bea34078c360c71fcadc1a86ebd397d081f0d589913ad43970c1a3983231f522

Resubmissions

17-12-2023 18:27

231217-w38jfaggb2 7

17-12-2023 18:09

231217-wrpl7afbhk 7

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2023 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NordVPNSetup.exe
Size

1.7MB
MD5

59cb69a08fdd9cb4b0539e3356df1d4d
SHA1

0c773a0a76f821780c002d527bee387b98904569
SHA256

bea34078c360c71fcadc1a86ebd397d081f0d589913ad43970c1a3983231f522
SHA512

51d4f3d396d183bc5dcaaa0a26cf024fade9b5e5c0e73e1d2ee7663ba26bc55e799beb488d5bab8d8252147b33df6ea1209ebd730124a919940e899758842ec2
SSDEEP

24576:u7FUDowAyrTVE3U5Fg23TD2D+Fz3ifFUwo433RfFcdnOtksSm:uBuZrEUWq0t9D7l

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

NordVPNSetup.tmp

pid process

3348 NordVPNSetup.tmp
Loads dropped DLL 3 IoCs

Processes:

NordVPNSetup.tmp

pid process

3348 NordVPNSetup.tmp
3348 NordVPNSetup.tmp
3348 NordVPNSetup.tmp

pid	process
3348	NordVPNSetup.tmp

pid	process
3348	NordVPNSetup.tmp
3348	NordVPNSetup.tmp
3348	NordVPNSetup.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-635608581-3370340891-292606865-1000\{923FFA36-49DF-4D61-B697-41E0F3937F12}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
4448	msedge.exe
4448	msedge.exe
2816	msedge.exe
2816	msedge.exe
2744	identity_helper.exe
2744	identity_helper.exe
2632	msedge.exe
2632	msedge.exe
2856	msedge.exe
2856	msedge.exe
4676	msedge.exe
4676	msedge.exe
4676	msedge.exe
4676	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exe

pid	process
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NordVPNSetup.tmp

description pid process

Token: SeDebugPrivilege 3348 NordVPNSetup.tmp

description	pid	process
Token: SeDebugPrivilege	3348	NordVPNSetup.tmp

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NordVPNSetup.exemsedge.exe

description	pid	process	target process
PID 4756 wrote to memory of 3348	4756	NordVPNSetup.exe	NordVPNSetup.tmp
PID 4756 wrote to memory of 3348	4756	NordVPNSetup.exe	NordVPNSetup.tmp
PID 4756 wrote to memory of 3348	4756	NordVPNSetup.exe	NordVPNSetup.tmp
PID 2816 wrote to memory of 3288	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 3288	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4076	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4448	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4448	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4784	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4784	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4784	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4784	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4784	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4784	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4784	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4784	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4784	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4784	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4784	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4784	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4784	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4784	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4784	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4784	2816	msedge.exe	msedge.exe
PID 2816 wrote to memory of 4784	2816	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
"C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4756

C:\Users\Admin\AppData\Local\Temp\is-JTO6H.tmp\NordVPNSetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JTO6H.tmp\NordVPNSetup.tmp" /SL5="$6011A,890440,866304,C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffccbbf46f8,0x7ffccbbf4708,0x7ffccbbf4718
2⤵
PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
2⤵
PID:4076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
2⤵
PID:4784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
2⤵
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
2⤵
PID:3888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
2⤵
PID:448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
2⤵
PID:1760

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 /prefetch:8
2⤵
PID:4020

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
2⤵
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
2⤵
PID:2220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
2⤵
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
2⤵
PID:868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1648 /prefetch:1
2⤵
PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4548 /prefetch:8
2⤵
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5316 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
2⤵
PID:3032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
2⤵
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
2⤵
PID:2000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
2⤵
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
2⤵
PID:3216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6040 /prefetch:8
2⤵
PID:2488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
2⤵
PID:4196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
2⤵
PID:2824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6452 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,1489100028072766319,9959494930947361115,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4972 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1544

C:\Users\Admin\Downloads\Bonzi\BonziBuddy432.exe
"C:\Users\Admin\Downloads\Bonzi\BonziBuddy432.exe"
1⤵
PID:3268

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
fa070c9c9ab8d902ee4f3342d217275f

SHA1
ac69818312a7eba53586295c5b04eefeb5c73903

SHA256
245b396ed1accfae337f770d3757c932bc30a8fc8dd133b5cefe82242760c2c7

SHA512
df92ca6d405d603ef5f07dbf9516d9e11e1fdc13610bb59e6d4712e55dd661f756c8515fc2c359c1db6b8b126e7f5a15886e643d93c012ef34a11041e02cc0dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\80187f00-a3a4-4d4d-83c0-e08954b29bed.tmp
Filesize
6KB

MD5
4cc43098bc9ab3cfe403872825e935e9

SHA1
37799879f733e1cdc37163a5ff03e61eb71b91e2

SHA256
6fade1411449d3ee7d87016c0adce82ed7c750623baf82c80c29f4c3f2712f17

SHA512
f8851a43062d70fe1f3d3202239715847fdddf1da93ef48d74c9832f7a44d9a709ee21cd203c02d867296152fadef85218fd313a6eec1edd615ba43168948cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
23KB

MD5
de49e39687e06cc5533b84d3a37b861f

SHA1
8c2c09b8f17e5c6bc20dd050ee7a88ab23f93e55

SHA256
73c2a51f287192796dc8e6e33ed40cb8427bd6d9d4088ced267052c6be90f416

SHA512
446f81670ba584787ec54a183df4c419ccc0f48ea6a25b35b2bab0a07e29c85a66d3a41d1016fdaf00cbafed6e4b932c8747400896f99f7d7a23c6d526a93664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
Filesize
67KB

MD5
bea64c447b0f2a1012d0ede8e09e700d

SHA1
03c4e014a1ed074ed2611b5889ed79b6f1ed8aa6

SHA256
34dcdd7a5b57897d1eb1a2620ae5bc31d4b5d80e761e62fb8cd3c2a3b907241f

SHA512
ac1c4b495b990d8fad333f54d3e61d5573efb7a0c7c584659cea48be8d4857461bb011b1f2a4966cd714bb9252cc1750e8e53f2203418ca19fcc8143fdea6b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
Filesize
89KB

MD5
20b4214373f69aa87de9275e453f6b2d

SHA1
05d5a9980b96319015843eee1bd58c5e6673e0c2

SHA256
aa3989bee002801f726b171dcc39c806371112d0cfd4b4d1d4ae91495a419820

SHA512
c1e86e909473386b890d25d934de803f313a8d8572eb54984b97f3f9b2b88cbe2fb43a20f9c3361b53b040b3b61afb154b3ec99a60e35df8cf3563dabf335f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
Filesize
1015KB

MD5
e1cee112c820ba2233c461cf1b40169d

SHA1
692d1389a54792f05d621e743991a92bdedfa378

SHA256
370aaff5529abbf49c2c84f04dcad310d2f0d11dbde782a726edb9c461178a92

SHA512
ead2f0ebc63ddff08ffd3623074e579dee3043babaf7bf344896c55f7453153759e1c1eff030e23b17f26602502936745f0b7214a8e2b786984abb54533af592

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
ed0de48150d5457561038a187dc5b85c

SHA1
495497d97e50306557934e88f93b9fa2b422b5f3

SHA256
eb8d052c43b4868e23a2c4de2f7af3ffd5f00a2fee5fbb96fef880698085353c

SHA512
e5477064d9ebd01e1e8bddd71cfa1435a5d23bcd7b3669066ce941b5e9d65b33e978f9e3ea0b907a3f3ea17df6d930ff975aea2e823c25604a730739891b3aa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
539B

MD5
3cb47f6b5998408f5f0939a5554e0a2d

SHA1
870ead2752630f5e2d55856adea54e22708407c4

SHA256
2ed79dcbe661bfcf2d31a290209a399e45e294f3698d27439bd953eef60869cb

SHA512
6ee41d5bbb261cffeb2a07bc16d0a102c0d13ee9ab219320327cd5e95fd7aac1a3c4dd680dfe9975116031702cc98a9229cf9ceb9b78b8a6982640056c1c071e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
539B

MD5
38a80ad0ce09c7c1f43d73153d627968

SHA1
1804a279dbc198326b641c95342c4f7dd998fe66

SHA256
f9fc3d601f2d9d18f03ee173dcbb23081ddc0c8a2258f87998d3426da261bb0e

SHA512
666dbf04cb41708d84d4116187b00e67b75a8522cd15cc9de54698789d2bdbe4d98e2f9937aec4cb3ceefd93a3371294beda6ba5380baeae98c55cd9d0cfcfc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
ba4e905aa7898536a4e4f84deb759df2

SHA1
ab6d936d952d1643329f8aaaefea466813c8d172

SHA256
eba49ccd17a4f206377b0a06d5f5cdd02825e62c73fd2873785fca61589c6708

SHA512
9e5945826e36e24af46a1e808bcdb2602b21096f11b4a913427761b9c7cdfd64d0538bd3c15af035f0e360e4c1be183799d572db14761c4a34d43f8f951f2404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
2a7330dafd47213072c070c19616632c

SHA1
4d7e0dd6d2cd22e4c9f07e32755b0653f00c25d5

SHA256
2e793e786b15aaf567a016f2cbf5f56e246027504ccfa027c21d949b4231f84b

SHA512
57ba96d399f9d254a8a31d095383d8db3638ca2c92cab5657989adc0b10aa1ee4c77c83ea315a04c9bf410d26106fa67b36f654cd8679be2e46ae908e47b0edc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
9d34fee9cca874e32ed38b3ca89533a8

SHA1
56f36e5d21e65f170be56f26969d6ae38598c4df

SHA256
61a9969c6c6ff6471f768a5a5ffde6fe8a0016950186ac5e2832cf0b4a00d729

SHA512
3c12eed7624aa9a4e790359e0456a0edda334d7c5f1fe4c6ffd6b9a1bcc682c0c7ade3f2b5ed4a2da709f8a1c6093f80168419fa6f85e101ee56b1fa1601f6cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
e5fe32f3870e7b9b469b9e702649734c

SHA1
cb3d516ba60f70e4d322516be8e9e1e9cd3f6c75

SHA256
7afed098d4bb0abc0470ed7ce938111dae69f9756bef20762c0e9958d7233e5e

SHA512
13c0984a3301275b7245bdbe4e09e7cbe92953e474f203769c506378f43fd23a9a41dcc18570e21a39e5149bc89764e4c7eab4bdfc4dd6a770cddf3c28a6ffa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
917dedf44ae3675e549e7b7ffc2c8ccd

SHA1
b7604eb16f0366e698943afbcf0c070d197271c0

SHA256
9692162e8a88be0977395cc0704fe882b9a39b78bdfc9d579a8c961e15347a37

SHA512
9628f7857eb88f8dceac00ffdcba2ed822fb9ebdada95e54224a0afc50bccd3e3d20c5abadbd20f61eba51dbf71c5c745b29309122d88b5cc6752a1dfc3be053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
538B

MD5
5f9596817d08ddec0fbfb6b1debde4e4

SHA1
0ebc69b3c9b0dc9cff08f8653cee668a171fefda

SHA256
a5b43621b91d274360def0fe6d9aaabb3c4e793201ab9fb3af68f0287f6dbb3c

SHA512
ce8080d124bf5ff66dbed1c64f22e50d9f264b7c170c7421a6a6eb89e83e8515a8766be40ab8a023a74c4daf4600447113e88b0a0759522a5b0d7254f4bfb62d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe587a0d.TMP
Filesize
370B

MD5
2dd81ed22aac78dc6e5d268087609609

SHA1
669dd14cfd80605ce6e2bb45adbcc2d4bf7cd0e1

SHA256
be1b685cea5d4778be899b505ede491ef65c5966db83da9c073f7725e8dee875

SHA512
b325804acc8608e06f08e109bb478802a40b06759418467cfc54509be1b558ac1a5006a68071d81a644ea191ba9171266e6f1f53c9ff99b415663da9e9f9d6b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
d3e8dac5c9299a1ea2ecee0be3eca6f6

SHA1
9a9cda7c0468134a036b81a6ffd4043f357501ac

SHA256
1b5dcae7f9ce20acb5fd88663c4b7b77b0c0f31813c1960152137e8dcd571410

SHA512
0fa9cc10692a00bee643d1e3f2a00433da73e8fa0c9945836864ee605ac9ccd47908b6058220ea9f0ef6ea8d5245c6d146f83e0bbb91b87e487c7648f45c000e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
b638533611467dc3c7b7b043c8023579

SHA1
b18156f493581b601cbe631e817c688643606cad

SHA256
6a215321125ae4af120a28f5f5b9d5694f4c31f9dbc843af6b312c3ad913abd1

SHA512
d9ea1a43bc6f3c0c2c2fa19d3ed35fdaf9dbf0bda819b453b4a56124e68b85ca0418b2cb9085f1c6a3a7f8ae987892c2e753900ad5ceec766b4d09bd370c9584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
e5f0b90408c21f8b614599814a4520c0

SHA1
163ff0fde4cf74373c7112610fa72f6b6e3f605f

SHA256
5904d313971030eef90398d3dbcd7222015954739ccffbb51dd4e416865d04e9

SHA512
1d30e25c54a0b8e722a88af19b8d2f889a0f2a14ed78c711e5fa2309b47e952c47311a6a452fccb057704881613e26b9ea259443941d54160b5f5d38c0afca8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5MQ0H.tmp\Nord.Setup.dll
Filesize
40KB

MD5
b18bd486c5718397bc65d77a16ce2593

SHA1
58fe73e27c5c04e6915c5358f698f7fe8c2b5af8

SHA256
0bbf32b0553ca1292602e8c2c0458e075fdee2c8b6ef8ea81e924a86bc065f3c

SHA512
f4ffa1c8983914c41657fecc11c9324caa5899ad875b9687da8ffcf79ab189f19d6f926e16f09f240de9e6b22e26691fae785ed95657af310de5bf6c58ce8e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JTO6H.tmp\NordVPNSetup.tmp
Filesize
3.1MB

MD5
29ca787f3a0d83846b7318d02fccb583

SHA1
b3688c01bef0e9f1fe62dc831926df3ca92b3778

SHA256
746b972e21acb59e4086b5b25fe53ef2cddcecfa94dd56ad68c8e5bab9960c3c

SHA512
a6c21bf5590dc91a5d9bc729d9c04c20b54341d3270efd2fb7d2b548d7dc7b23a1a351147a07dfd569e901a608cb44533304de10725cb02fec781cada80b8e3b

Download Submit
\??\pipe\LOCAL\crashpad_2816_UOBQNOEPWJOHLNYI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3348-22-0x0000000003720000-0x0000000003730000-memory.dmp

Filesize
64KB

Download
memory/3348-23-0x0000000074510000-0x0000000074520000-memory.dmp

Filesize
64KB

Download
memory/3348-24-0x0000000073C70000-0x0000000074420000-memory.dmp

Filesize
7.7MB

Download
memory/3348-18-0x0000000004340000-0x0000000004350000-memory.dmp

Filesize
64KB

Download
memory/3348-25-0x00000000069E0000-0x0000000006F0C000-memory.dmp

Filesize
5.2MB

Download
memory/3348-61-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/3348-62-0x0000000073C70000-0x0000000074420000-memory.dmp

Filesize
7.7MB

Download
memory/3348-5-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/4756-0-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download
memory/4756-64-0x0000000000400000-0x00000000004E1000-memory.dmp

Filesize
900KB

Download