Analysis
- Max time kernel: 158s
- Max time network: 174s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220812-de
- Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-de, locale:de-de, os:windows10-2004-x64, system:windows
- Submitted: 03-11-2022 16:57
Behavioral tasks
- behavioral1: sample 7z2201-x64.exe, resource win10v2004-20220812-de
- behavioral2: sample Firefox Setup 106.0.4.exe, resource win10v2004-20220812-de
- behavioral3: sample SumatraPDF-3.4.6-64-install.exe, resource win10v2004-20220812-de
- behavioral4: sample TB_Free_Installer_20221103.100000.exe, resource win10v2004-20220812-de
- behavioral5: sample XnViewMP-win-x64.exe, resource win10v2004-20220812-de
- behavioral6: sample avast_one_free_antivirus.exe, resource win10v2004-20220812-de
- behavioral7: sample torbrowser-install-win64-11.5.6_en-US.exe, resource win10v2004-20220812-de
- behavioral8: sample vlc-3.0.17.4-win32.exe, resource win10v2004-20220812-de
General
- Target: XnViewMP-win-x64.exe
- Size: 67.1MB
- MD5: d4b3a362d7cc155027e24bd613147de5
- SHA1: 496fcd1b9384301cb182b308af741ea950cd0b7d
- SHA256: 2c272ab3bff4e10f12e2a1644be5526ebf98817f76762f5305eb8400edb25c3b
- SHA512: 0ea612d43097eeb3c01947c5c9532318e95448adbb9e78a8a87165a05a284ebccb4ce3742897e4adb8139839c177e6dcb76662dd3a18d31603b5bfbb6811b978
- SSDEEP: 1572864:ywAYNNlYmWK8FFHBbXcOaGh/P0Khw4JPIe1:PNdCbMM/PhhUe1
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid / process:
    2520 XnViewMP-win-x64.tmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / process:
    Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run (msedge.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (64 IoCs)
  description / ioc / process:
    File created C:\Program Files\XnViewMP\is-BGAEQ.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\AddOn\Masks\is-A4I67.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\UI\icons-48\is-4CP7D.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\UI\icons-48\is-110GG.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\UI\icons-48\is-FNJUQ.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\UI\icons-48\is-HI24E.tmp (XnViewMP-win-x64.tmp)
    File opened for modification C:\Program Files\XnViewMP\Qt5CoreXn.dll (XnViewMP-win-x64.tmp)
    File opened for modification C:\Program Files\XnViewMP\plugins\libflif.dll (XnViewMP-win-x64.tmp)
    File opened for modification C:\Program Files\XnViewMP\AddOn\exiftool.exe (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\is-V28EG.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\AddOn\clut\is-C2KVH.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\language\is-DGETH.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\UI\is-89GJQ.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\UI\icons-48\is-HBB0V.tmp (XnViewMP-win-x64.tmp)
    File opened for modification C:\Program Files\XnViewMP\icuuc65.dll (XnViewMP-win-x64.tmp)
    File opened for modification C:\Program Files\XnViewMP\api-ms-win-crt-private-l1-1-0.dll (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\AddOn\Masks\is-39UID.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\plugins\is-DVJ8T.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\UI\icons-48\is-S0DLJ.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\is-2FEJR.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\is-J329L.tmp (XnViewMP-win-x64.tmp)
    File opened for modification C:\Program Files\XnViewMP\api-ms-win-crt-math-l1-1-0.dll (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\is-TSNSS.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\is-A9Q3H.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\AddOn\clut\is-93R8O.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\plugins\is-V92CL.tmp (XnViewMP-win-x64.tmp)
    File opened for modification C:\Program Files\XnViewMP\Qt5MultimediaWidgetsXn.dll (XnViewMP-win-x64.tmp)
    File opened for modification C:\Program Files\XnViewMP\api-ms-win-core-datetime-l1-1-0.dll (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\UI\icons-48\is-J5V44.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\UI\icons-48\is-8TJGQ.tmp (XnViewMP-win-x64.tmp)
    File opened for modification C:\Program Files\XnViewMP\vcruntime140_1.dll (XnViewMP-win-x64.tmp)
    File opened for modification C:\Program Files\XnViewMP\api-ms-win-crt-stdio-l1-1-0.dll (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\is-NCJKO.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\AddOn\clut\is-913OP.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\AddOn\clut\is-1VKVS.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\AddOn\clut\is-673AH.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\language\is-QV2N1.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\is-IQ4H9.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\is-E1IK7.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\AddOn\is-FI398.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\FileIcons\is-O1R0F.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\plugins\is-3DTP8.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\UI\icons-48\is-U2T9V.tmp (XnViewMP-win-x64.tmp)
    File opened for modification C:\Program Files\XnViewMP\Qt5QmlModelsXn.dll (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\AddOn\Masks\is-41GN6.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\is-KC6N6.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\AddOn\clut\is-CPGRG.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\UI\is-B8DIV.tmp (XnViewMP-win-x64.tmp)
    File opened for modification C:\Program Files\XnViewMP\api-ms-win-core-errorhandling-l1-1-0.dll (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\is-9M202.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\AddOn\Masks\is-TG8O9.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\language\is-6CULD.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\UI\icons-48\is-E31GK.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\UI\icons-48\is-35LKQ.tmp (XnViewMP-win-x64.tmp)
    File opened for modification C:\Program Files\XnViewMP\vcruntime140.dll (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\is-0N9UE.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2251f5bb-70f0-449c-8adf-f53c32e8fcbe.tmp (setup.exe)
    File opened for modification C:\Program Files\XnViewMP\plugins\mediaservice\dsengine.dll (XnViewMP-win-x64.tmp)
    File opened for modification C:\Program Files\XnViewMP\plugins\libde265.dll (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\UI\icons-48\is-QT4PP.tmp (XnViewMP-win-x64.tmp)
    File opened for modification C:\Program Files\XnViewMP\api-ms-win-core-heap-l1-1-0.dll (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\AddOn\clut\is-6BD2M.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\UI\icons-48\is-MTGDB.tmp (XnViewMP-win-x64.tmp)
    File created C:\Program Files\XnViewMP\AddOn\Masks\is-L7QLC.tmp (XnViewMP-win-x64.tmp)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description / ioc / process:
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
    Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Modifies registry class (64 IoCs)
  description / ioc / process:
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.jpg\shell (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.slide\DefaultIcon (XnViewMP-win-x64.tmp)
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.tga\shell\open\command\ = "\"C:\\Program Files\\XnViewMP\\xnviewmp.exe\" \"%1\"" (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.tiff\shell\open\command (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.emf\shell\open (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.img\shell\open (XnViewMP-win-x64.tmp)
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.pcd\shell\open\command\ = "\"C:\\Program Files\\XnViewMP\\xnviewmp.exe\" \"%1\"" (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.png\shell (XnViewMP-win-x64.tmp)
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.wmf\shell\open\command\ = "\"C:\\Program Files\\XnViewMP\\xnviewmp.exe\" \"%1\"" (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.xpm\DefaultIcon (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.pcx\shell\open\command (XnViewMP-win-x64.tmp)
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.tga\DefaultIcon\ = "C:\\Program Files\\XnViewMP\\FileIcons\\tga.ico" (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.tiff\shell\open (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.rle\shell\open (XnViewMP-win-x64.tmp)
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.jpe\DefaultIcon\ = "C:\\Program Files\\XnViewMP\\FileIcons\\jpg.ico" (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.jpc\shell\open\command (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.pcx (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.pbm\shell\open (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.jp2\shell\open\command (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.psd\shell\open (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.raw\shell\open\command (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.iff\shell (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.pbm\shell (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.pgm\shell\open (XnViewMP-win-x64.tmp)
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.nef\shell\open\command\ = "\"C:\\Program Files\\XnViewMP\\xnviewmp.exe\" \"%1\"" (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.ras\DefaultIcon (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.tga\shell\open\command (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.nef\shell\open (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.png\shell\open\command (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.pgm\shell (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.xpm\shell (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.image\shell\open (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.pcx\shell (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.cr2\DefaultIcon (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.pic (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.image\DefaultIcon\ = "C:\\Program Files\\XnViewMP\\FileIcons\\generic.ico" (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.png\shell\open (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.pcd\shell (XnViewMP-win-x64.tmp)
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.rle\shell\open\command\ = "\"C:\\Program Files\\XnViewMP\\xnviewmp.exe\" \"%1\"" (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.image\shell (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.jpe (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.dds\shell\open (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.pcd\shell\open (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.dds (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.dds\shell\open\command (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.bmp\shell\open (XnViewMP-win-x64.tmp)
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.gif\DefaultIcon\ = "C:\\Program Files\\XnViewMP\\FileIcons\\gif.ico" (XnViewMP-win-x64.tmp)
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.emf\shell\open\command\ = "\"C:\\Program Files\\XnViewMP\\xnviewmp.exe\" \"%1\"" (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.raw\shell (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.jp2\shell (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.png\DefaultIcon (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.tiff\DefaultIcon (XnViewMP-win-x64.tmp)
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.pbm\DefaultIcon\ = "C:\\Program Files\\XnViewMP\\FileIcons\\generic.ico" (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.image\DefaultIcon (XnViewMP-win-x64.tmp)
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.bmp\DefaultIcon\ = "C:\\Program Files\\XnViewMP\\FileIcons\\bmp.ico" (XnViewMP-win-x64.tmp)
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.raf\shell\open\command\ = "\"C:\\Program Files\\XnViewMP\\xnviewmp.exe\" \"%1\"" (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.pic\shell\open\command (XnViewMP-win-x64.tmp)
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.pgm\shell\open\command\ = "\"C:\\Program Files\\XnViewMP\\xnviewmp.exe\" \"%1\"" (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.image\shell\open\command (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.jpc\DefaultIcon (XnViewMP-win-x64.tmp)
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.jp2 (XnViewMP-win-x64.tmp)
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\XnViewMP.cr2\shell\open\command\ = "\"C:\\Program Files\\XnViewMP\\xnviewmp.exe\" \"%1\"" (XnViewMP-win-x64.tmp)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid / process:
    2520 XnViewMP-win-x64.tmp
    2520 XnViewMP-win-x64.tmp
    1592 msedge.exe
    1592 msedge.exe
    5048 msedge.exe
    5048 msedge.exe
    2456 identity_helper.exe
    2456 identity_helper.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
  pid / process:
    5048 msedge.exe (9 identical entries)
- Suspicious use of FindShellTrayWindow (5 IoCs)
  pid / process:
    2520 XnViewMP-win-x64.tmp
    5048 msedge.exe
    5048 msedge.exe
    5048 msedge.exe
    5048 msedge.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / process / target process (the 64 entries grouped by source and target; each pair occurs repeatedly):
    PID 660 (XnViewMP-win-x64.exe) wrote to memory of 2520 (XnViewMP-win-x64.tmp)
    PID 2520 (XnViewMP-win-x64.tmp) wrote to memory of 5048 (msedge.exe)
    PID 5048 (msedge.exe) wrote to memory of 2320 (msedge.exe)
    PID 5048 (msedge.exe) wrote to memory of 4444 (msedge.exe)
    PID 5048 (msedge.exe) wrote to memory of 1592 (msedge.exe)
    PID 5048 (msedge.exe) wrote to memory of 3272 (msedge.exe)
Processes
- [depth 1, PID 660] C:\Users\Admin\AppData\Local\Temp\XnViewMP-win-x64.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XnViewMP-win-x64.exe"
  Signatures:
  - Suspicious use of WriteProcessMemory
  - [depth 2, PID 2520] C:\Users\Admin\AppData\Local\Temp\is-63L72.tmp\XnViewMP-win-x64.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-63L72.tmp\XnViewMP-win-x64.tmp" /SL5="$801FC,69459733,941568,C:\Users\Admin\AppData\Local\Temp\XnViewMP-win-x64.exe"
    Signatures:
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - [depth 3, PID 5048] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.xnview.com/xnview_install.html
      Signatures:
      - Adds Run key to start application
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - [depth 4, PID 2320] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb3b4d46f8,0x7ffb3b4d4708,0x7ffb3b4d4718
      - [depth 4, PID 4444] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,17322131336440280307,4103978839340156113,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
      - [depth 4, PID 1592] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,17322131336440280307,4103978839340156113,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
        Signatures:
        - Suspicious behavior: EnumeratesProcesses
      - [depth 4, PID 3272] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,17322131336440280307,4103978839340156113,131072 --lang=de --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
      - [depth 4, PID 2284] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17322131336440280307,4103978839340156113,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
      - [depth 4, PID 2596] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17322131336440280307,4103978839340156113,131072 --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:1
      - [depth 4, PID 3196] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,17322131336440280307,4103978839340156113,131072 --lang=de --service-sandbox-type=service --mojo-platform-channel-handle=5204 /prefetch:8
      - [depth 4, PID 3752] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17322131336440280307,4103978839340156113,131072 --disable-gpu-compositing --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
      - [depth 4, PID 2456] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17322131336440280307,4103978839340156113,131072 --disable-gpu-compositing --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
      - [depth 4, PID 4316] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17322131336440280307,4103978839340156113,131072 --disable-gpu-compositing --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
      - [depth 4, PID 4760] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17322131336440280307,4103978839340156113,131072 --disable-gpu-compositing --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
      - [depth 4, PID 912] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17322131336440280307,4103978839340156113,131072 --disable-gpu-compositing --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
      - [depth 4, PID 1680] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,17322131336440280307,4103978839340156113,131072 --lang=de --service-sandbox-type=service --mojo-platform-channel-handle=6120 /prefetch:8
      - [depth 4, PID 1784] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17322131336440280307,4103978839340156113,131072 --disable-gpu-compositing --lang=de --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
      - [depth 4, PID 4176] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,17322131336440280307,4103978839340156113,131072 --disable-gpu-compositing --lang=de --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
      - [depth 4, PID 4436] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,17322131336440280307,4103978839340156113,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=6732 /prefetch:8
      - [depth 4, PID 5112] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        Signatures:
        - Drops file in Program Files directory
        - [depth 5, PID 1208] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6aa825460,0x7ff6aa825470,0x7ff6aa825480
      - [depth 4, PID 2456] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,17322131336440280307,4103978839340156113,131072 --lang=de --service-sandbox-type=none --mojo-platform-channel-handle=6732 /prefetch:8
        Signatures:
        - Suspicious behavior: EnumeratesProcesses
- [depth 1, PID 5108] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2.6MB
  MD5: 6b4c95df1cc881ec1e6a2b764ba360ec
  SHA1: e285e696015c837aa905f3aca19c8576849642c9
  SHA256: 33e8bb1c4b2c3e8609f54258ee2f28bf68279dccae48db1515eea0571e6a0a55
  SHA512: 8d1586d92a836af6dc33b602f48add219835953838ed0214a93fdd0e9cab0ac3ee3b0a0f958d86b257028814cf2646713d4b551d561a94e7b38f0d1a7c6b21a0
- Filesize: 2.6MB
  MD5: 6b4c95df1cc881ec1e6a2b764ba360ec
  SHA1: e285e696015c837aa905f3aca19c8576849642c9
  SHA256: 33e8bb1c4b2c3e8609f54258ee2f28bf68279dccae48db1515eea0571e6a0a55
  SHA512: 8d1586d92a836af6dc33b602f48add219835953838ed0214a93fdd0e9cab0ac3ee3b0a0f958d86b257028814cf2646713d4b551d561a94e7b38f0d1a7c6b21a0
- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e