Analysis
max time kernel: 152s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 13:04
Behavioral task behavioral1
Sample: 67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee.exe
Resource: win7-20221111-en
Behavioral task behavioral2 (the run described in this report)
Sample: 67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee.exe
Resource: win10v2004-20220812-en
General
Target: 67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee.exe
Size: 5.8MB
MD5: 92d102b09864103c6cad122c76f1fea6
SHA1: cd28994ab158fd357aeb71d0b33ed2312d4194ce
SHA256: 67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee
SHA512: 4e117e464521c41d2020cb565f157b4b2b266e60dffcb5d73371b9770044c14b5df184a7752455e2836ac9dc7aad4e0f6d5ad31416238e205c3f8cddb5e4ed31
SSDEEP: 98304:5lXMjBFx2i0ro9+bkcC79cUpRgoC2BVZQUEnpaAV4f6PE4OmiuO3vh:5lXMjBFAi0ro0bkcEmxcv/+paAV4faLK
Malware Config
Signatures
-
Detect Neshta payload 26 IoCs
Processes:
resource  yara_rule
C:\Users\Admin\AppData\LocalPPiXazGYJv.exe  family_neshta
C:\Users\Admin\AppData\LocalPPiXazGYJv.exe  family_neshta
C:\Windows\svchost.com  family_neshta
C:\Windows\svchost.com  family_neshta
C:\odt\OFFICE~1.EXE  family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE  family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\cookie_exporter.exe  family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\BHO\ie_to_edge_stub.exe  family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\elevation_service.exe  family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\identity_helper.exe  family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\INSTAL~1\setup.exe  family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\pwahelper.exe  family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\notification_helper.exe  family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge_pwa_launcher.exe  family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge_proxy.exe  family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedgewebview2.exe  family_neshta
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge.exe  family_neshta
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE  family_neshta
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE  family_neshta
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe  family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE  family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE  family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE  family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE  family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE  family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE  family_neshta
Only the first two paths (the dropped infected executable and the Neshta body written to C:\Windows\svchost.com) are files this run created. Every other hit is a pre-existing third-party program or installer on the sandbox image (Edge, Edge Update, the Firefox uninstaller, the Office deployment tool, Adobe setup, VC++ redistributables) that the virus infected in place. The hashes listed for those files under Downloads are post-infection hashes; a match on them means the machine has been infected, not that the vendor shipped malware.
-
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
process  LocalPPiXazGYJv.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
With this value every .exe started through the shell is handed to the dropped C:\Windows\svchost.com first, which then runs the requested program (step 4 of the process tree shows it launching yahoo.exe this way). When cleaning a host, restore the Windows default "%1" %* before deleting svchost.com; deleting the file first leaves the machine unable to start any .exe.
-
Neshta
Neshta is a file-infecting virus. It writes its own body to the front of other executables and keeps the original program intact behind it, so running an infected file executes the virus first; the virus then drops the original into %TEMP%\3582-490\ and runs it so the user sees nothing wrong. In this report that is visible as the infected LocalPPiXazGYJv.exe spawning Temp\3582-490\LocalPPiXazGYJv.exe (the carried original, identical by hash to yahoo.exe), and in the executables under Program Files that the two infector processes opened for modification.
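The following PowerShell is an added example, not part of the report or of any vendor tool. It recovers the original program from a Neshta-infected executable by stripping the virus body from the front of the file, which is the structure described above. It assumes that the dropped C:\Windows\svchost.com (40KB in this report) is a byte-exact copy of the body prepended to every host, and that $InfectorPath points at a copy of it taken from the infected machine; the carved output's SHA256 can be compared with the %TEMP%\3582-490\ copy the virus extracts at run time.

```powershell
# Added example: carve the original host program out of a Neshta-infected file.
# Assumption (labelled): the prepended virus body is byte-identical to the dropped
# C:\Windows\svchost.com, so its length is the offset at which the original starts.

function Get-BytesSha256([byte[]] $Bytes) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { ($sha.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $sha.Dispose() }
}

function Test-NeshtaInfected {
    # Cheap triage: a file is a candidate if it is longer than the stub and its
    # first 512 bytes (DOS header, PE header, section table) equal the stub's.
    param([string] $Path, [byte[]] $Stub)
    if ($Stub.Length -lt 512) { throw 'Stub is too short to be a Neshta body' }
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        if ($fs.Length -le $Stub.Length) { return $false }
        $head = New-Object byte[] 512
        $n = $fs.Read($head, 0, 512)
        for ($i = 0; $i -lt $n; $i++) { if ($head[$i] -ne $Stub[$i]) { return $false } }
        return $true
    } finally { $fs.Dispose() }
}

function Restore-NeshtaHost {
    param(
        [Parameter(Mandatory)] [string] $InfectedPath,
        [Parameter(Mandatory)] [string] $InfectorPath,   # copy of C:\Windows\svchost.com
        [string] $OutPath                                 # omit for a dry run
    )
    $stub     = [System.IO.File]::ReadAllBytes($InfectorPath)
    $infected = [System.IO.File]::ReadAllBytes($InfectedPath)

    if ($infected.Length -le $stub.Length) { throw "$InfectedPath is not longer than the infector body" }
    # The whole virus body must match, not just the header, before we trust the offset.
    for ($i = 0; $i -lt $stub.Length; $i++) {
        if ($infected[$i] -ne $stub[$i]) { throw "$InfectedPath: prefix differs from the infector at offset $i" }
    }

    $hostBytes = New-Object byte[] ($infected.Length - $stub.Length)
    [Array]::Copy($infected, $stub.Length, $hostBytes, 0, $hostBytes.Length)

    # Whatever follows the stub must itself be a PE image ('MZ'); otherwise the offset is wrong.
    if ($hostBytes.Length -lt 2 -or $hostBytes[0] -ne 0x4D -or $hostBytes[1] -ne 0x5A) {
        throw "$InfectedPath: carved data does not start with MZ"
    }

    if ($OutPath) { [System.IO.File]::WriteAllBytes($OutPath, $hostBytes) }
    [pscustomobject]@{
        Infected   = $InfectedPath
        HostSize   = $hostBytes.Length
        HostSHA256 = Get-BytesSha256 $hostBytes   # compare with the %TEMP%\3582-490\ copy
        Written    = [bool] $OutPath
    }
}

# Usage on an infected host (paths from this report):
#   $stub = [System.IO.File]::ReadAllBytes('C:\Windows\svchost.com')
#   Get-ChildItem 'C:\Program Files (x86)' -Recurse -Include *.exe -ErrorAction SilentlyContinue |
#       Where-Object { Test-NeshtaInfected $_.FullName $stub } |
#       ForEach-Object { Restore-NeshtaHost $_.FullName 'C:\Windows\svchost.com' ($_.FullName + '.clean') }
```

Carve to a side file and verify the hash (and, where available, the vendor's Authenticode signature on the carved copy) before replacing anything; if the prefix check fails, the file was infected by a different build of the virus and the offset assumption does not hold.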
-
Executes dropped EXE 5 IoCs
Processes:
pid   process
3036  LocalPPiXazGYJv.exe
2296  LocalM_GXZGkpRk.exe
5016  LocalPPiXazGYJv.exe
4648  svchost.com
1800  yahoo.exe
Note the drop paths: the first two files sit directly under C:\Users\Admin\AppData\ with "Local" fused onto the file name (AppData\LocalPPiXazGYJv.exe, AppData\LocalM_GXZGkpRk.exe) rather than inside AppData\Local, which makes the path itself a usable IOC.
-
Modifies Windows Firewall 1 TTPs 1 IoCs
No IoC row is shown here; the event is the netsh.exe entry in the process tree, where yahoo.exe (PID 1800) runs netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\yahoo.exe" "yahoo.exe" ENABLE from SysWOW64 to exempt itself from the host firewall.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
process  /  key value queried
67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee.exe  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
LocalPPiXazGYJv.exe  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
LocalPPiXazGYJv.exe  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, such as saved credentials, cookies and session tokens. No specific file access is recorded for this signature in the report.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
process  yahoo.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8ef6e5fbcf93c20a9c240921a52d8776 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\yahoo.exe\" .."
Set value (str)  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8ef6e5fbcf93c20a9c240921a52d8776 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\yahoo.exe\" .."
The same value is written per-machine (under WOW6432Node, which means yahoo.exe is a 32-bit process, consistent with it spawning SysWOW64\netsh.exe) and per-user, so both hives must be checked. The 32-hex-character value name and the trailing " .." argument are part of the IOC, not noise.
-
Drops file in Program Files directory 64 IoCs
Processes:
svchost.comLocalPPiXazGYJv.exedescription ioc process File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE svchost.com File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe svchost.com File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe svchost.com File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\INSTAL~1\setup.exe svchost.com File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\msedge.exe svchost.com File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE svchost.com File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE LocalPPiXazGYJv.exe File 
opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI391D~1.EXE svchost.com File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~2.EXE LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\IDENTI~1.EXE svchost.com File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~1.EXE LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE svchost.com File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe LocalPPiXazGYJv.exe File opened for modification 
C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe svchost.com File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~3.EXE LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe svchost.com File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE svchost.com File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE svchost.com File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE svchost.com File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\MSEDGE~2.EXE svchost.com File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MI9C33~1.EXE LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE svchost.com File opened for modification C:\PROGRA~2\MICROS~1\EdgeCore\104012~1.47\BHO\IE_TO_~1.EXE LocalPPiXazGYJv.exe File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe svchost.com File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe svchost.com File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe LocalPPiXazGYJv.exe File 
opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE svchost.com -
Drops file in Windows directory 4 IoCs
Processes:
File created  C:\Windows\AppCompat\Programs\Amcache.hve.tmp  dw20.exe
File opened for modification  C:\Windows\svchost.com  LocalPPiXazGYJv.exe
File opened for modification  C:\Windows\directx.sys  svchost.com
File opened for modification  C:\Windows\svchost.com  svchost.com
The Amcache.hve.tmp write comes from dw20.exe, the .NET Framework error-reporting tool that LocalM_GXZGkpRk.exe crashed into, and is ordinary Windows activity rather than the sample's. svchost.com (40KB) is the Neshta body and directx.sys is a data file the infector writes; despite the names, neither is a Windows service host or a driver, and both are reliable file IOCs for this family.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). "Likely ransomware behaviour" is the sandbox's generic wording for this signature; nothing else in this report supports that reading, and for a file infector the same drive enumeration is equally consistent with looking for further executables to infect.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. Here, though, every read comes from dw20.exe, the .NET Framework 2.0 Watson error reporter that LocalM_GXZGkpRk.exe launched (dw20.exe -x -s 844) after an unhandled exception; it collects hardware details for the crash report, so these reads are not evidence of sandbox evasion by the sample.
Processes:
process  dw20.exe
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
process  dw20.exe
Key opened  \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Same source as the processor reads above: crash-report telemetry from dw20.exe, not the sample.
-
Modifies registry class 2 IoCs
Processes:
process  LocalPPiXazGYJv.exe
Key created  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
-
Suspicious behavior: EnumeratesProcesses 39 IoCs
Processes:
pid   process
1800  yahoo.exe  (39 process-enumeration events)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
Token: SeRestorePrivilege  1420 dw20.exe
Token: SeBackupPrivilege  1420 dw20.exe  (4 times)
Token: SeDebugPrivilege  1800 yahoo.exe
The backup/restore privileges taken by dw20.exe are consistent with its Amcache.hve.tmp write above. The one that matters is SeDebugPrivilege in yahoo.exe, the same process that enumerates running processes and installs the Run keys.
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
pid  process  ->  target pid  target process  (each pair is recorded three times in the report)
904   67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee.exe  ->  3036  LocalPPiXazGYJv.exe
904   67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee.exe  ->  2296  LocalM_GXZGkpRk.exe
2296  LocalM_GXZGkpRk.exe  ->  1420  dw20.exe
3036  LocalPPiXazGYJv.exe  ->  5016  LocalPPiXazGYJv.exe
5016  LocalPPiXazGYJv.exe  ->  4648  svchost.com
4648  svchost.com  ->  1800  yahoo.exe
1800  yahoo.exe  ->  2896  netsh.exe
Every pair is a parent writing into a child it has just created; the pairs reproduce the process tree exactly and there is no write into a pre-existing or unrelated process, so this is consistent with ordinary process creation rather than injection into a running process.
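The PowerShell below is an added example, not part of the report or of any vendor tool. It checks a Windows host for the artifacts the signatures above record: the exefile association pointing at C:\Windows\svchost.com, the dropped svchost.com, directx.sys and %TEMP%\3582-490\ directory, the Run value with a 32-hex-character name whose data is a Temp\*.exe followed by " ..", and the firewall exception that the netsh command in the process tree creates for a Temp\*.exe. Assumptions: it is run elevated, the NetSecurity module is available (Windows 8 / Server 2012 and later), and HKCU refers to the logged-on user, so other users' Run keys are not inspected. -Repair restores only the exefile association, which must happen before svchost.com is removed.

```powershell
# Added example: find the persistence and hijack artifacts this sample leaves on a host.
# Assumption (labelled): only the current user's HKCU hive is checked; run elevated.

function Find-ReportIOCs {
    [CmdletBinding()]
    param([switch] $Repair)

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Type, $Where, $Value) {
        $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Value = $Value })
    }

    # 1. Neshta's EXE hijack: every .exe launch is routed through svchost.com.
    $assocKey = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'
    $assoc = (Get-ItemProperty -Path $assocKey -ErrorAction SilentlyContinue).'(default)'
    if ($assoc -and $assoc -ne '"%1" %*') {
        Add-Finding 'ExeHijack' $assocKey $assoc
        if ($Repair) {
            # Windows default. Restore this BEFORE deleting svchost.com, or no .exe will start.
            Set-ItemProperty -Path $assocKey -Name '(default)' -Value '"%1" %*'
        }
    }

    # 2. Files the infector drops (directx.sys here is Neshta's data file, not a driver).
    foreach ($p in 'C:\Windows\svchost.com', 'C:\Windows\directx.sys', (Join-Path $env:TEMP '3582-490')) {
        if (Test-Path -LiteralPath $p) {
            $item = Get-Item -LiteralPath $p
            Add-Finding 'DroppedFile' $p $(if ($item.PSIsContainer) { 'directory' } else { "$($item.Length) bytes" })
        }
    }

    # 3. Run values: a 32-hex-char name, or data of the form "<...\AppData\Local\Temp\x.exe>" ..
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }  # provider metadata
            $data = [string] $prop.Value
            if ($prop.Name -match '^[0-9a-f]{32}$' -or $data -match '\\AppData\\Local\\Temp\\[^"]+\.exe"\s+\.\.$') {
                Add-Finding 'RunKey' "$k\$($prop.Name)" $data
            }
        }
    }

    # 4. Firewall allow rule for an executable under Temp (what "netsh firewall add allowedprogram" created).
    Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Program -like '*\AppData\Local\Temp\*.exe' } |
        ForEach-Object {
            $rule = $_ | Get-NetFirewallRule
            Add-Finding 'FirewallRule' $rule.DisplayName $_.Program
        }

    return $findings
}

# Usage (elevated):
#   Find-ReportIOCs | Format-Table -AutoSize
#   Find-ReportIOCs -Repair
```

The Run-key regex is deliberately tied to the two traits seen here (hash-like value name, Temp path followed by " ..") so that it does not flag every legitimate autostart; loosen it if you are hunting more broadly. Removal of the Run values, the firewall rule and the dropped files is left manual because each should be confirmed against the finding first.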
Processes
1. C:\Users\Admin\AppData\Local\Temp\67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee.exe  (PID 904)
   command line: "C:\Users\Admin\AppData\Local\Temp\67414c50442005a05cf1d3200ed6903d43bb10fe97b91f3ba5fb20b5111066ee.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\LocalPPiXazGYJv.exe  (PID 3036)
      command line: "C:\Users\Admin\AppData\LocalPPiXazGYJv.exe"
      - Modifies system executable filetype association
      - Executes dropped EXE
      - Checks computer location settings
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\3582-490\LocalPPiXazGYJv.exe  (PID 5016)
         command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\LocalPPiXazGYJv.exe"
         - Executes dropped EXE
         - Checks computer location settings
         - Modifies registry class
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\svchost.com  (PID 4648)
            command line: "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\yahoo.exe"
            - Executes dropped EXE
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\yahoo.exe  (PID 1800)
               command line: C:\Users\Admin\AppData\Local\Temp\yahoo.exe
               - Executes dropped EXE
               - Adds Run key to start application
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\SysWOW64\netsh.exe  (PID 2896)
                  command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\yahoo.exe" "yahoo.exe" ENABLE
                  - Modifies Windows Firewall
   2. C:\Users\Admin\AppData\LocalM_GXZGkpRk.exe  (PID 2296)
      command line: "C:\Users\Admin\AppData\LocalM_GXZGkpRk.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe  (PID 1420)
         command line: dw20.exe -x -s 844
         - Drops file in Windows directory
         - Checks processor information in registry
         - Enumerates system info in registry
         - Suspicious use of AdjustPrivilegeToken
Reading the tree: the submitted sample (PID 904) drops two executables directly under C:\Users\Admin\AppData\. LocalPPiXazGYJv.exe (PID 3036) is a Neshta-infected file: it hijacks the exefile association, writes svchost.com, infects executables under Program Files, then extracts the program it was carrying to Temp\3582-490\ and runs it (PID 5016). A copy of that carried program also exists as Temp\yahoo.exe (identical hashes under Downloads); when PID 5016 starts it, the hijacked association routes the launch through C:\Windows\svchost.com (PID 4648), which in turn starts yahoo.exe (PID 1800). yahoo.exe is the payload of interest: it persists via Run keys, adds a firewall exception for itself with netsh, takes SeDebugPrivilege and enumerates processes. The second dropped file, LocalM_GXZGkpRk.exe (PID 2296), is a 32-bit CLR 2.0 program that hit an unhandled exception straight away (dw20.exe -x -s 844 is the .NET error reporter), so whatever it was meant to do was not observed in this run.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE
Filesize: 1.6MB
MD5: ca08e5fa7f142d36e4e16d1b9ca35ea1
SHA1: 8d2ab4723b21ac8045bcbc78341777f3d343f140
SHA256: 807bc9b3e8689b8e7019ecf93ac475636a2f51c3dc678cf7483923c7fe9f50d4
SHA512: d5e6519397a9eeef0861b32911da6bd20853e608a9c7f4651ca9c6fe69f79dc016010e558934cf96dd968ca49098553831ac2296ff7dc83878f3d7370db148d3
-
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\BHO\ie_to_edge_stub.exe
Filesize: 537KB
MD5: 365a79a3103889da0d1034eef90e150b
SHA1: 9c6d6600212ceb9b712fea1d99d85e7ef7f748eb
SHA256: 49593d97b8367cddb5e341e367c851573c076fa052639e08d933e5203b77b5ef
SHA512: 08ad848319600e122f9de12d103104ea155be17205171669cd305e3c9d9ac500a4dc10938b1c094b2705a13b4aa2b67344a59635ed7cedc95e52e9eba9371684
-
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\INSTAL~1\setup.exe
Filesize: 3.2MB
MD5: fe1b69272105afc35c59fdde851a0e73
SHA1: 7407f32ccd3d444aac532dfa2dee59d6d38fb91a
SHA256: f68ee8f47c69284ceabde249d8f9406f35f085353a299a8707a24c6b34b775c6
SHA512: 92fc046442048f67e0a5612f3d63e9b986d7803469737c226825415e91a9b2fdebd02bd951d082806cc8944e422c79ef29ffa4653a6364f4c1f5681c7ba043a3
-
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\cookie_exporter.exe
Filesize: 156KB
MD5: 5ad8dd7a663f101ffeddfcd6bae2f9cf
SHA1: 67fabad5399c2e46191c1132e0874a6cc2b208f8
SHA256: 6a4a49328946be26ca31632af3e5441ba2b8247a51671de188c86821f1eb890b
SHA512: 1db427eee862578fa4ce1e40071df6e5b6db3f67546d15a497a4714ee4b1de6dd8d7aba73681dc8e9f23f135f5ca71dcd8dfd9abaf1620ab578e5ef63e36968a
-
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\elevation_service.exe
Filesize: 1.7MB
MD5: 2a52fd23291f3caca91b559c3dcd637f
SHA1: c2cef19fcb10d45e5e1c437a7e4246d500ed09a3
SHA256: 2a228d131fd39876865c31dadd000193978618637ca12408e42f4060aa2f466c
SHA512: f189c9f0b68d6d6842113e048356565569f67e7e63c6d4563913c99038f0a0bb54b750f37c098a50936eb115d751265314abde27d5014c6c73011c031f82b248
-
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\identity_helper.exe
Filesize: 1.1MB
MD5: abd40544970e354010ac043696fcc6f2
SHA1: 207ca492a30f97bed856fdaa318bd1ded2c8f191
SHA256: 58b3fc8e0f6d38e27f8f5b7984e70ec6132fddd5e05169d4026c1b3a9e43d5e4
SHA512: e8a491a8ff31b0854eb0cf69f95ef56bb9ffa0e113113201ef650bd5e02b9fd3fd7aca072d697de007333ea8a254fa4f2944db50b8ea4ff19b851241b3c93890
-
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge.exe
Filesize: 3.7MB
MD5: e1545cbdd197de221913344565f16c76
SHA1: 3672b92456462879827edb7041bab80812ff8edd
SHA256: 6ecc928d1a67f292103a6731630a942cf8b9bcb52ab6a1d47ed4f9202751b110
SHA512: a8186842890a851a9760d821d42490620e4e9f7906908ac63547913f9411502f45847155d844824e646068529b4112c7acd07ee1840294a347e07d293c0309ac
-
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge_proxy.exe
Filesize: 1.1MB
MD5: 5423852b85f3cd0628f3a242e1e9eebe
SHA1: 1264f6ee997a1876062952dbb7ceae06c2732792
SHA256: 385fd4beecebd8c3702413373be358994e1af9481c88148613026f737a855f93
SHA512: 4fb16f3c8198e77437b609e05831421a2d9a5597f83ac22819787082f52ffd1a5a626ff99c137a99ad8b6eca40bb2111a347e67e0351be4d8235a26517475300
-
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedge_pwa_launcher.exe
Filesize: 1.8MB
MD5: e9db236130389516b93f40c919c2619b
SHA1: 2722717f25122719010bdb0b49bcbb6f9a9d69ac
SHA256: 3d3c7ff298fa5d2914470fc32fcb92a82d1ce8924933221895bcbab49d29eab8
SHA512: 5bc6fbd9f97754bf4ec44ee7101d86657a35af6ee3a1b0b79bba4fbffffbfbf3b5836bffe9dd7db495c5688c8b7b291e52b0a6c89ea1f5e41e79507e49f30598
-
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\msedgewebview2.exe
Filesize: 3.2MB
MD5: 816bf809bdab7e95c6f16b38f619a527
SHA1: 5bc139e11d077e8fa88394fb610f63f629f3b86d
SHA256: 75367284d50434c966d4126241682829523a0baa1c03163b9383433182433a75
SHA512: 1e7fbdbfcfb805691ca402acb7da16222da3f6d923db3cc5fe36cb7e677159f5a4b3ab8397d4d34ed82dc389220721bd40d37e35ecc57411133a1601fca1555c
-
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\notification_helper.exe
Filesize: 1.3MB
MD5: 2a46785ab8b2aad2bf6630d12a17a6ce
SHA1: e9704d280ea3589c3b4c1d808a5ff0efe83bc330
SHA256: 1bb2b789bf7890e583958a213a20a20c920972ecac9e1874c04b49d28f69f224
SHA512: 5efb0fdfbadca4698879249f5a2d07846012394c50695f663c18f469e887124819537bb71b179d427886e1325bc201cd28bd499fb75d2bdff01dfdf8a13db94e
-
C:\PROGRA~2\MICROS~1\EDGEWE~1\APPLIC~1\104012~1.47\pwahelper.exe
Filesize: 1.1MB
MD5: 25689bf879a14f124ea71db500ddb522
SHA1: 36dc53850fef561a5ecbb3acdaaaa8aa7868c14c
SHA256: 2bd534244e50c34d36957c30cb26077ef7e91635eb93df15d1b16c867b125c3f
SHA512: fc182276d7187bbb941c171dc70900bdbf81591f83559dd3c0be2f2467ca66c853a5e5cc6affff5870cd0fbd6dcd0db69bb8f55068085eb39fb61b3cfdcd0ed3
-
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
Filesize: 129KB
MD5: e7d2d4bedb99f13e7be8338171e56dbf
SHA1: 8dafd75ae2c13d99e5ef8c0e9362a445536c31b5
SHA256: c8ef54853df3a3b64aa4b1ecfb91615d616c7ff998589e5a3434118611ad2a24
SHA512: 2017dea799cc03b02a17e3616fb6fbe8c86ab2450b1aaf147fce1e67cc472ded12befd686d395386ffdaa992145996eb421d61d3a922cea45e94ac40eef76adc
-
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
Filesize: 494KB
MD5: 05bdfd8a3128ab14d96818f43ebe9c0e
SHA1: 495cbbd020391e05d11c52aa23bdae7b89532eb7
SHA256: 7b945c7e6b8bfbb489f003ecd1d0dcd4803042003de4646d4206114361a0fbbb
SHA512: 8d9b9fc407986bd53fe3b56c96b7371cc782b4bac705253bfb0a2b0b1e6883fdb022f1ac87b8bfd7005291991b6a3dfbaceab54f5d494e0af70f0435a0b8b0da
-
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
Filesize: 6.7MB
MD5: 63dc05e27a0b43bf25f151751b481b8c
SHA1: b20321483dac62bce0aa0cef1d193d247747e189
SHA256: 7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce
SHA512: 374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3
-
C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE
Filesize: 485KB
MD5: 86749cd13537a694795be5d87ef7106d
SHA1: 538030845680a8be8219618daee29e368dc1e06c
SHA256: 8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5
SHA512: 7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c
-
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
Filesize: 714KB
MD5: 015caa1588f703bd73bc7cfe9386ffe4
SHA1: 747bec0876a67c0242ff657d47d7c383254ea857
SHA256: e5c6463292e3013ef2eb211dad0dfa716671241affbd8bed5802a94f03950141
SHA512: 1fb3b2fa422d635c71a8e7865714516b7de1c32e6286f8b975be71b17a9186fcac78852e9467b4751b4eab69cb6af30140772858a758596596d09d767d170aab
-
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE
Filesize: 715KB
MD5: 06366e48936df8d5556435c9820e9990
SHA1: 0e3ed1da26a0c96f549720684e87352f1b58ef45
SHA256: cd47cce50016890899413b2c3609b3b49cb1b65a4dfcaa34ece5a16d8e8f6612
SHA512: bea7342a6703771cb9b11cd164e9972eb981c33dcfe3e628b139f9e45cf1e24ded1c55fcdfa0697bf48772a3359a9ddd29e4bb33c796c94727afd1c4d5589ea3
-
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize: 536KB
MD5: 31685b921fcd439185495e2bdc8c5ebf
SHA1: 5d171dd1f2fc2ad55bde2e3c16a58abff07ae636
SHA256: 4798142637154af13e3ed0e0b508459cf71d2dc1ae2f80f8439d14975617e05c
SHA512: 04a414a89e02f9541b0728c82c38f0c64af1e95074f00699a48c82a5e99f4a6488fd7914ff1fa7a5bf383ce85d2dceab7f686d4ee5344ab36e7b9f13ceec9e7f
-
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
Filesize: 525KB
MD5: f6636e7fd493f59a5511f08894bba153
SHA1: 3618061817fdf1155acc0c99b7639b30e3b6936c
SHA256: 61720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33
SHA512: bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1
-
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
Filesize: 536KB
MD5: 3e8de969e12cd5e6292489a12a9834b6
SHA1: 285b89585a09ead4affa32ecaaa842bc51d53ad5
SHA256: 7a25fc3b1ce0f1d06a84dd344c8f5a6c4604732f7d13a8aaad504c4376b305cf
SHA512: b14a5936181a1d8c0f966d969a049254238bf1eacdb1da952c2dc084d5d6dcd5d611d2d058d4c00d6384c20046deef5e74ea865c0062bb0761a391a1eaf1640e
-
C:\Users\Admin\AppData\LocalM_GXZGkpRk.exe  (recorded twice with identical hashes)
Filesize: 911KB
MD5: f896fd2230ec80959e01c4d3ede8cd70
SHA1: 02a15f21a6f9664d1c7923228d24051bcf6afa0f
SHA256: 1876a63391a12016b8b5ae4fb7cc67d0f1ab163f51c673a79ee98e01fe01055f
SHA512: 9bbe552ecf9f33b41656068513516469c6c068b99fb76babdfc00f0252bdf13c7d3a9dfdffcb46c18f73fa3b771f3b887fa053008b74b2e38a6d08e6f8bfe7b6
-
C:\Users\Admin\AppData\LocalPPiXazGYJv.exe  (recorded twice with identical hashes; the Neshta-infected carrier)
Filesize: 4.6MB
MD5: 2e9e324e8f76e5616ddd8c4f6253bb45
SHA1: bc09dfce3d2ff1cdd74b4118470a3a0a539f1f88
SHA256: cfe4342e63ddae099d29699e295ff9ade3b1847ddb264d75b0ef478b08ecca81
SHA512: 2b40b71ab0e37e7aaccd5d34fb084967abbad83221c6fc82d9e225b8013b9496578a38537b23ca999dcb200b9eca74add13b3cfc2d92cfcb09716172d321d6af
-
C:\Users\Admin\AppData\Local\Temp\3582-490\LocalPPiXazGYJv.exe  (recorded twice with identical hashes; the original program Neshta extracts from the carrier)
Filesize: 4.6MB
MD5: 5080bd240def418ca25ade93a1cb8f0c
SHA1: 28ba6662bfad38ddadd2c9c91f421acdd1631465
SHA256: c4137bd5ece1919ded21a6489dab7beae37f8233f53e85b194d6c27d8bbbfc4e
SHA512: 8398819044cc429b5e06466c03d23b30b1d3bd23827c05b2450ac4f2a7ee30e4c9024348096206d26cb3509ea725666fe4e67ac92f8cddeac12fc9a78ed20959
-
C:\Users\Admin\AppData\Local\Temp\yahoo.exe  (recorded twice; same hashes as the 3582-490 copy above, i.e. the same program persisted under a new name)
Filesize: 4.6MB
MD5: 5080bd240def418ca25ade93a1cb8f0c
SHA1: 28ba6662bfad38ddadd2c9c91f421acdd1631465
SHA256: c4137bd5ece1919ded21a6489dab7beae37f8233f53e85b194d6c27d8bbbfc4e
SHA512: 8398819044cc429b5e06466c03d23b30b1d3bd23827c05b2450ac4f2a7ee30e4c9024348096206d26cb3509ea725666fe4e67ac92f8cddeac12fc9a78ed20959
-
C:\Windows\svchost.com  (recorded twice with identical hashes; the Neshta body)
Filesize: 40KB
MD5: 36fd5e09c417c767a952b4609d73a54b
SHA1: 299399c5a2403080a5bf67fb46faec210025b36d
SHA256: 980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2
SHA512: 1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92
-
C:\odt\OFFICE~1.EXE
Filesize: 5.1MB
MD5: 02c3d242fe142b0eabec69211b34bc55
SHA1: ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e
SHA256: 2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842
SHA512: 0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099
-
memory/904-132-0x00007FF9F2B30000-0x00007FF9F3566000-memory.dmp  Filesize: 10.2MB
-
memory/1420-140-0x0000000000000000-mapping.dmp
-
memory/1800-156-0x0000000074EC0000-0x0000000075471000-memory.dmp  Filesize: 5.7MB
-
memory/1800-150-0x0000000000000000-mapping.dmp
-
memory/1800-153-0x0000000074EC0000-0x0000000075471000-memory.dmp  Filesize: 5.7MB
-
memory/2296-139-0x0000000074EC0000-0x0000000075471000-memory.dmp  Filesize: 5.7MB
-
memory/2296-145-0x0000000074EC0000-0x0000000075471000-memory.dmp  Filesize: 5.7MB
-
memory/2296-135-0x0000000000000000-mapping.dmp
-
memory/2896-154-0x0000000000000000-mapping.dmp
-
memory/3036-133-0x0000000000000000-mapping.dmp
-
memory/4648-146-0x0000000000000000-mapping.dmp
-
memory/5016-152-0x0000000074EC0000-0x0000000075471000-memory.dmp  Filesize: 5.7MB
-
memory/5016-141-0x0000000000000000-mapping.dmp
-
memory/5016-144-0x0000000074EC0000-0x0000000075471000-memory.dmp  Filesize: 5.7MB
The submitted sample (PID 904) is a 64-bit process: its dump sits at a 0x00007FF9... address. The dropped programs 2296, 5016 and 1800 are all 32-bit and every one of them maps the same 5.7MB region at 0x74EC0000-0x75471000, so that region is a shared module loaded by all three rather than unique code from any of them; the per-process dumps that matter for reversing are the ones that differ.