Analysis
- max time kernel: 145s
- max time network: 140s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-03-2024 15:16
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
- Sample: https://qptr.ru/Vmkj
- Resource: win10v2004-20240226-en
General
- Target: https://qptr.ru/Vmkj
Malware Config
Signatures
-
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  description       | ioc                                                                   | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  | msedge.exe
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
  pid  | process
  2364 | msedge.exe (2 entries)
  2116 | msedge.exe (2 entries)
  2700 | msedge.exe (4 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  Processes:
  pid  | process
  2116 | msedge.exe (7 entries)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes:
  pid  | process
  2116 | msedge.exe (25 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes:
  pid  | process
  2116 | msedge.exe (24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (64 entries in total; identical rows are repeated many times in the report and are shown once here, in order of first appearance):
  description                     | pid  | process    | target pid | target process
  PID 2116 wrote to memory of 3748 | 2116 | msedge.exe | 3748       | msedge.exe
  PID 2116 wrote to memory of 3472 | 2116 | msedge.exe | 3472       | msedge.exe
  PID 2116 wrote to memory of 2364 | 2116 | msedge.exe | 2364       | msedge.exe
  PID 2116 wrote to memory of 3940 | 2116 | msedge.exe | 3940       | msedge.exe
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://qptr.ru/Vmkj
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb0c946f8,0x7fffb0c94708,0x7fffb0c94718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,11568425723258244007,2098393379727463089,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,11568425723258244007,2098393379727463089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,11568425723258244007,2098393379727463089,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11568425723258244007,2098393379727463089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11568425723258244007,2098393379727463089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11568425723258244007,2098393379727463089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,11568425723258244007,2098393379727463089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,11568425723258244007,2098393379727463089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11568425723258244007,2098393379727463089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11568425723258244007,2098393379727463089,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11568425723258244007,2098393379727463089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,11568425723258244007,2098393379727463089,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,11568425723258244007,2098393379727463089,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3108 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: cbec32729772aa6c576e97df4fef48f5
  SHA1: 6ec173d5313f27ba1e46ad66c7bbe7c0a9767dba
  SHA256: d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e
  SHA512: 425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 279e783b0129b64a8529800a88fbf1ee
  SHA1: 204c62ec8cef8467e5729cad52adae293178744f
  SHA256: 3619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932
  SHA512: 32730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 384B
  MD5: 968f564da2a80577f6815d975e10e7b5
  SHA1: 7f965f916ac65a5e94c94e248fa3883e77542a5b
  SHA256: 7d28203d542a124cc3cf68024dc2d7e7fc5b1b511dbbfb709d366019f162ce95
  SHA512: 6b637f0f33fc8dceed1d2c8640a7c6f3c99169559b300f5f834880fab93c226245a8be57aca9deaa2ec1d7b309f97cab29d332b15c418248b8348b98037c2aa2
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 910B
  MD5: d497acb6320f03ed0f57c696aef0978c
  SHA1: a69461bddf42c8b98ec6d83dba4f99a2750d2fef
  SHA256: 77275c59311101295719d62967188036127ecb1b34b85b9ca69fe38c26962b68
  SHA512: 2f69aefa906815892f1d0fe22fc4cf3f9ce6b5c227604cf60abc9bf4ec8feb16d6f3a02ca7aee07c4100dc536097b54586545ae163533e594204b86801681b38
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 795f879266ac51d289f7920bef34f950
  SHA1: 15b41c03ac703c2d4770ed9a594481e2fae3765d
  SHA256: 29f62ab50b61ea4e0341213747f76971ffbcce299e4a50122a945000bacd2dc5
  SHA512: 961e15d21b5363e313192469134c2138f3221f60421485bedeb891d2d11c4ecefd38857f1ea207bd68a61d42bcdd86185cabae3d5760d3db8175e31c1e8ffbce
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 82f244cf913681a09fb7f854ef8568a6
  SHA1: cc6e53bf2f6b84d3f763680153d4ded598853f2e
  SHA256: f9294add60a4047e1b8bebe1fd53d180a3327d9a24711c1507af5a8faea1108c
  SHA512: 13494fac2be45b6bd0cc3adecb0527c2c20743c0cfc7187072c0e6b781ab5ba07b573dd4b1a828b2343c879f862ee2e315ccd518292a34e44e48414d95172886
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 8bb62e0336a76f654482d1f225bed7bf
  SHA1: 4550f177101aa2b04908f621300f744873437deb
  SHA256: 9238543aa4757d68ff8cf64405f0fdf59a730905afdc38a0f028f6b287f420c6
  SHA512: 2371680a7e8af4d8f4e0ae729ecbe41fbf12c2ef325132024231d69b39d1ba967f2682619a11c54bae48105a87e4c81077046917f02bb2bb08a2c0d68ba82bf7
- \??\pipe\LOCAL\crashpad_2116_ZEJVPGPMKTLKJYOH
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e