Analysis

max time kernel:  150s
max time network: 150s
platform:         windows10-2004_x64
resource:         win10v2004-20240412-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted:        22-04-2024 23:48

Tasks
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  Sample:   https://qptr.ru/hVVV
  Resource: win10v2004-20240412-en

General

Target: https://qptr.ru/hVVV
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   process
  3180  msedge.exe           (2 events)
  4984  msedge.exe           (2 events)
  4864  identity_helper.exe  (2 events)
  3924  msedge.exe           (4 events)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid   process
  4984  msedge.exe  (7 events)

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   process
  4984  msedge.exe  (25 events)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid   process
  4984  msedge.exe  (24 events)

Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   process     target process
  PID 4984 wrote to memory of 3000  4984  msedge.exe  msedge.exe  (2 events)
  PID 4984 wrote to memory of 4312  4984  msedge.exe  msedge.exe
  PID 4984 wrote to memory of 3180  4984  msedge.exe  msedge.exe  (2 events)
  PID 4984 wrote to memory of 1824  4984  msedge.exe  msedge.exe
  The remaining 60 events are split between targets 4312 and 1824. Every event has the Edge browser process (4984) as source and another msedge.exe process from the same tree as target.
Processes

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://qptr.ru/hVVV
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff82d4546f8,0x7ff82d454708,0x7ff82d454718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,17290675265560148646,8976581840722698210,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,17290675265560148646,8976581840722698210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1848 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,17290675265560148646,8976581840722698210,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17290675265560148646,8976581840722698210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17290675265560148646,8976581840722698210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17290675265560148646,8976581840722698210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,17290675265560148646,8976581840722698210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,17290675265560148646,8976581840722698210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17290675265560148646,8976581840722698210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17290675265560148646,8976581840722698210,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17290675265560148646,8976581840722698210,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,17290675265560148646,8976581840722698210,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,17290675265560148646,8976581840722698210,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
  Filesize: 330B
  MD5:    adfb24682be15905dfa0b14e26fc2c50
  SHA1:   9ca71ede0a7d81c7761bf8ea6e1bc85466d3189f
  SHA256: 9e1b8a2c3c5ae00b1eb12d325d4924b9569f99de7e165967c7a573972667ccf0
  SHA512: b004ed70013bd9a0cbb36d6d9897cad96f91a8ae38123ea65f422b2fcf9295ece696b4d3ee22b651faf149e3ec61e7d418f374a140b2337c373af4aeeed1db98

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5:    e36b219dcae7d32ec82cec3245512f80
  SHA1:   6b2bd46e4f6628d66f7ec4b5c399b8c9115a9466
  SHA256: 16bc6f47bbfbd4e54c3163dafe784486b72d0b78e6ea3593122edb338448a27b
  SHA512: fc539c461d87141a180cf71bb6a636c75517e5e7226e76b71fd64e834dcacc88fcaaa92a9a00999bc0afc4fb93b7304b068000f14653c05ff03dd7baef3f225c

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5:    559ff144c30d6a7102ec298fb7c261c4
  SHA1:   badecb08f9a6c849ce5b30c348156b45ac9120b9
  SHA256: 5444032cb994b90287c0262f2fba16f38e339073fd89aa3ab2592dfebc3e6f10
  SHA512: 3a45661fc29e312aa643a12447bffdab83128fe5124077a870090081af6aaa4cf0bd021889ab1df5cd40f44adb055b1394b31313515c2929f714824c89fd0f04

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\32706f8c-e61a-4761-961a-714483b4838b.tmp
  Filesize: 6KB
  MD5:    149bcebe35d81ddd53cbd8006a6ec9de
  SHA1:   325bcb767c1e581a1c6f722bfd6f77676a7ad624
  SHA256: d5d51d5fd9e043dbb7249e3e0ea7c14a1c80b96d0d4c49ad9c5678e4299d0c7a
  SHA512: e7db33dec65ac023df7c218c745f2032fd6cfa97087b198515ab0a29254c3091f96430cb05c6535abfbbb50d3b7ca51c20428eec5bec0a02e0efba7b04831ac7

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 408B
  MD5:    2b629ae44b7d9df6d83b0690e8b04003
  SHA1:   f0c7f238be3e6f38842f1e8c09488fae37ace90b
  SHA256: 37515cbd2e4c255ff0f4f43d4b31a13c4df6d57b11cb0ab6e5e470596b5d50c0
  SHA512: cd4c5eae9b825f26514abafba9b01f3fc08f6904c27c79fe6f99529a445df6f1543a3a9dcfce7c913b35b75abee43a6ab27566975332e049822f742db7ee5ace

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 1KB
  MD5:    41607c2fb445f8f1a93d0a8e098b2f41
  SHA1:   27eec6a7662af4e5f8ca1164376ec05e241612a8
  SHA256: 91a9b129684fae1f783d50224faaf5318112e384880926708d4f14bffdb18139
  SHA512: 1d91377bf189fd2ef7db8165ff9353c82c0446533c725abda4a5fadefe38f49235e5a0e38546dfe6f02e7e9a99cf954310e88d6d2dd8e2903ab1894e7a0043d5

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5:    9467fe1a3c05da0ba8198b72890cb97d
  SHA1:   ee60318eb855ce75a32514d964e95b19aad3d819
  SHA256: f3a05406e2aeaf79d4b0e92baabb63fea1e4d3aeee4759f388b781872bc5f639
  SHA512: e9851d6a29c7428842266ed0c7d1baf77ec689dc0cbf84a8808fb9bbcd6ac070964c466b22dc1e1643f4f1b3521eb3b6d085b3d7b8fd4cc602fccd92273194ed

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5:    17b10105802812b5d72dae8d4cd638dc
  SHA1:   26703e9b47783ae0df4b108532280fadca689b9d
  SHA256: 445f7b1b804a922d2a0505daa2220204da7a97525dccd34f40da1518c09bdcd3
  SHA512: 7644531cd377631b4b29db1f9e6d00569fa20ed71ab28335f98ae3c58752bcfe067f1a850106f0027e98ef88e953573de2111ad6d8ff248a8166b25f1c68674c

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5:    6752a1d65b201c13b62ea44016eb221f
  SHA1:   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5:    6cbcb14e583e7288316960f8c1798111
  SHA1:   55de3865a131af89bab032913e38158684647074
  SHA256: 2b27bdd516e087f737386d8cce1ce460b4c367562ee9dd67aeb3484f7aa276a7
  SHA512: 20e883ca490c84e32984ecd47b941bbecc7196348f43cc0d0177dd6dd29726f8f13b4899bac03efd8fbedc3aef3eee63e78e2f0de230437153e7a82f27811a24

- \??\pipe\LOCAL\crashpad_4984_ABHVAWFNJYFXVNJU
  Filesize: not recorded (all four digests below are the hashes of zero-length input, so no content was captured from this named pipe)
  MD5:    d41d8cd98f00b204e9800998ecf8427e
  SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
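The script below is an added triage example for this report, not code from the report or from the sandbox vendor. It takes a handful of the Edge command lines from the process tree and two of the Downloads records above (copied as constructed sample input; the rest are omitted for brevity) and answers two questions a reviewer asks before closing a URL detonation: which child processes ran without a sandbox, read from Chromium's `--type`, `--utility-sub-type`, `--service-sandbox-type` and `--disable-gpu-sandbox` flags, and which "dropped file" entries are empty artifacts whose digests are simply the hashes of zero bytes, as the crashpad named pipe entry is. The flag interpretation (`--service-sandbox-type=none` and `--disable-gpu-sandbox` meaning "unsandboxed") follows the flag names; process types whose flags say nothing either way are reported as unknown rather than guessed.

```python
"""Triage helpers for a Chromium/Edge sandbox report (added example)."""
import hashlib
import re

# Constructed sample: command lines abridged from the process tree above.
COMMAND_LINES = [
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://qptr.ru/hVVV',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --mojo-platform-channel-handle=2080 /prefetch:2',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1848 /prefetch:3',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --renderer-client-id=6 --mojo-platform-channel-handle=3340 /prefetch:1',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --mojo-platform-channel-handle=2164 /prefetch:2',
]

_KV = re.compile(r'--([\w-]+)=("[^"]*"|\S+)')        # --flag=value
_BARE = re.compile(r'(?<!\S)--([\w-]+)(?=\s|$)')      # --flag with no value


def process_role(cmd):
    """Return (image, type, utility sub-type, sandboxed) for one command line.

    sandboxed is True/False where the flags decide it and None where they do
    not (the browser process and crashpad-handler carry no sandbox flag).
    """
    image = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
    kv = dict(_KV.findall(cmd))
    bare = set(_BARE.findall(cmd))
    ptype = kv.get("type", "browser")      # no --type means the browser process
    sub = kv.get("utility-sub-type")
    if ptype == "utility":
        sandboxed = kv.get("service-sandbox-type") != "none"
    elif ptype == "gpu-process":
        sandboxed = "disable-gpu-sandbox" not in bare
    elif ptype == "renderer":
        sandboxed = "no-sandbox" not in bare
    else:
        sandboxed = None
    return image.rsplit("\\", 1)[-1], ptype, sub, sandboxed


def unsandboxed(cmds):
    """Names of the processes whose flags say they ran without a sandbox."""
    out = []
    for cmd in cmds:
        _, ptype, sub, sandboxed = process_role(cmd)
        if sandboxed is False:
            out.append(sub or ptype)
    return out


# Digests of zero bytes, derived rather than hard-coded.
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
EMPTY_DIGESTS = {alg: hashlib.new(alg, b"").hexdigest() for alg in HEX_LEN}

# Constructed sample: two Downloads records copied from the report. The
# second (the crashpad named pipe) has no Filesize entry.
DOWNLOADS = [
    {"path": r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat",
     "size": "152B",
     "md5": "e36b219dcae7d32ec82cec3245512f80",
     "sha1": "6b2bd46e4f6628d66f7ec4b5c399b8c9115a9466",
     "sha256": "16bc6f47bbfbd4e54c3163dafe784486b72d0b78e6ea3593122edb338448a27b",
     "sha512": "fc539c461d87141a180cf71bb6a636c75517e5e7226e76b71fd64e834dcacc88fcaaa92a9a00999bc0afc4fb93b7304b068000f14653c05ff03dd7baef3f225c"},
    {"path": r"\??\pipe\LOCAL\crashpad_4984_ABHVAWFNJYFXVNJU",
     "size": None,
     "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e"},
]


def check_record(rec):
    """Classify one hash record as 'ok', 'empty' (hashes of zero bytes) or 'malformed'."""
    for alg, n in HEX_LEN.items():
        h = rec.get(alg, "").lower()
        if len(h) != n or not all(c in "0123456789abcdef" for c in h):
            return "malformed"
    empty = [alg for alg in HEX_LEN if rec[alg].lower() == EMPTY_DIGESTS[alg]]
    if len(empty) == len(HEX_LEN):
        return "empty"
    if empty:
        # One algorithm hashing to "empty" while the others do not cannot come
        # from a single file: the record was mis-copied.
        return "malformed"
    return "ok"


if __name__ == "__main__":
    print("unsandboxed:", unsandboxed(COMMAND_LINES))
    for rec in DOWNLOADS:
        print(check_record(rec), rec["path"])
```

Run as-is it reports the network service, the identity helper's WinrtAppIdService and the second GPU process as unsandboxed, and marks the crashpad pipe entry as empty while the settings.dat record passes; the same two functions can be pointed at a full export of the process tree and Downloads table.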