d779b5de8ad366452553d0ebcd89df3a6ab477773dfa540db0a09f828ef25ca9

Analysis

max time kernel
51s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2022, 15:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5b300dc0c32e532403bb837b0191eed3.exe
Size

1.9MB
MD5

5b300dc0c32e532403bb837b0191eed3
SHA1

4c43517b9cc87e2f77ea66565ccc632a38e1225f
SHA256

d779b5de8ad366452553d0ebcd89df3a6ab477773dfa540db0a09f828ef25ca9
SHA512

ee52571308db81c09a1df6f0a4caf0025e3d7c7788aff9cfd21d88250a1353fcccc827c4c91fd89881de2a24a22d29e7cad08dd510cb12cb2500212d8f4ef575
SSDEEP

24576:E15J6FsxG/3/DAhWGupqf/4RCQrSQKXdUFUj33RUs3H:E15J6ex8PDb9G/vi7K2ijRUs

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
2376	Decoder.exe
3764	wfyoot.exe
1932	wfyoot.exe
4608	wfyoot.exe
4332	wfyoot.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Decoder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wfyoot.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5b300dc0c32e532403bb837b0191eed3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5b300dc0c32e532403bb837b0191eed3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2376	Decoder.exe
3764	wfyoot.exe
4332	wfyoot.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3764 set thread context of 1932	3764	wfyoot.exe	94
PID 3764 set thread context of 4608	3764	wfyoot.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2376	Decoder.exe
2376	Decoder.exe
3764	wfyoot.exe
3764	wfyoot.exe
4332	wfyoot.exe
4332	wfyoot.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 2376	5080	5b300dc0c32e532403bb837b0191eed3.exe	83
PID 5080 wrote to memory of 2376	5080	5b300dc0c32e532403bb837b0191eed3.exe	83
PID 5080 wrote to memory of 2376	5080	5b300dc0c32e532403bb837b0191eed3.exe	83
PID 2376 wrote to memory of 3764	2376	Decoder.exe	88
PID 2376 wrote to memory of 3764	2376	Decoder.exe	88
PID 2376 wrote to memory of 3764	2376	Decoder.exe	88
PID 3764 wrote to memory of 3436	3764	wfyoot.exe	92
PID 3764 wrote to memory of 3436	3764	wfyoot.exe	92
PID 3764 wrote to memory of 3436	3764	wfyoot.exe	92
PID 3764 wrote to memory of 1932	3764	wfyoot.exe	94
PID 3764 wrote to memory of 1932	3764	wfyoot.exe	94
PID 3764 wrote to memory of 1932	3764	wfyoot.exe	94
PID 3764 wrote to memory of 1932	3764	wfyoot.exe	94
PID 3764 wrote to memory of 1932	3764	wfyoot.exe	94
PID 3764 wrote to memory of 1932	3764	wfyoot.exe	94
PID 3764 wrote to memory of 1932	3764	wfyoot.exe	94
PID 3764 wrote to memory of 1932	3764	wfyoot.exe	94
PID 3764 wrote to memory of 4608	3764	wfyoot.exe	95
PID 3764 wrote to memory of 4608	3764	wfyoot.exe	95
PID 3764 wrote to memory of 4608	3764	wfyoot.exe	95
PID 3764 wrote to memory of 4608	3764	wfyoot.exe	95
PID 3764 wrote to memory of 4608	3764	wfyoot.exe	95
PID 3764 wrote to memory of 4608	3764	wfyoot.exe	95
PID 3764 wrote to memory of 4608	3764	wfyoot.exe	95
PID 3764 wrote to memory of 4608	3764	wfyoot.exe	95
PID 4608 wrote to memory of 3560	4608	wfyoot.exe	97
PID 4608 wrote to memory of 3560	4608	wfyoot.exe	97
PID 3560 wrote to memory of 904	3560	msedge.exe	98
PID 3560 wrote to memory of 904	3560	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\5b300dc0c32e532403bb837b0191eed3.exe
"C:\Users\Admin\AppData\Local\Temp\5b300dc0c32e532403bb837b0191eed3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Decoder.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Decoder.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Users\Admin\AppData\Local\Temp\5f2924b480\wfyoot.exe
    "C:\Users\Admin\AppData\Local\Temp\5f2924b480\wfyoot.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3764
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN wfyoot.exe /TR "C:\Users\Admin\AppData\Local\Temp\5f2924b480\wfyoot.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3436
  - - C:\Users\Admin\AppData\Local\Temp\5f2924b480\wfyoot.exe
      "C:\Users\Admin\AppData\Local\Temp\5f2924b480\wfyoot.exe"
      4⤵
      Executes dropped EXE
      PID:1932
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wfyoot.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        5⤵
        
        PID:3828
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9489746f8,0x7ff948974708,0x7ff948974718
        6⤵
        
        PID:4344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wfyoot.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        5⤵
        
        PID:5080
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff9489746f8,0x7ff948974708,0x7ff948974718
        6⤵
        
        PID:2628
  - - C:\Users\Admin\AppData\Local\Temp\5f2924b480\wfyoot.exe
      "C:\Users\Admin\AppData\Local\Temp\5f2924b480\wfyoot.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4608
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wfyoot.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3560
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9489746f8,0x7ff948974708,0x7ff948974718
        6⤵
        
        PID:904
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,11021304146063686634,7398135469938377516,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
        6⤵
        
        PID:3708
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,11021304146063686634,7398135469938377516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
        6⤵
        
        PID:2412
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,11021304146063686634,7398135469938377516,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
        6⤵
        
        PID:900
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11021304146063686634,7398135469938377516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
        6⤵
        
        PID:1340
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11021304146063686634,7398135469938377516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
        6⤵
        
        PID:2888
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11021304146063686634,7398135469938377516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:1
        6⤵
        
        PID:3400
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,11021304146063686634,7398135469938377516,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5160 /prefetch:8
        6⤵
        
        PID:4620
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11021304146063686634,7398135469938377516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
        6⤵
        
        PID:1492
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11021304146063686634,7398135469938377516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
        6⤵
        
        PID:4312
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11021304146063686634,7398135469938377516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
        6⤵
        
        PID:1580
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11021304146063686634,7398135469938377516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
        6⤵
        
        PID:3604
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11021304146063686634,7398135469938377516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
        6⤵
        
        PID:3584
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11021304146063686634,7398135469938377516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
        6⤵
        
        PID:1964
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,11021304146063686634,7398135469938377516,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7004 /prefetch:8
        6⤵
        
        PID:3672
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11021304146063686634,7398135469938377516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1380 /prefetch:1
        6⤵
        
        PID:3388
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,11021304146063686634,7398135469938377516,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1856 /prefetch:1
        6⤵
        
        PID:1280
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,11021304146063686634,7398135469938377516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7576 /prefetch:8
        6⤵
        
        PID:3820
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        6⤵
        
        PID:704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff728a65460,0x7ff728a65470,0x7ff728a65480
        7⤵
        
        PID:4672
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,11021304146063686634,7398135469938377516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7576 /prefetch:8
        6⤵
        
        PID:1960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=wfyoot.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        5⤵
        
        PID:1884
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9489746f8,0x7ff948974708,0x7ff948974718
        6⤵
        
        PID:1856

C:\Users\Admin\AppData\Local\Temp\5f2924b480\wfyoot.exe
C:\Users\Admin\AppData\Local\Temp\5f2924b480\wfyoot.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\5f2924b480\wfyoot.exe
C:\Users\Admin\AppData\Local\Temp\5f2924b480\wfyoot.exe
1⤵
PID:4572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F

Filesize
1KB

MD5
fccdd7010386f27bc94a82bba6081813

SHA1
ddb3dea502e7f46d3119b82e0e89d3317c0eb4c9

SHA256
d8b3ab356ebba0c37a2a6ed07119c722eadcc78f5eb7b0938665f239f3243499

SHA512
5b02a8c2aae22cd918fbe7006b4ddddd7638a828254e0d12b07e2092052b3f0f428ce8fc24018828115d9fdb790042788074d8cd77323e084f19a817022b25b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
1KB

MD5
c5d3e4a040397ee19a488ca066000682

SHA1
7b2bd5e84c90b861017b63f39cd602ca2672f41e

SHA256
fc2f1d4a9b4252d17d8ab3786741a283d3b24f6dd2344a67648a500c7c4ab768

SHA512
1f27b36c70ed12e83663636936299136bd59145574ac4e274039af57c24447903d98fe0de856ac29c59d34975b1d4a7be8bceea672a03db73d46cc35b91a6e8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
07de4b03dac47fe7ec3a2a1657bdfbc9

SHA1
d268e681f257fa11d70c9700ed9c598af02ec80c

SHA256
482f51e720d68a0b65502d4ae3dce666a5ed12b4328ff9c0bedd2cb76e1498b4

SHA512
2dc6622502b0a743e3e8eca1638813a02591891f8e705a87fbc312b090d36d366c55493da7512d1f040c9bf215c0d7d2ec14f249dc8ed953cd2ba7a966d05815

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F

Filesize
442B

MD5
1c47ae4c2c6f158b3ca5f421ffb9aee2

SHA1
f58a47da1e109bf807d6c703e2fef7a61ca1f4c9

SHA256
ade8a891ecead2e5060f2f5dcbe9651885b1b8111dc06041c34130f9406cede1

SHA512
d9e10505c465a5434e7074686a277388f849d9e0f2c7358f3eb64bf2e41c602681cc603db36ecbd8cb14b2133c7e48e23351a7ac2d68d4cc603c7ba8fec1f82f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
4cc612f6cf4c859bae292c1e72ee4551

SHA1
c5a61a476b91743b552584cc9075124c6b75ffbe

SHA256
3dbce0ec02f18ba5c7eb490bfc72cd55456af9dae25e32f447af0d7f8d5f5f6f

SHA512
d4dc325b74da1b7c84657bf26724fc7d310cb8a80d2c3393a13609615e59906220da092ac5e6d14d568c1f7583c79c1c8ff6ef4c013eed2ca57daa4e2b34905e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
8e87fdf15e190af25c6b2b01eecbd239

SHA1
4795e74b75db74dca351e5ed1c2063bc13a762b9

SHA256
a8bf96b6e2724c677d14ce425706ef71c74d52857a31e8917d7df28da1d186ce

SHA512
6a4285cbf8da3202b9b105c09a779413d478835a523f8c16819bfe7205305c21aa0e71998b14fe6f07c242929dfe7ad2640fc29981bf327b682a33c66a0aab1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1aa7e0f203b5b0b2f753567d77fbe2d9

SHA1
443937fd906e3a356a6689181b29a9e849f54209

SHA256
27f1577aa081b2222b6549e74de58ef60bf0a054c7b2a345366e6ebbf44fab8c

SHA512
ce2fff1ddfab2e82f4e8ec6b3d04405f9fb2ad07dccfdde404411de9bbc66033610ad1689316173878be9758bb822612d4a931901e1ed4bbbd41199c2885debf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1aa7e0f203b5b0b2f753567d77fbe2d9

SHA1
443937fd906e3a356a6689181b29a9e849f54209

SHA256
27f1577aa081b2222b6549e74de58ef60bf0a054c7b2a345366e6ebbf44fab8c

SHA512
ce2fff1ddfab2e82f4e8ec6b3d04405f9fb2ad07dccfdde404411de9bbc66033610ad1689316173878be9758bb822612d4a931901e1ed4bbbd41199c2885debf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
66bc9611dd085dd5e1366c94b84456cd

SHA1
613339f5891bf2c9e54ef565c54eb18be42d65fb

SHA256
27b4949b239ca2e2ce7812dd455868d97ce9c4851bb46eb0d7d5827285dd6c22

SHA512
196973df9961ef3c91af4836cabe58b6e7df8aa410867ec6769b1407eea99532faf7c6efd351d4ef81f0ab12527756fd146fbe02220c93b9ced8368bd0488be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
66bc9611dd085dd5e1366c94b84456cd

SHA1
613339f5891bf2c9e54ef565c54eb18be42d65fb

SHA256
27b4949b239ca2e2ce7812dd455868d97ce9c4851bb46eb0d7d5827285dd6c22

SHA512
196973df9961ef3c91af4836cabe58b6e7df8aa410867ec6769b1407eea99532faf7c6efd351d4ef81f0ab12527756fd146fbe02220c93b9ced8368bd0488be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f2924b480\wfyoot.exe

Filesize
228.9MB

MD5
19c8acfcd3e9de1c9bdc53fccd467b23

SHA1
afa9df1bd9462c3927e66760c0b8ab6b7c2904e9

SHA256
7f937d2d9b176ea04a493d64168fbda7623fe2bf8c4d6779795022066e8cb731

SHA512
086d17a0d6021b2716f8daacf947db02169fc3ef4383d4a736687c7627a4859602e87f4cf49541797c5c12cfe6420fad20d3aaf915e250a5250b878def4bf833

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f2924b480\wfyoot.exe

Filesize
228.6MB

MD5
6723665cc56067d4cc0369ea8dcc60f6

SHA1
9b479e31ed01dd21552c12005ac9a6354f32ad65

SHA256
dbb84130f1b51c73a1e7135654fefb0ed40a2b4dbe9fe25adfe63fccaec0f064

SHA512
a1a577b552af6af49c31edcbcc58bb6fa6d5d7a951b1d8f9e2351c3bfe87ecc3aa7fc78c79cce1bcd49b1d3f6acd3dc7e3de3884d24c797f309b2e3890bf938b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f2924b480\wfyoot.exe

Filesize
209.6MB

MD5
9a5bd794a95bec4c6f05cd465be5c840

SHA1
6f7cfae84baf5045d0c2b6927954c246259b6a9f

SHA256
c1ba3a9efab787a6e216a8bffaf7a54ebb2983ae6cf22b6b74fe521f6fa89999

SHA512
8e1614717d1b03ddec9459bbe5e4acb9e9bba1cc208d48b2b29632a701b874065b75b04d0e0a44fa2cb69bf4a7ee31440f6349e57d1d5f01ccde1cc5ca528ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f2924b480\wfyoot.exe

Filesize
203.4MB

MD5
032f8b7b963326728765c53fc94ffcfd

SHA1
60b98593c3214dafec9419fb0d87fd004f3e3b89

SHA256
88b578f843da333cd7c145a671bc580828fe20755fb5fed2e1fb127b20fffd6b

SHA512
316ebc44a45f71d45245e5ca937ff8014d6cc56242518e67be681cbc9f84facf4fa18da50c01b77a33028408d24d6cfeadcb63f6f71b832243b954eb1a797d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f2924b480\wfyoot.exe

Filesize
188.1MB

MD5
ee884e857d63d7332e8909834dd3df44

SHA1
ee2e8ee7d8d064dbeac05eefeb56c54ae2b861b0

SHA256
0ece97a298c7b19d746866c6d431e0901a09893c4d53bed8b29439548dc89e89

SHA512
6a307a0a883c33cf15081fd163c240ffeae90aff5356311ee16cda5a2b079b393d08090bd1b1066b631b6eb0d02872ede4d0e71fe41d9a4c06a82156ffb27c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f2924b480\wfyoot.exe

Filesize
76.4MB

MD5
c864a50c9dc64b4d6ea15aa73ec1965b

SHA1
dd78a6fa4d4e1ee9dea07b28dffbd9406ba91de6

SHA256
81dd0205348b2dafca9dd0b14629687a6f07415013e0388d1dab19b60b648613

SHA512
83acf97777a3b61e703c717c402927d7dfbdfabf42d79d5e0b2b0d6d21f1b1f59edde89e56fa4bebef82e312f75b26cbf0c9dcf67131f70f6df6da7ec042dfcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Decoder.exe

Filesize
361.0MB

MD5
9d0ed6a221becc03d2444cec2fd6453b

SHA1
b86f0e71be558fa94437c013f13e358d2fd05d4e

SHA256
11b44200e53a37b74c64fb1e033adf4e6d09d7246e9e196ac681d7858a5dc175

SHA512
628291ee23924f3efcc41a37cdc1945ddb63a2fe5db691dfc223055247438c08330364d8b98ed9e37c4c14a522e3018ff4472a22f19a85f0ebd1b4d7e1c4bbe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Decoder.exe

Filesize
362.0MB

MD5
a1ea83d4da9fce72ae62256d5eb54653

SHA1
b61ea8eed2bd703516a84dd8bba573a02acd138b

SHA256
8400c4f6e407e9b13d3027cb40dd11dd2f543dff11a0ba5e3c5741e8540fc380

SHA512
4dea3fd4efd65440df5dbf7b5e9ed227144f047c315b52822c1e1ccf22abc08b2e8b8ee6b2cda816f3b33b4973dbcf48b9f9a0cb9419aa56c6ac837c01287471

Download Submit
memory/1932-166-0x00000000005C0000-0x0000000000694000-memory.dmp

Filesize
848KB

Download
memory/1932-164-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2376-141-0x0000000076660000-0x0000000076875000-memory.dmp

Filesize
2.1MB

Download
memory/2376-150-0x0000000000900000-0x0000000000946000-memory.dmp

Filesize
280KB

Download
memory/2376-135-0x0000000000C70000-0x0000000000D44000-memory.dmp

Filesize
848KB

Download
memory/2376-142-0x0000000000C70000-0x0000000000D44000-memory.dmp

Filesize
848KB

Download
memory/2376-143-0x0000000000C70000-0x0000000000D44000-memory.dmp

Filesize
848KB

Download
memory/2376-136-0x0000000000900000-0x0000000000946000-memory.dmp

Filesize
280KB

Download
memory/2376-140-0x0000000000C70000-0x0000000000D44000-memory.dmp

Filesize
848KB

Download
memory/2376-137-0x0000000000C70000-0x0000000000D44000-memory.dmp

Filesize
848KB

Download
memory/2376-149-0x0000000000C70000-0x0000000000D44000-memory.dmp

Filesize
848KB

Download
memory/2376-144-0x0000000000900000-0x0000000000946000-memory.dmp

Filesize
280KB

Download
memory/2376-138-0x0000000000C70000-0x0000000000D44000-memory.dmp

Filesize
848KB

Download
memory/2376-145-0x0000000000C70000-0x0000000000D44000-memory.dmp

Filesize
848KB

Download
memory/2376-139-0x0000000000C70000-0x0000000000D44000-memory.dmp

Filesize
848KB

Download
memory/3764-155-0x00000000005C0000-0x0000000000694000-memory.dmp

Filesize
848KB

Download
memory/3764-159-0x00000000005C0000-0x0000000000694000-memory.dmp

Filesize
848KB

Download
memory/3764-151-0x00000000005C0000-0x0000000000694000-memory.dmp

Filesize
848KB

Download
memory/3764-152-0x0000000000B40000-0x0000000000B86000-memory.dmp

Filesize
280KB

Download
memory/3764-153-0x00000000005C0000-0x0000000000694000-memory.dmp

Filesize
848KB

Download
memory/3764-154-0x00000000005C0000-0x0000000000694000-memory.dmp

Filesize
848KB

Download
memory/3764-157-0x00000000005C0000-0x0000000000694000-memory.dmp

Filesize
848KB

Download
memory/3764-158-0x0000000076660000-0x0000000076875000-memory.dmp

Filesize
2.1MB

Download
memory/3764-183-0x00000000005C0000-0x0000000000694000-memory.dmp

Filesize
848KB

Download
memory/3764-160-0x00000000005C0000-0x0000000000694000-memory.dmp

Filesize
848KB

Download
memory/3764-162-0x00000000005C0000-0x0000000000694000-memory.dmp

Filesize
848KB

Download
memory/3764-170-0x00000000005C0000-0x0000000000694000-memory.dmp

Filesize
848KB

Download
memory/3764-171-0x0000000000B40000-0x0000000000B86000-memory.dmp

Filesize
280KB

Download
memory/3764-172-0x00000000005C0000-0x0000000000694000-memory.dmp

Filesize
848KB

Download
memory/4332-177-0x00000000005C0000-0x0000000000694000-memory.dmp

Filesize
848KB

Download
memory/4332-178-0x0000000076660000-0x0000000076875000-memory.dmp

Filesize
2.1MB

Download
memory/4332-176-0x00000000005C0000-0x0000000000694000-memory.dmp

Filesize
848KB

Download
memory/4332-174-0x00000000005C0000-0x0000000000694000-memory.dmp

Filesize
848KB

Download
memory/4332-175-0x00000000005C0000-0x0000000000694000-memory.dmp

Filesize
848KB

Download
memory/4332-179-0x00000000005C0000-0x0000000000694000-memory.dmp

Filesize
848KB

Download
memory/4332-180-0x0000000002190000-0x00000000021D6000-memory.dmp

Filesize
280KB

Download
memory/4572-228-0x00000000005C0000-0x0000000000694000-memory.dmp

Filesize
848KB

Download
memory/4572-227-0x00000000005C0000-0x0000000000694000-memory.dmp

Filesize
848KB

Download
memory/4572-229-0x00000000005C0000-0x0000000000694000-memory.dmp

Filesize
848KB

Download
memory/4572-233-0x00000000020E0000-0x0000000002126000-memory.dmp

Filesize
280KB

Download
memory/4572-232-0x00000000005C0000-0x0000000000694000-memory.dmp

Filesize
848KB

Download
memory/4572-231-0x0000000076660000-0x0000000076875000-memory.dmp

Filesize
2.1MB

Download
memory/4572-230-0x00000000005C0000-0x0000000000694000-memory.dmp

Filesize
848KB

Download
memory/4608-168-0x0000000000400000-0x00000000005BC000-memory.dmp

Filesize
1.7MB

Download