Analysis
- max time kernel: 175s
- max time network: 200s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 02:57

Behavioral task behavioral1
- Sample: 119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe
- Resource: win7-20221111-en

Behavioral task behavioral2
- Sample: 119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe
- Resource: win10v2004-20220812-en
General
- Target: 119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe
- Size: 191KB
- MD5: 47a51f3d6e697dbb17364ba2de7bb710
- SHA1: f730dcc243f31c338fd815e208fd2adbf313e009
- SHA256: 119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a
- SHA512: 8f4b133874499706f8d5e360201a3eae43eafacfea0c9c253fcc8d07d904c47617c07e354db90fcc67ec2c05b80b4f3c51f3eaa121272f70f8e52bfc1fa135b2
- SSDEEP: 1536:JxqjQ+P04wsmJCxgWY54vNd+4tNfuebnwZJ/roM7ZJfUQWd:sr85CSWOrgNfLbwTEM78N
Malware Config
Signatures
Detect Neshta payload (26 IoCs)
Processes (resource / yara rule):
- C:\Windows\svchost.com: family_neshta
- C:\Windows\svchost.com: family_neshta
- C:\Windows\svchost.com: family_neshta
- C:\odt\OFFICE~1.EXE: family_neshta
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe: family_neshta
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe: family_neshta
- C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE: family_neshta
- C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE: family_neshta
- C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE: family_neshta
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE: family_neshta
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE: family_neshta
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE: family_neshta
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE: family_neshta
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE: family_neshta
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~3.EXE: family_neshta
- C:\PROGRA~2\MOZILL~1\UNINST~1.EXE: family_neshta
- C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe: family_neshta
- C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE: family_neshta
- C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILESY~1.EXE: family_neshta
- C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE: family_neshta
- C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE: family_neshta
- C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE: family_neshta
- C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE: family_neshta
- C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE: family_neshta
- C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE: family_neshta
- C:\Users\ALLUSE~1\PACKAG~1\{33D1F~1\VCREDI~1.EXE: family_neshta
Modifies system executable filetype association (2 TTPs, 1 IoC)
Processes (description / ioc / process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" (119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe)
Modifies visibility of file extensions in Explorer (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
- Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" (msng.exe)
Neshta
Malware from the Neshta family is designed to infect other executable files with copies of itself in order to spread and cause damage.
Executes dropped EXE (4 IoCs)
Processes (pid / process):
- 5040 119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe
- 4328 svchost.com
- 3640 svchost.com
- 4416 msng.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes (description / ioc / process):
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes (description / ioc / process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msng = "C:\\Windows\\system32\\msng.exe" (119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (msng.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msng = "C:\\Windows\\system32\\msng.exe" (msng.exe)
Enumerates connected drives (3 TTPs, 3 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description / ioc / process):
- File opened (read-only): \??\a: (msng.exe)
- File opened (read-only): \??\b: (msng.exe)
- File opened (read-only): \??\e: (msng.exe)
Drops file in System32 directory (7 IoCs)
Processes (description / ioc / process):
- File created: C:\Windows\SysWOW64\msng.exe (119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe)
- File opened for modification: C:\Windows\SysWOW64\msng.exe (119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe)
- File created: C:\Windows\SysWOW64\rundII32.exe (119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe)
- File created: C:\Windows\SysWOW64\rundll32.exe (119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe)
- File created: C:\Windows\SysWOW64\rundII32.exe (msng.exe)
- File opened for modification: C:\Windows\SysWOW64\rundII32.exe (msng.exe)
- File created: C:\Windows\SysWOW64\rundll32.exe (msng.exe)
Drops file in Program Files directory (64 IoCs)
Processes (every entry is "File opened for modification"; grouped by the process that opened the file):

Opened by 119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe:
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
- C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
- C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe
- C:\PROGRA~2\INTERN~1\ielowutil.exe
- C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE
- C:\PROGRA~2\WINDOW~4\wmpshare.exe
- C:\PROGRA~2\Google\Update\1336~1.71\GOF5E2~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE
- C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
- C:\PROGRA~2\INTERN~1\ExtExport.exe
- C:\PROGRA~2\WINDOW~2\wab.exe
- C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
- C:\PROGRA~2\WINDOW~4\wmplayer.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE
- C:\PROGRA~2\WINDOW~4\wmprph.exe
- C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe
- C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
- C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
- C:\PROGRA~2\INTERN~1\iexplore.exe

Opened by svchost.com:
- C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
- C:\PROGRA~2\Google\Update\DISABL~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MIA062~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13165~1.21\MICROS~1.EXE
- C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
- C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
- C:\PROGRA~2\INTERN~1\ExtExport.exe
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~2.EXE
- C:\PROGRA~2\WINDOW~4\setup_wm.exe
- C:\PROGRA~2\INTERN~1\ieinstal.exe
- C:\PROGRA~2\MICROS~1\EDGEUP~1\13165~1.21\MICROS~4.EXE
- C:\PROGRA~2\WINDOW~4\wmlaunch.exe
- C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
- C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
- C:\PROGRA~2\WINDOW~4\wmprph.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
- C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE
- C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
- C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
- C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
- C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE
- C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
Drops file in Windows directory (5 IoCs)
Processes (description / ioc / process):
- File opened for modification: C:\Windows\svchost.com (svchost.com)
- File opened for modification: C:\Windows\svchost.com (svchost.com)
- File opened for modification: C:\Windows\svchost.com (119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe)
- File opened for modification: C:\Windows\directx.sys (svchost.com)
- File opened for modification: C:\Windows\directx.sys (svchost.com)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description / ioc / process):
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Modifies registry class (42 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid / process; repeated entries collapsed):
- 4416 msng.exe
- 4324 msedge.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes (pid / process):
- 4416 msng.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
Processes (pid / process; repeated entries collapsed):
- 2208 msedge.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid / process; repeated entries collapsed):
- 2208 msedge.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes (pid / process; repeated entries collapsed):
- 5040 119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe
- 4416 msng.exe
- 3212 explorer.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (pid / process / target pid / target process; repeated entries collapsed):
- PID 4332 (119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe) wrote to memory of PID 5040 (119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe)
- PID 5040 (119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe) wrote to memory of PID 4328 (svchost.com)
- PID 5040 (119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe) wrote to memory of PID 3640 (svchost.com)
- PID 4328 (svchost.com) wrote to memory of PID 4284 (explorer.exe)
- PID 3640 (svchost.com) wrote to memory of PID 4416 (msng.exe)
- PID 4416 (msng.exe) wrote to memory of PID 3472 (explorer.exe)
- PID 5084 (explorer.exe) wrote to memory of PID 2208 (msedge.exe)
- PID 2208 (msedge.exe) wrote to memory of PID 4752 (msedge.exe)
- PID 2208 (msedge.exe) wrote to memory of PID 1032 (msedge.exe)
- PID 2208 (msedge.exe) wrote to memory of PID 4324 (msedge.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe
"C:\Users\Admin\AppData\Local\Temp\119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe"
- Modifies system executable filetype association
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\3582-490\119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a.exe"
    - Modifies visibility of file extensions in Explorer
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\explorer.exe
            C:\Windows\System32\explorer.exe C:\Users\Admin\AppData\Local\Temp\3582-490\119f899278718d0948263d049a12f65a607ddb3f128535e42584e3a024d72f6a

        C:\Windows\svchost.com
        "C:\Windows\svchost.com" "C:\Windows\system32\msng.exe" fuckystart
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\msng.exe
            C:\Windows\system32\msng.exe fuckystart
            - Modifies visibility of file extensions in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - Enumerates connected drives
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\explorer.exe
                explorer.exe http://www.OpenClose.ir

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
- Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.openclose.ir/
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8342446f8,0x7ff834244708,0x7ff834244718

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,12571060935115180721,13997246822608992463,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,12571060935115180721,13997246822608992463,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,12571060935115180721,13997246822608992463,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12571060935115180721,13997246822608992463,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12571060935115180721,13997246822608992463,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12571060935115180721,13997246822608992463,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12571060935115180721,13997246822608992463,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2084,12571060935115180721,13997246822608992463,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3956 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12571060935115180721,13997246822608992463,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
Downloads