hxxps://disk[.]yandex[.]kz/d/bKNrMM6SukgYOw

Analysis

max time kernel
97s
max time network
99s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
13-06-2024 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.kz/d/bKNrMM6SukgYOw

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 10 IoCs

Processes:

reg.exereg.exemsedge.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings	msedge.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	reg.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\очиститель.bat:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 558859.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
4048	msedge.exe
4048	msedge.exe
1156	msedge.exe
1156	msedge.exe
4504	identity_helper.exe
4504	identity_helper.exe
3800	msedge.exe
3800	msedge.exe
3468	msedge.exe
3468	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

1156 msedge.exe
1156 msedge.exe
1156 msedge.exe
1156 msedge.exe
1156 msedge.exe
1156 msedge.exe
1156 msedge.exe
1156 msedge.exe
1156 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

whoami.exe

description pid process

Token: SeDebugPrivilege 5084 whoami.exe

description	pid	process
Token: SeDebugPrivilege	5084	whoami.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe
1156	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1156 wrote to memory of 1392	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 1392	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 3852	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4048	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 4048	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 1076	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 1076	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 1076	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 1076	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 1076	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 1076	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 1076	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 1076	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 1076	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 1076	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 1076	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 1076	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 1076	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 1076	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 1076	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 1076	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 1076	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 1076	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 1076	1156	msedge.exe	msedge.exe
PID 1156 wrote to memory of 1076	1156	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://disk.yandex.kz/d/bKNrMM6SukgYOw
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbb75b3cb8,0x7ffbb75b3cc8,0x7ffbb75b3cd8
2⤵
PID:1392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,17129023138041075250,17967987603215531997,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
2⤵
PID:3852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,17129023138041075250,17967987603215531997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,17129023138041075250,17967987603215531997,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
2⤵
PID:1076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17129023138041075250,17967987603215531997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
2⤵
PID:4876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17129023138041075250,17967987603215531997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
2⤵
PID:436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17129023138041075250,17967987603215531997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
2⤵
PID:2236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17129023138041075250,17967987603215531997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
2⤵
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17129023138041075250,17967987603215531997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
2⤵
PID:2312

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,17129023138041075250,17967987603215531997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,17129023138041075250,17967987603215531997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,17129023138041075250,17967987603215531997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6092 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\очиститель.bat" "
2⤵
PID:2340

C:\Windows\system32\chcp.com
CHCP 866
3⤵
PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit
3⤵
PID:3768

C:\Windows\system32\bcdedit.exe
bcdedit
4⤵
PID:4000

C:\Windows\system32\reg.exe
REG DELETE "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /va /f
3⤵
PID:1416

C:\Windows\system32\reg.exe
REG DELETE "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU" /f
3⤵
- Modifies registry class
PID:1200

C:\Windows\system32\reg.exe
REG DELETE "HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags" /f
3⤵
- Modifies registry class
PID:1624

C:\Windows\system32\reg.exe
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU" /f
3⤵
PID:4580

C:\Windows\system32\reg.exe
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags" /f
3⤵
PID:2072

C:\Windows\system32\reg.exe
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f
3⤵
PID:1708

C:\Windows\system32\reg.exe
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder" /va /f
3⤵
PID:1052

C:\Windows\system32\reg.exe
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU" /va /f
3⤵
PID:3316

C:\Windows\system32\reg.exe
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy" /va /f
3⤵
PID:3576

C:\Windows\system32\reg.exe
REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU" /f
3⤵
PID:1184

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU"
3⤵
PID:4664

C:\Windows\system32\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" /va /f
3⤵
PID:4804

C:\Windows\system32\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatCache" /va /f
3⤵
PID:4900

C:\Windows\system32\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" /f
3⤵
PID:4260

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications"
3⤵
PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c whoami /user /fo table /nh
3⤵
PID:828

C:\Windows\system32\whoami.exe
whoami /user /fo table /nh
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\system32\reg.exe
REG DELETE "HKEY_USERS\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps" /f
3⤵
PID:1968

C:\Windows\system32\reg.exe
REG ADD "HKEY_USERS\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps"
3⤵
PID:4228

C:\Windows\system32\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\UserSettings\S-1-5-21-1560405787-796225086-678739705-1000" /va /f
3⤵
PID:3260

C:\Windows\system32\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\UserSettings\S-1-5-21-1560405787-796225086-678739705-1000" /va /f
3⤵
PID:4856

C:\Windows\system32\reg.exe
REG DELETE "HKEY_USERS\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /va /f
3⤵
PID:2024

C:\Windows\system32\reg.exe
REG DELETE "HKEY_USERS\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" /f
3⤵
PID:32

C:\Windows\system32\reg.exe
REG ADD "HKEY_USERS\S-1-5-21-1560405787-796225086-678739705-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
3⤵
PID:1424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17129023138041075250,17967987603215531997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
2⤵
PID:2996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17129023138041075250,17967987603215531997,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
2⤵
PID:3344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17129023138041075250,17967987603215531997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
2⤵
PID:2724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,17129023138041075250,17967987603215531997,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
2⤵
PID:3160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1516

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1520

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\очиститель.bat
1⤵
PID:2088

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f717f56b5d8e2e057c440a5a81043662

SHA1
0ad6c9bbd28dab5c9664bad04db95fd50db36b3f

SHA256
4286cd3f23251d0a607e47eccb5e0f4af8542d38b32879d2db2ab7f4e6031945

SHA512
61e263935d51028ec0aab51b938b880945a950cec9635a0dafddf795658ea0a2dfcf9cfc0cab5459b659bb7204347b047a5c6b924fabea44ce389b1cbb9867d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
196eaa9f7a574c29bd419f9d8c2d9349

SHA1
19982d15d1e2688903b0a3e53a8517ab537b68ed

SHA256
df1e96677bcfffe5044826aa14a11e85ef2ebb014ee9e890e723a14dc5f31412

SHA512
e066d74da36a459c19db30e68b703ec9f92019f2d5f24fd476a5fd3653c0b453871e2c08cdc47f2b4d4c4be19ff99e6ef3956d93b2d7d0a69645577d44125ac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\16b1e57e-7ee7-425b-878f-2b6cfc7beeb5.tmp
Filesize
875B

MD5
fbe3c78c4e4c2e46080a5e97e7b7daa3

SHA1
08992ca1d7764a7ef5d5033643984618479eab62

SHA256
a49fa7145e1b463abeea078c5b73aab7f6e0ef972eaeb0609a77ef8726c7685e

SHA512
ccaaf1c9e01542fc22674135acff0b1b1e7e30a4453b251f1c50b34331dc525d345ef887d393cb3e59ff448cc8ecfb21e2034411e26cfbc1850f583b50b3e488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
Filesize
55KB

MD5
04b46dd7b8f437825e4b2892ccd3bd1e

SHA1
3d7b28c828e39e88baa05c54ce2d0ad9c183236d

SHA256
65cd73f30109c4a68734de37e5e15ff3209351c327fc4cc262b548c024adb05b

SHA512
7494460c41b34a798ac29657ffbbc5170819ce54f423d48eec5627fad3fdfae8914c3ab822ead6bda2c432d1811f6db40a10857aa8176c5aca5024381b626b67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
528B

MD5
34f3715c3bd29c2948740fd43b79193d

SHA1
8bb927417962499963407200b7f0fa5ee69f985d

SHA256
589ac6ddbbcf44b77bc3a62a62f52cfb27db86679ef7f4f9a290109e026bd641

SHA512
96c2d7cff72ab3e716f1f7a7694c48b39ed86737f43a28fcbf8a16151311f77ccc1e8f39f109c186957de8d4b84ee18bca7a0b0fc6ae559f2f44e06922acf9e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\001\t\Paths\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
700B

MD5
0f5e83d1461465ee3d8b4915f101224a

SHA1
fa8241ca713e14ede3bed9e2e8dced60d6293b21

SHA256
c3f36db0c776e31945b686c0abf32b8e0ed4dd6e9f6dd98cb9c55655cb183a94

SHA512
2e9add765dcabae8169e4e722c9fa3f4fb83bfa8fcaed5a567fc4f33d4fcbff1040b9cbd22c00fa4d2e1693142e6a17426bfaea9a99b9e4beec5b728aa831c26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
e31d158fee7a0523c64124e9f1e9b519

SHA1
7e6273225ab98712e061e20a8d7083f2153c0658

SHA256
a395858942fb037befb70e2917afa243611e08bbce7899f5cc25c8e1a62a0b86

SHA512
0fd25de1879504de52305f12c93a75eef8caeafcfb503e1147b31cc96f6bae06fb90ca5bd38bed5531eb2a2a3809de0e943e7bd343b8f1ac7e40c63e4ed1b080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
35eacb1d3247f874021879cfb554f3e2

SHA1
a1db71a7f74b130aa23b02aa198bfb3b023b950a

SHA256
55337047ec0d1a227ee3d3d08a10e3baec3ceeac52256b0635ae292690bd1031

SHA512
d40412bce7bc3cc70f5ef0cef8d232a654640ab1362935a4c32072063e2c79472eb23a3ec76a1204df262c6b3a90ce57724fd881555ae0f253b5d62e9c39b0ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
5d6548f3ffc2f939e8117dcf9cd0c5d5

SHA1
d46575e32a99131c374f191fb03c3d547846cc92

SHA256
aba9ecce631f819ce34b718a104ecd0ee7cff1eac77133f87f24dd3090bb1415

SHA512
d8bbee3d4e40bb1e787ed5e0d5354deaee4383a1e65be4f7fc23edc0549c63b98b0508e8da761fda7465618cee85b38bd1f3dc3ea61ca9989d71bb5c1ba224d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e84d.TMP
Filesize
875B

MD5
9b44548aab769b59ac462d2b92bc9792

SHA1
cc6abcff31720529056ae525985f685f3969fa58

SHA256
100b7e87f811b5a326cb89db4957c060c7c898fb5dcc20c1f9ee8bd78f7da38c

SHA512
69193c68d409bba1d061f031391168746fb88d80282618a4efa45f04f464008c4e05df050ce7e54ab9e20c074001002c6cf54f3a108a5367023fc120d3241cbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
494bee6d4e8d6741c24b9ff64eb52dde

SHA1
a19724e5b79af30de0e592399de8a4df9faf3249

SHA256
2446ee8f827e99e5615b01487d381a3119b59238416572cabaf5b116955b36b1

SHA512
222f86c09ebad34a5fecd0b73b8af696d9fa00bf00dcf02fefb2d3f3ca63decb55dbc2d5237196310f81728531803dd0df3f405eb07adffbbbf86cfcf8870cdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
4ab7474b6e1830f5915b0386a6bde9b3

SHA1
fce8b3576005b9aa74d940c0e0cf1f7c7b84273c

SHA256
3b0bdefd642b984035296f176605a37e6c4fd046df3509820ce966f07664992b

SHA512
0357bed0a44c31148884ae9716f03b0e5ecfb0212b28ba1262e3cce3c1d28f69b8d41fa8c2bfaea0a9850648dd4829fe7a583600d0ab84ab8627cfb638887881

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 558859.crdownload
Filesize
13KB

MD5
8bb47bc15412d726a038cff591aa5933

SHA1
8768216458761909c94bf544e1acd250099a4465

SHA256
bb279a32dd1bc418a72d80553859d64f2f0fceb3e5c40c8c09e9bdbf4080710b

SHA512
56251138791ab720dd835e3a7903f93a8b3a8553384d406a52f32ea854951beeb4286f42cc483b7f5d6b4398bd2d1fab8f4b9a3891c57e65116efe6ec6fe3a17

Download Submit
C:\Users\Admin\Downloads\очиститель.bat:Zone.Identifier
Filesize
796B

MD5
1b2bdcde0204ef3854be4eee633aecf7

SHA1
9eef90e638b6d418fcf44f5eaf0a39e2af4261ca

SHA256
c54a8cb5b10951b7c735bcc9f6efca7c2a6c796e8ac22e45632e1f43ad088f22

SHA512
1165572d705352374d98c9f1beb7fb284939a2d469da812f91aa3fda0667c43c31ba37d3e8bb1f1b50463ac922686b8d9e1dcfc321f48df2d3c9218b5b384682

Download Submit
\??\pipe\LOCAL\crashpad_1156_ORPTYDAGUFNYTPGM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit