cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
Size

196KB
MD5

9779201319cb781619e34fb60e456d46
SHA1

15e643a3d23a62cac36ec4f1e02f1bee573847a1
SHA256

cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27
SHA512

44e6dd958118e3634b97ceba75d01cd1db3098a686e04e58223b619a90a5fe3b2bbd365a190e5a3c18cfb4254e37917c1f8a20ef0c0e9a5aef73c8339bf22e74
SSDEEP

3072:JxrJOfxfkksCmh/yG+1vIebEBCiy+7aLyIVJochcCTpiwe9El8906uqMkeheqX8:JDOfxMBQ1EBCC+LroHCTcT906pehz8

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
File created	C:\Windows\System32\drivers\etc\hosts.ics	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe

Executes dropped EXE 3 IoCs

Processes:

a.exeminiads.exeminiads2.exe

pid process

3844 a.exe
3684 miniads.exe
2524 miniads2.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe

pid	process
3844	a.exe
3684	miniads.exe
2524	miniads2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in System32 directory 3 IoCs

Processes:

a.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\miniads.exe	a.exe
File opened for modification	C:\Windows\SysWOW64\dllshell.dll	a.exe
File opened for modification	C:\Windows\SysWOW64\miniads2.exe	a.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\f69928e7-06a1-4d46-a74c-0f94aac1f5e9.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221129224009.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.vinacf.cf"	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exea.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
3844	a.exe
3844	a.exe
3844	a.exe
3844	a.exe
2712	msedge.exe
2712	msedge.exe
908	msedge.exe
908	msedge.exe
3844	a.exe
3844	a.exe
1592	identity_helper.exe
1592	identity_helper.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

908 msedge.exe
908 msedge.exe
908 msedge.exe
908 msedge.exe
908 msedge.exe
908 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exea.exe

description pid process

Token: 0 880 cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
Token: 0 3844 a.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exemsedge.exe

pid process

880 cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
908 msedge.exe
908 msedge.exe
908 msedge.exe

pid	process
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe

description	pid	process
Token: 0	880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
Token: 0	3844	a.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exea.exeminiads.exeminiads2.exe

pid	process
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
3844	a.exe
3684	miniads.exe
3684	miniads.exe
3684	miniads.exe
2524	miniads2.exe
2524	miniads2.exe
2524	miniads2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exemsedge.exea.exe

description	pid	process	target process
PID 880 wrote to memory of 908	880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe	msedge.exe
PID 880 wrote to memory of 908	880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe	msedge.exe
PID 908 wrote to memory of 4208	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4208	908	msedge.exe	msedge.exe
PID 880 wrote to memory of 3844	880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe	a.exe
PID 880 wrote to memory of 3844	880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe	a.exe
PID 880 wrote to memory of 3844	880	cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe	a.exe
PID 3844 wrote to memory of 3684	3844	a.exe	miniads.exe
PID 3844 wrote to memory of 3684	3844	a.exe	miniads.exe
PID 3844 wrote to memory of 3684	3844	a.exe	miniads.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 4420	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 2712	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 2712	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 2260	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 2260	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 2260	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 2260	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 2260	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 2260	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 2260	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 2260	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 2260	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 2260	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 2260	908	msedge.exe	msedge.exe
PID 908 wrote to memory of 2260	908	msedge.exe	msedge.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe
"C:\Users\Admin\AppData\Local\Temp\cbd1d3a426e0f70bf087ef33ce3ce3a54c47f79b11c8a045c742d64fae53da27.exe"
2⤵
- Drops file in Drivers directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.vinacf.cf/
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffb3e7b46f8,0x7ffb3e7b4708,0x7ffb3e7b4718
4⤵
PID:4208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
4⤵
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
4⤵
PID:2260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
4⤵
PID:1864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
4⤵
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4896 /prefetch:8
4⤵
PID:1120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
4⤵
PID:4216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5160 /prefetch:8
4⤵
PID:624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
4⤵
PID:2108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
4⤵
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:8
4⤵
PID:2372

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6983a5460,0x7ff6983a5470,0x7ff6983a5480
5⤵
PID:1160

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
4⤵
PID:3348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4016 /prefetch:8
4⤵
PID:2668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4140 /prefetch:8
4⤵
PID:1404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1440 /prefetch:2
4⤵
PID:2116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,11238614130441827143,14900764797686607207,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6732 /prefetch:8
4⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\a.exe
a.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\SysWOW64\miniads.exe
C:\Windows\System32\miniads.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3684

C:\Windows\SysWOW64\miniads2.exe
C:\Windows\System32\miniads2.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
ab741d0006b4fc69cfcb4582f410127b

SHA1
3fd1977c9ec9204755ecd09d5c38bfdee082ae5e

SHA256
f03491cd406de9f0962812056d900ad73e123ada305d151edeb8aa680d9def11

SHA512
0c9f550d698f34021994928c55d7dbe9e2b266506f8f761d6b79d9bfbc65757733e9056570f5174579aaac29a50fb7ecfd72f5e6089eb4fbd532e82b50a2142d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
305897e084ce33aa16f777e762da52d9

SHA1
baf3eba0d9dafc390bfc49daa0986d2e870e8d8e

SHA256
ae86621d24f18319420872a3ebae1c691deb32a0189df2e2164b764f5b28b7c9

SHA512
2943552836b3e6b32a705e3489be954f00e380a3409a56236fc4a79a0d546cd6b54429e33c7d56042c7455f77c3a6c4bb8ba8fb2fa67ddf41ac8af1b412ecf26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
95008604b82a384c7c8123cec0361d17

SHA1
7396683a5e0315720efa84ccf5289a84d3c68031

SHA256
bd8c8c1646d7f1ee0e8268a9aa9a0cff8ee523e712cd5887bdfb67ea33a42f69

SHA512
78ab8120b87d6d720e74d42b837a56350d33dccf3415f9238c61d6312f79a6af017a44b76382a852351bd249c451b470196c860bce7d0f281f7ee1fb45c56eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.exe
Filesize
260KB

MD5
2fc97a6fa91f7cddb0bf570299c8c6ae

SHA1
fa98710ae3811458ff60300ecdffac5b4b6e456e

SHA256
96398ae98f590b525a606af9073bf2f695326603f6d4de6ccfe38225a14a5feb

SHA512
aa7369ed7010d4b3ea5fe8502fee74037135899260982bc91892fcba655ebb46f93ba09377ea25cb4da776b0b86803c280e7d7712600fd8a4fe215482118dbba

Download Submit
C:\Users\Admin\AppData\Local\Temp\a.exe
Filesize
260KB

MD5
2fc97a6fa91f7cddb0bf570299c8c6ae

SHA1
fa98710ae3811458ff60300ecdffac5b4b6e456e

SHA256
96398ae98f590b525a606af9073bf2f695326603f6d4de6ccfe38225a14a5feb

SHA512
aa7369ed7010d4b3ea5fe8502fee74037135899260982bc91892fcba655ebb46f93ba09377ea25cb4da776b0b86803c280e7d7712600fd8a4fe215482118dbba

Download Submit
C:\Windows\SysWOW64\miniads.exe
Filesize
44KB

MD5
72fc04bde392e2df729201877f800975

SHA1
5253615fa06bbd3d6aed6cffbc0905d5bf2dc33a

SHA256
6d54c2bf617968210f84d1260300fe83e429fe614610cb5a20fdab3c2098af8b

SHA512
76a00667da450c3613003ca3f8a6ff315bbdbcbe6b5c1d5535b951b3a514f0c6753a7d9b5ea7f7f80506190c9c620a1a665d6b6347a7ea07314aba0136749db2

Download Submit
C:\Windows\SysWOW64\miniads.exe
Filesize
44KB

MD5
72fc04bde392e2df729201877f800975

SHA1
5253615fa06bbd3d6aed6cffbc0905d5bf2dc33a

SHA256
6d54c2bf617968210f84d1260300fe83e429fe614610cb5a20fdab3c2098af8b

SHA512
76a00667da450c3613003ca3f8a6ff315bbdbcbe6b5c1d5535b951b3a514f0c6753a7d9b5ea7f7f80506190c9c620a1a665d6b6347a7ea07314aba0136749db2

Download Submit
C:\Windows\SysWOW64\miniads2.exe
Filesize
32KB

MD5
16f5e2ba059a6ed2f5c2237e2a96981f

SHA1
e7e0305cacb7ea207b0776ffdb884b7bf5e33b45

SHA256
ea89a0f7a4755c9ee328b02ffad08e6c409183b6db698c7381a24ac86b27ee0d

SHA512
9932df4bb46e48ba0f12da34b3ec363d30822d0f4d6ef3200feedf0870706b1c5879bafe5a8dd45732f42de637298c4f172701ffc474f2a2bfa5cd411ed027a7

Download Submit
C:\Windows\SysWOW64\miniads2.exe
Filesize
32KB

MD5
16f5e2ba059a6ed2f5c2237e2a96981f

SHA1
e7e0305cacb7ea207b0776ffdb884b7bf5e33b45

SHA256
ea89a0f7a4755c9ee328b02ffad08e6c409183b6db698c7381a24ac86b27ee0d

SHA512
9932df4bb46e48ba0f12da34b3ec363d30822d0f4d6ef3200feedf0870706b1c5879bafe5a8dd45732f42de637298c4f172701ffc474f2a2bfa5cd411ed027a7

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
\??\pipe\LOCAL\crashpad_908_PCSPHYWAEVIUZQGS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/624-167-0x0000000000000000-mapping.dmp

Download
memory/880-186-0x0000000000400000-0x00000000005D0000-memory.dmp

Filesize
1.8MB

Download
memory/880-137-0x0000000000400000-0x00000000005D0000-memory.dmp

Filesize
1.8MB

Download
memory/880-138-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/908-139-0x0000000000000000-mapping.dmp

Download
memory/1120-163-0x0000000000000000-mapping.dmp

Download
memory/1160-178-0x0000000000000000-mapping.dmp

Download
memory/1404-190-0x0000000000000000-mapping.dmp

Download
memory/1592-179-0x0000000000000000-mapping.dmp

Download
memory/1864-159-0x0000000000000000-mapping.dmp

Download
memory/2108-169-0x0000000000000000-mapping.dmp

Download
memory/2116-191-0x0000000000000000-mapping.dmp

Download
memory/2260-157-0x0000000000000000-mapping.dmp

Download
memory/2524-172-0x0000000000000000-mapping.dmp

Download
memory/2668-188-0x0000000000000000-mapping.dmp

Download
memory/2712-154-0x0000000000000000-mapping.dmp

Download
memory/3120-193-0x0000000000000000-mapping.dmp

Download
memory/3184-177-0x0000000000000000-mapping.dmp

Download
memory/3348-181-0x0000000000000000-mapping.dmp

Download
memory/3684-146-0x0000000000000000-mapping.dmp

Download
memory/3844-141-0x0000000000000000-mapping.dmp

Download
memory/4208-140-0x0000000000000000-mapping.dmp

Download
memory/4216-165-0x0000000000000000-mapping.dmp

Download
memory/4420-153-0x0000000000000000-mapping.dmp

Download
memory/4548-161-0x0000000000000000-mapping.dmp

Download
memory/4836-171-0x0000000000000000-mapping.dmp

Download