88a1a1f09906b7501ea44d53c5583cb4a151cd4a47bd343c8d57f0877a526241

Analysis

max time kernel
418s
max time network
424s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bc8I.html
Size

7KB
MD5

8f686d4f90fb93d8d90fb8f818c05c62
SHA1

ddb3044b048d026fa0d8540a4c606d6c302b5e37
SHA256

88a1a1f09906b7501ea44d53c5583cb4a151cd4a47bd343c8d57f0877a526241
SHA512

8262149b1a4282da3377b110885ed5e12f5fb5a1260450912b054fbc7c00672484c49bd59004eae7d29ac5ce75e16ee444d5e803b8d3c73c7c58b42f7429a3ca
SSDEEP

192:PN2x2BsBm5oZRFR7seoIMfjlvWwKZZ8yWhN:AxDaEFFrQRigN

Score

10^/10

discovery persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 5048 created 2596	5048	Documento che prova la violazione dei diritti di proprietà intellettuale2011BHQ2.exe	44

Executes dropped EXE 2 IoCs

pid	Process
3236	Documento che prova la violazione dei diritti di proprietà intellettuale2011BHQ2.exe
5048	Documento che prova la violazione dei diritti di proprietà intellettuale2011BHQ2.exe

Loads dropped DLL 1 IoCs

pid	Process
3236	Documento che prova la violazione dei diritti di proprietà intellettuale2011BHQ2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*UpdaterCisco = "rundll32.exe C:\\Users\\Admin\\Documents\\AvivaUpdate_0001.dll,EntryPoint"	reg.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
468	5048	WerFault.exe	127

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Documento che prova la violazione dei diritti di proprietà intellettuale2011BHQ2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Documento che prova la violazione dei diritti di proprietà intellettuale2011BHQ2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1016	msedge.exe
1016	msedge.exe
3836	msedge.exe
3836	msedge.exe
1040	identity_helper.exe
1040	identity_helper.exe
4856	msedge.exe
4856	msedge.exe
5048	Documento che prova la violazione dei diritti di proprietà intellettuale2011BHQ2.exe
5048	Documento che prova la violazione dei diritti di proprietà intellettuale2011BHQ2.exe
5048	Documento che prova la violazione dei diritti di proprietà intellettuale2011BHQ2.exe
5048	Documento che prova la violazione dei diritti di proprietà intellettuale2011BHQ2.exe
2944	svchost.exe
2944	svchost.exe
2944	svchost.exe
2944	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	1612	7zG.exe
Token: 35	1612	7zG.exe
Token: SeSecurityPrivilege	1612	7zG.exe
Token: SeSecurityPrivilege	1612	7zG.exe
Token: SeManageVolumePrivilege	4092	svchost.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
1612	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe
3836	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 452	3836	msedge.exe	83
PID 3836 wrote to memory of 452	3836	msedge.exe	83
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 472	3836	msedge.exe	84
PID 3836 wrote to memory of 1016	3836	msedge.exe	85
PID 3836 wrote to memory of 1016	3836	msedge.exe	85
PID 3836 wrote to memory of 4180	3836	msedge.exe	86
PID 3836 wrote to memory of 4180	3836	msedge.exe	86
PID 3836 wrote to memory of 4180	3836	msedge.exe	86
PID 3836 wrote to memory of 4180	3836	msedge.exe	86
PID 3836 wrote to memory of 4180	3836	msedge.exe	86
PID 3836 wrote to memory of 4180	3836	msedge.exe	86
PID 3836 wrote to memory of 4180	3836	msedge.exe	86
PID 3836 wrote to memory of 4180	3836	msedge.exe	86
PID 3836 wrote to memory of 4180	3836	msedge.exe	86
PID 3836 wrote to memory of 4180	3836	msedge.exe	86
PID 3836 wrote to memory of 4180	3836	msedge.exe	86
PID 3836 wrote to memory of 4180	3836	msedge.exe	86
PID 3836 wrote to memory of 4180	3836	msedge.exe	86
PID 3836 wrote to memory of 4180	3836	msedge.exe	86
PID 3836 wrote to memory of 4180	3836	msedge.exe	86
PID 3836 wrote to memory of 4180	3836	msedge.exe	86
PID 3836 wrote to memory of 4180	3836	msedge.exe	86
PID 3836 wrote to memory of 4180	3836	msedge.exe	86
PID 3836 wrote to memory of 4180	3836	msedge.exe	86
PID 3836 wrote to memory of 4180	3836	msedge.exe	86

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2596
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\3bc8I.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8e3646f8,0x7ffd8e364708,0x7ffd8e364718
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,10535938055887658056,8273437078283726066,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,10535938055887658056,8273437078283726066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,10535938055887658056,8273437078283726066,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10535938055887658056,8273437078283726066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10535938055887658056,8273437078283726066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,10535938055887658056,8273437078283726066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,10535938055887658056,8273437078283726066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10535938055887658056,8273437078283726066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10535938055887658056,8273437078283726066,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10535938055887658056,8273437078283726066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10535938055887658056,8273437078283726066,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10535938055887658056,8273437078283726066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,10535938055887658056,8273437078283726066,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10535938055887658056,8273437078283726066,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,10535938055887658056,8273437078283726066,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4972

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5068

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Documento che prova la violazione dei diritti di proprietà intellettuale2011BHQ2\" -spe -an -ai#7zMap4276:222:7zEvent12624
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1612

C:\Users\Admin\Downloads\Documento che prova la violazione dei diritti di proprietà intellettuale2011BHQ2\Documento che prova la violazione dei diritti di proprietà intellettuale2011BHQ2.exe
"C:\Users\Admin\Downloads\Documento che prova la violazione dei diritti di proprietà intellettuale2011BHQ2\Documento che prova la violazione dei diritti di proprietà intellettuale2011BHQ2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3236
- C:\Users\Admin\Downloads\Documento che prova la violazione dei diritti di proprietà intellettuale2011BHQ2\Documento che prova la violazione dei diritti di proprietà intellettuale2011BHQ2.exe
  "C:\Users\Admin\Downloads\Documento che prova la violazione dei diritti di proprietà intellettuale2011BHQ2\Documento che prova la violazione dei diritti di proprietà intellettuale2011BHQ2.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 356
    3⤵
    - Program crash
    PID:468
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\AvivaUpdate_0001.dll",EntryPoint /f & exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1600
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\AvivaUpdate_0001.dll",EntryPoint /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5048 -ip 5048
1⤵
PID:4440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
db7d9d7271a20fff7e6b54d8d1b66484

SHA1
983862f8ef5141c9d4929a8971042d125259a5ed

SHA256
2b063a6da82c413be8a0bd03304c3ffb0ede41764555c9543f6bd0c17d675245

SHA512
fdeb8ff4e81069262a07bff690c9eec71febb4ae652229abe27e2c636ffcbd3aadada1cc07c195d0ce6425c0f3af1363b8f2495c5f09a32839e1574301b63333

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
427B

MD5
4a039d3163547fcecda689ff91d017fe

SHA1
c904a4f55df2c59c0708b72b5f133867a1445f5c

SHA256
24c957bfd7cf85fa76df0cb387296a4b57dc4a792b216632ef10cec57623f4e2

SHA512
b38aad30714f3b4458e6ac1116f06536805ad14655aa33eb3d99a49e1fc8d6c7a5138d5059842ef42d3947f742e261c100ed6b6036e04147d591eb0933677cb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
76207a1db140b6d0e707451e12162f99

SHA1
fd11fd6db389692cfe6ffa1b04d889fc7a6d0a3a

SHA256
41e13130dddd34c469bdeda6e8a3cca8366422fe07e0641e3c3538550b932b68

SHA512
b23be3b83396bd043819cc69658aa09d10ace686b14b050071d3991d9113e4fb0a0a3fdb7a8aa2f6021ea1890ec3afbd30911ded7ae255dbb18923d104104bf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c706d80201b07f72ded0d12d4293d25b

SHA1
0e76e68531c56abf56d6ff22db46847bd1191ffa

SHA256
17b23b68476b6b35adf305f2dbbe9dd8043694913c09cf0eded51d426fb3b9d9

SHA512
880832be2dc895d532d54221e177c80dc7dcdfa426810ffd26d088e9dcdf91e499be756afc75ac1a7a8e5d91bb4a0cd3c7c2e2f6db3527f0bf41ce824564fb5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2adc5706211bfde2a4ef9b89f708c315

SHA1
4dcecb92cc2328c29d65d5c6bfd7762041a55107

SHA256
9846c1e4622f4bc56cc865ef3ed7628abe6c91d0bb56ebb4c09ac51c79504090

SHA512
3ecff14158e6eb09fb48afdfc9953a7a806f81e9cc2d5d2754738b67677396145d24236919152d1eced4d303abb53d67ceded1e8c94da09ff99563b5f590c3ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
766560fd9c6371b4eecd9e10f1b5a84f

SHA1
c4dc3f03f40eaa6400be6a8810a562ce420b2191

SHA256
2796faba68708c908d1294155c15d65e40e8650e34cc64e6ec7bfa6164b33a9a

SHA512
ad512a791f60a6aba775a8dab18288198f8150b4d34d8bb0b73d7c3c35115a12767e4ab3bbacf8cbe519d1885a8ab4fc062ed79f6e637923c108ec86eca57708

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7f39fb313cc32ecbc1a6732963dec56c

SHA1
247cc924cdadc1e74dcfaa4a1a050951eedaca67

SHA256
86306cf08891c411bc48f14cad833e608c6b3e0a6d27619ea1195488e9f6a0dc

SHA512
2f4d1bd39e5293e93d86cf7f7cfe8a694dd0d5ec65dd3963f60b796104125f16bfbd0adbeb6324712c8eef93970d0c8ad2d632b6462e57c76e490f42bea64eae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8b63090092bbfbe48b8382dfb7cdc005

SHA1
0fa0fea269e81ce7071bbb2b7c10f1c7aad20a37

SHA256
c9bc3d43015bdb43ed9d6f3d5e5aea35003058c5a6bfb6d3e5f551d1ec28cbe2

SHA512
f4af820a046f219b520a6cc065ee6f0d68d457b67caf1fd56e860d2422f1845ff85caa405a91db993819b0f7fee0034d6079e4204601374275fadbec1dbfb872

Download Submit
C:\Users\Admin\Downloads\Documento che prova la violazione dei diritti di proprietà intellettuale2011BHQ2\Documento che prova la violazione dei diritti di proprietà intellettuale2011BHQ2.exe

Filesize
6.1MB

MD5
4864a55cff27f686023456a22371e790

SHA1
6ed30c0371fe167d38411bfa6d720fcdcacc4f4c

SHA256
08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2

SHA512
4bd3a16435cca6ce7a7aa829eb967619a8b7c02598474e634442cffc55935870d54d844a04496bf9c7e8c29c40fae59ac6eb39c8550c091d06a28211491d0bfb

Download Submit
memory/2944-251-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download
memory/2944-256-0x0000000075FD0000-0x00000000761E5000-memory.dmp

Filesize
2.1MB

Download
memory/2944-254-0x00007FFDAB930000-0x00007FFDABB25000-memory.dmp

Filesize
2.0MB

Download
memory/2944-253-0x0000000001110000-0x0000000001510000-memory.dmp

Filesize
4.0MB

Download
memory/3236-231-0x0000000010000000-0x0000000011000000-memory.dmp

Filesize
16.0MB

Download
memory/4092-274-0x0000026918260000-0x0000026918270000-memory.dmp

Filesize
64KB

Download
memory/4092-293-0x0000026920870000-0x0000026920871000-memory.dmp

Filesize
4KB

Download
memory/4092-297-0x0000026920870000-0x0000026920871000-memory.dmp

Filesize
4KB

Download
memory/4092-296-0x0000026920870000-0x0000026920871000-memory.dmp

Filesize
4KB

Download
memory/4092-295-0x0000026920870000-0x0000026920871000-memory.dmp

Filesize
4KB

Download
memory/4092-258-0x0000026918160000-0x0000026918170000-memory.dmp

Filesize
64KB

Download
memory/4092-294-0x0000026920870000-0x0000026920871000-memory.dmp

Filesize
4KB

Download
memory/4092-290-0x0000026920850000-0x0000026920851000-memory.dmp

Filesize
4KB

Download
memory/4092-291-0x0000026920870000-0x0000026920871000-memory.dmp

Filesize
4KB

Download
memory/4092-292-0x0000026920870000-0x0000026920871000-memory.dmp

Filesize
4KB

Download
memory/5048-248-0x00007FFDAB930000-0x00007FFDABB25000-memory.dmp

Filesize
2.0MB

Download
memory/5048-238-0x0000000000A30000-0x0000000000AB1000-memory.dmp

Filesize
516KB

Download
memory/5048-250-0x0000000075FD0000-0x00000000761E5000-memory.dmp

Filesize
2.1MB

Download
memory/5048-246-0x0000000001000000-0x0000000001400000-memory.dmp

Filesize
4.0MB

Download
memory/5048-247-0x0000000001000000-0x0000000001400000-memory.dmp

Filesize
4.0MB

Download
memory/5048-244-0x0000000000A30000-0x0000000000AB1000-memory.dmp

Filesize
516KB

Download