neshta | fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e

Analysis

max time kernel
153s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
Size

585KB
MD5

56c44a91fe7f49e34b5cbaf49bfd8cc6
SHA1

3ba26ecca8b59d065400b60e39f32d04b63212fd
SHA256

fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e
SHA512

5ef1d05d9d3190904aee533dd02eb794b39eb6032459dd659cf1d54921ef3bb2cf85970cdd48849403e014e72c05aacabf054f57d47e328a3c3f137c917146f6
SSDEEP

12288:/EnU4T/vjL0IzZ9K4SfBUOUymZw1ZeDoLqoLG:snU4TDL0IN9KZpbnf0lL

Score

10^/10

neshta persistence spyware

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Executes dropped EXE 1 IoCs

Processes:

fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe

pid process

4952 fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe

Drops file in Program Files directory 64 IoCs

Processes:

fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpshare.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wab.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MI391D~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MICROS~4.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MICROS~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ExtExport.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmlaunch.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\wabmig.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\WI8A19~1\ImagingDevices.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13169~1.31\MICROS~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MICROS~3.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\MICROS~1\EDGEUP~1\13169~1.31\MICROS~2.EXE	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe

Drops file in Windows directory 4 IoCs

Processes:

fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exefc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.com	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\Windows\assembly	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File created	C:\Windows\assembly\Desktop.ini	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe

pid	process
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

1876 msedge.exe
1876 msedge.exe
1876 msedge.exe
1876 msedge.exe
1876 msedge.exe
1876 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe

description pid process

Token: SeDebugPrivilege 4952 fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msedge.exe

pid process

1876 msedge.exe

pid	process
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe

description	pid	process
Token: SeDebugPrivilege	4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe

pid	process
1876	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exefc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 1532 wrote to memory of 4952	1532	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
PID 1532 wrote to memory of 4952	1532	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
PID 1532 wrote to memory of 4952	1532	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
PID 4952 wrote to memory of 1876	4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe	msedge.exe
PID 4952 wrote to memory of 1876	4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe	msedge.exe
PID 4952 wrote to memory of 4668	4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe	msedge.exe
PID 4952 wrote to memory of 4668	4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe	msedge.exe
PID 4952 wrote to memory of 3344	4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe	msedge.exe
PID 4952 wrote to memory of 3344	4952	fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe	msedge.exe
PID 3344 wrote to memory of 4376	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 4376	3344	msedge.exe	msedge.exe
PID 1876 wrote to memory of 2816	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 2816	1876	msedge.exe	msedge.exe
PID 4668 wrote to memory of 860	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 860	4668	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 3344 wrote to memory of 1828	3344	msedge.exe	msedge.exe
PID 1876 wrote to memory of 2900	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 2900	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 2900	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 2900	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 2900	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 2900	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 2900	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 2900	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 2900	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 2900	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 2900	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 2900	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 2900	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 2900	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 2900	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 2900	1876	msedge.exe	msedge.exe
PID 1876 wrote to memory of 2900	1876	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
"C:\Users\Admin\AppData\Local\Temp\fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe"
1⤵
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\Temp\3582-490\fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe"
2⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.vk.com/mp_2014
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe08f846f8,0x7ffe08f84708,0x7ffe08f84718
4⤵
PID:2816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,8236691806504580236,11382889695476362248,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
4⤵
PID:2900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,8236691806504580236,11382889695476362248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
4⤵
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,8236691806504580236,11382889695476362248,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
4⤵
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,8236691806504580236,11382889695476362248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4304 /prefetch:1
4⤵
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,8236691806504580236,11382889695476362248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
4⤵
PID:312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,8236691806504580236,11382889695476362248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:1
4⤵
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,8236691806504580236,11382889695476362248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
4⤵
PID:1460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,8236691806504580236,11382889695476362248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
4⤵
PID:2416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,8236691806504580236,11382889695476362248,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
4⤵
PID:508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.vk.com/kyk_hack
3⤵
- Suspicious use of WriteProcessMemory
PID:4668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe08f846f8,0x7ffe08f84708,0x7ffe08f84718
4⤵
PID:860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,7946539228761430175,14509236445328742656,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
4⤵
PID:3744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,7946539228761430175,14509236445328742656,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
4⤵
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.best-hack.ru/
3⤵
- Suspicious use of WriteProcessMemory
PID:3344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe08f846f8,0x7ffe08f84708,0x7ffe08f84718
4⤵
PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,4202287529471490556,5647405747138145447,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
4⤵
PID:1828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,4202287529471490556,5647405747138145447,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
4⤵
PID:3156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3024

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize
471B

MD5
f7144a5599e49b5b444b035a0ca0bab6

SHA1
9f3c1f837c2c41200e9208ea05aad06a0778db00

SHA256
ccde0ee17579835a9d49f814563dd83df8f4ba58ca66e15deba8507d38f08cda

SHA512
c5ebc5174027bc89bf0aac590738d2bc857285207f17062f97f5e0f1e2a280bc8a8a2c9321b2bea8a6b4da09522299d73f38c3aaf351d7a8586406ab02c3042f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize
471B

MD5
f7144a5599e49b5b444b035a0ca0bab6

SHA1
9f3c1f837c2c41200e9208ea05aad06a0778db00

SHA256
ccde0ee17579835a9d49f814563dd83df8f4ba58ca66e15deba8507d38f08cda

SHA512
c5ebc5174027bc89bf0aac590738d2bc857285207f17062f97f5e0f1e2a280bc8a8a2c9321b2bea8a6b4da09522299d73f38c3aaf351d7a8586406ab02c3042f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize
442B

MD5
2fb49dfcc25d183a7064be8702c57df8

SHA1
aa413da6feaac0bf8a8a2230ef9c4b240e37991a

SHA256
69341728de1438784185bdac0f7e2d12683677c628d63cae6bfa281ccc8ed10b

SHA512
7ca551982854254aca58c4978830e89c7b4a89937277d3bb81b514e6e16c66db5c7201bcdde6abbe5db94622f8125562a0de11bcb3bd18f67d829d8a9d708be2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
Filesize
442B

MD5
2fb49dfcc25d183a7064be8702c57df8

SHA1
aa413da6feaac0bf8a8a2230ef9c4b240e37991a

SHA256
69341728de1438784185bdac0f7e2d12683677c628d63cae6bfa281ccc8ed10b

SHA512
7ca551982854254aca58c4978830e89c7b4a89937277d3bb81b514e6e16c66db5c7201bcdde6abbe5db94622f8125562a0de11bcb3bd18f67d829d8a9d708be2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d492567d4611438b2f936ddcaa9544ef

SHA1
ae88af380bbeb5e05a0446163a5434d70710f853

SHA256
0cba2ccfcfff09f076de767bf8df52485a8ac4b29cd3d14d53b23fdad2da3645

SHA512
150794b8598594ac00f827996e62d84b9331f1e35386e908485181204e823e8e5802fa543b53aca4d3046d176eaf4ee1dcb4df211589ea2fedac46170f162f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
18ad3a99cbd5ddc6b806e98374137f92

SHA1
03b6e4402a81fc0585430539a6d4a208b6ca9020

SHA256
b4f8afdb8ec7975ab4f4bff3a5c1fcab389dee2b9eb38b9603099d500457145f

SHA512
faabf3e957ee6516f8e66a1decfb2279e3923f63d0bc3f4f6aa5082b84feba57e48d0c631800b962567313b26d6cb92192a29eef6faf7b0be01894233b4929b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
b2515487230b2d00e6ff46b73ae14fce

SHA1
b54b438118fd3c6f311fe88b45d72f32fb976a88

SHA256
9b961657e6aaaad161b146d33e588561bcf77db8e4788da2e04b05fa31bbbe43

SHA512
88f8ab73c9bf3c302e0144e61b3bbb250ab5a8bfea74d7c92b715c59cb3e47c01e64be1597adc2c3a92e39b0dee4a14a652cc89592dd5950d8ca2a105786aaee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
3KB

MD5
cfd72c1175d1604af5220ece00bac52d

SHA1
715cf253f519a3b055d7fd924caf5bc6937827fc

SHA256
4e418dd6bd74a3329b8819f0802361819b6791f22c82748ff4819abc73641a23

SHA512
66c1b22032b185bae397cb2c25d17beee23e2c20929196921ef130ee771058bffa28720bcdcc0613e08a0dcb2d422688f01fbbd88f3c8a1a60c30c753e04f0d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
477009bf9650ca3cc1a4897201b56b60

SHA1
ab352b92956eeef2fb8237d60a8b4ecbab5a5f72

SHA256
f28af94ba76a8251997c3692f2937baffe92411dfd84b5a8bdfca840dae0960e

SHA512
3d33c9496af3eefd20f0055adfe7069b44ffac248aeaa7359f4e279b65523daf7c2608cf0e4e462bd0a274b342024dba1a1f3a8b24af7d426d9a234b4e589184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
477009bf9650ca3cc1a4897201b56b60

SHA1
ab352b92956eeef2fb8237d60a8b4ecbab5a5f72

SHA256
f28af94ba76a8251997c3692f2937baffe92411dfd84b5a8bdfca840dae0960e

SHA512
3d33c9496af3eefd20f0055adfe7069b44ffac248aeaa7359f4e279b65523daf7c2608cf0e4e462bd0a274b342024dba1a1f3a8b24af7d426d9a234b4e589184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
2KB

MD5
b2515487230b2d00e6ff46b73ae14fce

SHA1
b54b438118fd3c6f311fe88b45d72f32fb976a88

SHA256
9b961657e6aaaad161b146d33e588561bcf77db8e4788da2e04b05fa31bbbe43

SHA512
88f8ab73c9bf3c302e0144e61b3bbb250ab5a8bfea74d7c92b715c59cb3e47c01e64be1597adc2c3a92e39b0dee4a14a652cc89592dd5950d8ca2a105786aaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
Filesize
545KB

MD5
52b127d5eb0003cabfca562ff4415066

SHA1
ec60fd01f5dd8feebd1133efb6c811eeb6c29e82

SHA256
5f5ce21e8058185f09d4c73001cea5575a631a09d32657ea0b6d1a5c241b587c

SHA512
01bd360068d5d3794f5a025fed0800132a9b77cb16b77351201533319d9b51375a4372ed3686e4a2281881fc82546a0d9d80407655e57597e97b1e73f6507332

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\fc766c0232047ebddbd7368a3f6f45a9f49fd955b4278efd17c9ccd7de0a4e5e.exe
Filesize
545KB

MD5
52b127d5eb0003cabfca562ff4415066

SHA1
ec60fd01f5dd8feebd1133efb6c811eeb6c29e82

SHA256
5f5ce21e8058185f09d4c73001cea5575a631a09d32657ea0b6d1a5c241b587c

SHA512
01bd360068d5d3794f5a025fed0800132a9b77cb16b77351201533319d9b51375a4372ed3686e4a2281881fc82546a0d9d80407655e57597e97b1e73f6507332

Download Submit
\??\pipe\LOCAL\crashpad_1876_GXXOUVRRDXIVCAEE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3344_QKVFRONTMULTEDCA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_4668_GJTTADTFHQEJWBQX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/312-180-0x0000000000000000-mapping.dmp

Download
memory/508-188-0x0000000000000000-mapping.dmp

Download
memory/860-142-0x0000000000000000-mapping.dmp

Download
memory/1460-184-0x0000000000000000-mapping.dmp

Download
memory/1472-160-0x0000000000000000-mapping.dmp

Download
memory/1828-155-0x0000000000000000-mapping.dmp

Download
memory/1876-137-0x0000000000000000-mapping.dmp

Download
memory/2416-186-0x0000000000000000-mapping.dmp

Download
memory/2816-141-0x0000000000000000-mapping.dmp

Download
memory/2900-157-0x0000000000000000-mapping.dmp

Download
memory/3156-159-0x0000000000000000-mapping.dmp

Download
memory/3344-139-0x0000000000000000-mapping.dmp

Download
memory/3744-158-0x0000000000000000-mapping.dmp

Download
memory/4376-140-0x0000000000000000-mapping.dmp

Download
memory/4668-138-0x0000000000000000-mapping.dmp

Download
memory/4772-178-0x0000000000000000-mapping.dmp

Download
memory/4776-182-0x0000000000000000-mapping.dmp

Download
memory/4836-163-0x0000000000000000-mapping.dmp

Download
memory/4952-143-0x00000000025BC000-0x00000000025BF000-memory.dmp

Filesize
12KB

Download
memory/4952-132-0x0000000000000000-mapping.dmp

Download
memory/4952-150-0x00000000025BC000-0x00000000025BF000-memory.dmp

Filesize
12KB

Download
memory/4952-136-0x0000000073AC0000-0x0000000074071000-memory.dmp

Filesize
5.7MB

Download
memory/4952-135-0x0000000073AC0000-0x0000000074071000-memory.dmp

Filesize
5.7MB

Download
memory/5004-164-0x0000000000000000-mapping.dmp

Download