returns hidden items found within a container (POWERSHELL)
  - conhost.exe (PID: 7780)
  - conhost.exe (PID: 8068)
- Sends debugging messages
  - DismHost.exe (PID: 8108)
  - DismHost.exe (PID: 7560)
  - Dism.exe (PID: 3640)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 7216)
  - powershell.exe (PID: 1916)
  - powershell.exe (PID: 648)
  - powershell.exe (PID: 8020)
  - powershell.exe (PID: 5404)
  - powershell.exe (PID: 7148)
  - powershell.exe (PID: 3152)
  - powershell.exe (PID: 4708)
  - powershell.exe (PID: 4128)
  - powershell.exe (PID: 7404)
  - powershell.exe (PID: 7720)
  - powershell.exe (PID: 7684)
  - powershell.exe (PID: 8140)
  - powershell.exe (PID: 3680)
  - powershell.exe (PID: 8120)
- Converts byte array into Unicode string (POWERSHELL)
  - powershell.exe (PID: 1916)
  - powershell.exe (PID: 8020)
  - powershell.exe (PID: 7148)
  - powershell.exe (PID: 4128)
  - powershell.exe (PID: 3152)
  - powershell.exe (PID: 7720)
  - powershell.exe (PID: 8140)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

1 129

Monitored processes

982

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

C:\WINDOWS\System32\cmd.exe /S /D /c" echo "-Professional2019Retail- " "

C:\Windows\System32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

236

find /i "-PersonalPipcRetail-"

C:\Windows\System32\find.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Find String (grep) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll

236

C:\WINDOWS\System32\cmd.exe /S /D /c" echo "-Professional2019Retail- " "

C:\Windows\System32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

308

cmd /c exit /b 0

C:\Windows\System32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

308

find /i "436366de-5579-4f24-96db-3893e4400030"

C:\Windows\System32\find.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Find String (grep) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll

440

C:\WINDOWS\System32\cmd.exe /S /D /c" echo "0" "

C:\Windows\System32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

520

C:\WINDOWS\System32\cmd.exe /S /D /c" echo "-Professional2019Retail- " "

C:\Windows\System32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

520

C:\WINDOWS\System32\cmd.exe /S /D /c" echo " ProfessionalEducation ProfessionalWorkstation Education ProfessionalCountrySpecific ProfessionalSingleLanguage ServerRdsh IoTEnterprise Enterprise " "

C:\Windows\System32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

520

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5656 --field-trial-handle=2364,i,6719803875575739907,14745645754763322564,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

524

find /i "-ProPlus2021Volume-"

C:\Windows\System32\find.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Find String (grep) Utility

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll

Add for printing

Total events

253 527

Read events

253 495

Write events

Delete events

Modification events


(PID) Process:	(5464) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(5464) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(5464) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(5464) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(5464) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: 03561B24678A2F00
(PID) Process:	(5464) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: A6B02324678A2F00
(PID) Process:	(5464) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\262916
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {D688B358-B4A0-495D-9DBD-20141D2C6464}
(PID) Process:	(5464) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\262916
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {6434148F-1120-4704-9D73-BA7AD6757D2D}
(PID) Process:	(5464) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\262916
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {6DDD882A-7B8C-42FD-8900-B94775D60E39}
(PID) Process:	(5464) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\262916
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {9BE948A4-2712-446A-8DE9-958ED7296240}

Add for printing

Executable files

112

Suspicious files

525

Text files

213

Unknown types

Dropped files

PID	Process	Filename		Type
5464	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF135084.TMP		—
		MD5:—	SHA256:—
5464	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF135094.TMP		—
		MD5:—	SHA256:—
5464	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
5464	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
5464	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF135084.TMP		—
		MD5:—	SHA256:—
5464	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1350a4.TMP		—
		MD5:—	SHA256:—
5464	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
5464	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF1350a4.TMP		—
		MD5:—	SHA256:—
5464	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old		—
		MD5:—	SHA256:—
5464	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5892	svchost.exe	GET	200	23.48.23.177:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5892	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2496	backgroundTaskHost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D	unknown	—	—	whitelisted
5536	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7900	svchost.exe	HEAD	200	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1737475196&P2=404&P3=2&P4=BaUhM1iys0GHIFUt8vjA%2bNDhoASehIVlfjqmA3%2frWR9LSPO%2ftCx2pBtuLcYPdFhn8KrG6gy1sD%2fzjhcfk8MT%2bQ%3d%3d	unknown	—	—	whitelisted
5536	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7900	svchost.exe	GET	206	199.232.214.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/9b9f8fb4-8a65-41e4-bda3-5416858f0aeb?P1=1737475196&P2=404&P3=2&P4=BaUhM1iys0GHIFUt8vjA%2bNDhoASehIVlfjqmA3%2frWR9LSPO%2ftCx2pBtuLcYPdFhn8KrG6gy1sD%2fzjhcfk8MT%2bQ%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5892	svchost.exe	23.48.23.177:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5892	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
5064	SearchApp.exe	2.23.227.215:443	www.bing.com	Ooredoo Q.S.C.	QA	whitelisted
5064	SearchApp.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
5464	msedge.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6468	msedge.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158 4.231.128.59	whitelisted
crl.microsoft.com	23.48.23.177 23.48.23.167 23.48.23.194	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
google.com	142.250.184.238	whitelisted
www.bing.com	2.23.227.215 2.23.227.221 2.23.227.208	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
massgrave.dev	172.67.201.171 104.21.22.3	unknown
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
edge-mobile-static.azureedge.net	13.107.246.45	whitelisted

Threats

No threats detected

Add for printing

Process	Message
Dism.exe	PID=3208 TID=7300 Initializing a provider store for the LOCAL session type. - CDISMProviderStore::Final_OnConnect
Dism.exe	PID=3208 TID=7300 Instantiating the Provider Store. - CDISMImageSession::get_ProviderStore
Dism.exe	PID=3208 TID=7300 Provider has not previously been encountered. Attempting to initialize the provider. - CDISMProviderStore::Internal_GetProvider
Dism.exe	PID=3208 TID=7300 Loading Provider from location C:\Windows\System32\Dism\LogProvider.dll - CDISMProviderStore::Internal_GetProvider
Dism.exe	PID=3208 TID=7300 Attempting to initialize the logger from the Image Session. - CDISMProviderStore::Final_OnConnect
Dism.exe	PID=3208 TID=7300 Connecting to the provider located at C:\Windows\System32\Dism\LogProvider.dll. - CDISMProviderStore::Internal_LoadProvider
DismHost.exe	PID=8108 TID=536 Encountered a loaded provider DISMLogger. - CDISMProviderStore::Internal_DisconnectProvider
DismHost.exe	PID=8108 TID=536 Disconnecting Provider: DISMLogger - CDISMProviderStore::Internal_DisconnectProvider
DismHost.exe	PID=8108 TID=536 Disconnecting the provider store - CDISMImageSession::Final_OnDisconnect
Dism.exe	PID=3208 TID=7300 Encountered a loaded provider DISMLogger. - CDISMProviderStore::Internal_DisconnectProvider

General Info

https://massgrave.dev/

5C95876F594CFFB1178B8861F8C741E0

4F3DD1555BACB0851AD877F9B40BD8DCC884A71D

6019AF861964CFB41AE5A5FE576ACA4521AFBA41255E5C636B1F53DFA0B6BE7F

3:N8a0Kn:2a0K

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Gets or sets the security protocol (POWERSHELL)

Executing commands from ".cmd" file

Starts CMD.EXE for commands execution

Gets content of a file (POWERSHELL)

Uses base64 encoding (POWERSHELL)

Windows service management via SC.EXE

Creates new GUID (POWERSHELL)

Using 'findstr.exe' to search for text patterns in files and output

Starts SC.EXE for service management

Application launched itself

Probably obfuscated PowerShell command line is found

Starts POWERSHELL.EXE for commands execution

Possibly malicious use of IEX has been detected

Uses REG/REGEDIT.EXE to modify registry

Uses WMIC.EXE to obtain computer system information

Hides command output

Uses WMIC.EXE to obtain operating system information

Detects reflection assembly loader (YARA)

The process hides Powershell's copyright startup banner

The process bypasses the loading of PowerShell profile settings

Uses WMIC.EXE to obtain Windows Installer data

Get information on the list of running processes

Uses WMIC.EXE to obtain service application data

Writes data into a file (POWERSHELL)

Executable content was dropped or overwritten

Returns all items found within a container (POWERSHELL)

Starts a Microsoft application from unusual location

INFO

Manual execution by a user

Gets a random number, or selects objects randomly from a collection (POWERSHELL)

Reads the computer name

Checks whether the specified file exists (POWERSHELL)

Converts byte array into ASCII string (POWERSHELL)

Checks current location (POWERSHELL)

Checks operating system version

Application launched itself

Starts MODE.COM to configure console settings

Checks supported languages

Reads security settings of Internet Explorer

Reads Environment values

Checks if a key exists in the options dictionary (POWERSHELL)

The sample compiled with english language support

Executable content was dropped or overwritten

Returns hidden items found within a container (POWERSHELL)

Sends debugging messages

Script raised an exception (POWERSHELL)

Converts byte array into Unicode string (POWERSHELL)

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information