rhadamanthys | hxxps://vivopartners[.]ru/

Analysis

max time kernel
969s
max time network
979s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://vivopartners.ru/

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

vivo Договор на оказание рекламных услуг.scr

description pid process target process

PID 6736 created 2460 6736 vivo Договор на оказание рекламных услуг.scr sihost.exe

description	pid	process	target process
PID 6736 created 2460	6736	vivo Договор на оказание рекламных услуг.scr	sihost.exe

Executes dropped EXE 12 IoCs

Processes:

vivo Договор на оказание рекламных услуг.scrvivo Договор на оказание рекламных услуг.scrvivo Договор на оказание рекламных услуг.scrvivo Договор на оказание рекламных услуг.scrvivo Договор на оказание рекламных услуг.scrvivo Договор на оказание рекламных услуг.exevivo Договор на оказание рекламных услуг.exevivo Договор на оказание рекламных услуг.exevivo Договор на оказание рекламных услуг.exevivo Договор на оказание рекламных услуг.exevivo Договор на оказание рекламных услуг.exevivo Договор на оказание рекламных услуг.exe

pid	process
1968	vivo Договор на оказание рекламных услуг.scr
6624	vivo Договор на оказание рекламных услуг.scr
6644	vivo Договор на оказание рекламных услуг.scr
6676	vivo Договор на оказание рекламных услуг.scr
6736	vivo Договор на оказание рекламных услуг.scr
7036	vivo Договор на оказание рекламных услуг.exe
7116	vivo Договор на оказание рекламных услуг.exe
3600	vivo Договор на оказание рекламных услуг.exe
2688	vivo Договор на оказание рекламных услуг.exe
3252	vivo Договор на оказание рекламных услуг.exe
6900	vivo Договор на оказание рекламных услуг.exe
6044	vivo Договор на оказание рекламных услуг.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

Processes:

flow	ioc
408	raw.githubusercontent.com
410	raw.githubusercontent.com
400	raw.githubusercontent.com
404	raw.githubusercontent.com
407	raw.githubusercontent.com
409	raw.githubusercontent.com
401	raw.githubusercontent.com
405	raw.githubusercontent.com
406	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

114 ipinfo.io
115 ipinfo.io
113 ipinfo.io

flow	ioc
114	ipinfo.io
115	ipinfo.io
113	ipinfo.io

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
6896	6736	WerFault.exe	vivo Договор на оказание рекламных услуг.scr
6952	6736	WerFault.exe	vivo Договор на оказание рекламных услуг.scr
4876	3600	WerFault.exe	vivo Договор на оказание рекламных услуг.exe
3120	3600	WerFault.exe	vivo Договор на оказание рекламных услуг.exe
4820	2688	WerFault.exe	vivo Договор на оказание рекламных услуг.exe
2524	2688	WerFault.exe	vivo Договор на оказание рекламных услуг.exe
7016	6900	WerFault.exe	vivo Договор на оказание рекламных услуг.exe
6984	6900	WerFault.exe	vivo Договор на оказание рекламных услуг.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Users\\Admin\\Desktop\\VIVO~1.SCR"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveActive = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\ScreenSaveTimeOut = "900"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop	rundll32.exe

Modifies registry class 22 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exe7zFM.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\text_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\text_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\text_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\text_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ヨ彾翾	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ヨ彾翾\ = "text_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\⺘繭乜耀	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\text_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.text	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\text_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\\ = "text_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\⺘繭乜耀\ = "text_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\text_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\text_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{A17ECFBF-E5AE-4AE1-A943-787D9FB27571}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.text\ = "text_auto_file"	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

3348 vlc.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

vivo Договор на оказание рекламных услуг.scropenwith.exetaskmgr.exe

pid	process
6736	vivo Договор на оказание рекламных услуг.scr
6736	vivo Договор на оказание рекламных услуг.scr
6788	openwith.exe
6788	openwith.exe
6788	openwith.exe
6788	openwith.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

vlc.exe7zFM.exe

pid process

3348 vlc.exe
3928 7zFM.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

7zFM.exe7zFM.exe7zFM.exe7zFM.exeAUDIODG.EXEvlc.exe7zFM.exetaskmgr.exe

description	pid	process
Token: SeRestorePrivilege	3120	7zFM.exe
Token: 35	3120	7zFM.exe
Token: SeRestorePrivilege	4472	7zFM.exe
Token: 35	4472	7zFM.exe
Token: SeRestorePrivilege	4524	7zFM.exe
Token: 35	4524	7zFM.exe
Token: SeRestorePrivilege	2304	7zFM.exe
Token: 35	2304	7zFM.exe
Token: SeSecurityPrivilege	3120	7zFM.exe
Token: SeSecurityPrivilege	3120	7zFM.exe
Token: 33	4920	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4920	AUDIODG.EXE
Token: 33	3348	vlc.exe
Token: SeIncBasePriorityPrivilege	3348	vlc.exe
Token: SeRestorePrivilege	3928	7zFM.exe
Token: 35	3928	7zFM.exe
Token: SeSecurityPrivilege	3928	7zFM.exe
Token: SeSecurityPrivilege	3928	7zFM.exe
Token: SeSecurityPrivilege	3928	7zFM.exe
Token: SeDebugPrivilege	6288	taskmgr.exe
Token: SeSystemProfilePrivilege	6288	taskmgr.exe
Token: SeCreateGlobalPrivilege	6288	taskmgr.exe
Token: 33	6288	taskmgr.exe
Token: SeIncBasePriorityPrivilege	6288	taskmgr.exe
Token: SeSecurityPrivilege	3928	7zFM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

7zFM.exe7zFM.exe7zFM.exe7zFM.exevlc.exe7zFM.exetaskmgr.exe

pid	process
4472	7zFM.exe
3120	7zFM.exe
4524	7zFM.exe
2304	7zFM.exe
3120	7zFM.exe
3120	7zFM.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3928	7zFM.exe
3928	7zFM.exe
3928	7zFM.exe
3928	7zFM.exe
3928	7zFM.exe
3928	7zFM.exe
3928	7zFM.exe
6288	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

vlc.exetaskmgr.exe

pid	process
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe
6288	taskmgr.exe

Suspicious use of SetWindowsHookEx 44 IoCs

Processes:

vlc.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exe

pid	process
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
3348	vlc.exe
4268	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5012	OpenWith.exe
5188	OpenWith.exe
5188	OpenWith.exe
5188	OpenWith.exe
5188	OpenWith.exe
5188	OpenWith.exe
5188	OpenWith.exe
5188	OpenWith.exe
5188	OpenWith.exe
5188	OpenWith.exe
5188	OpenWith.exe
5188	OpenWith.exe
5188	OpenWith.exe
5188	OpenWith.exe
5188	OpenWith.exe
5188	OpenWith.exe
5188	OpenWith.exe
5188	OpenWith.exe
3944	OpenWith.exe
3944	OpenWith.exe
3944	OpenWith.exe
3944	OpenWith.exe
3944	OpenWith.exe
3944	OpenWith.exe
3944	OpenWith.exe
3944	OpenWith.exe
3944	OpenWith.exe
3944	OpenWith.exe
3944	OpenWith.exe
3944	OpenWith.exe
3944	OpenWith.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

rundll32.exevivo Договор на оказание рекламных услуг.scrvivo Договор на оказание рекламных услуг.scrvivo Договор на оказание рекламных услуг.exevivo Договор на оказание рекламных услуг.exeOpenWith.exeOpenWith.exeOpenWith.exevivo Договор на оказание рекламных услуг.exe

description	pid	process	target process
PID 3284 wrote to memory of 6624	3284	rundll32.exe	vivo Договор на оказание рекламных услуг.scr
PID 3284 wrote to memory of 6624	3284	rundll32.exe	vivo Договор на оказание рекламных услуг.scr
PID 3284 wrote to memory of 6624	3284	rundll32.exe	vivo Договор на оказание рекламных услуг.scr
PID 1968 wrote to memory of 6736	1968	vivo Договор на оказание рекламных услуг.scr	vivo Договор на оказание рекламных услуг.scr
PID 1968 wrote to memory of 6736	1968	vivo Договор на оказание рекламных услуг.scr	vivo Договор на оказание рекламных услуг.scr
PID 1968 wrote to memory of 6736	1968	vivo Договор на оказание рекламных услуг.scr	vivo Договор на оказание рекламных услуг.scr
PID 1968 wrote to memory of 6736	1968	vivo Договор на оказание рекламных услуг.scr	vivo Договор на оказание рекламных услуг.scr
PID 1968 wrote to memory of 6736	1968	vivo Договор на оказание рекламных услуг.scr	vivo Договор на оказание рекламных услуг.scr
PID 6736 wrote to memory of 6788	6736	vivo Договор на оказание рекламных услуг.scr	openwith.exe
PID 6736 wrote to memory of 6788	6736	vivo Договор на оказание рекламных услуг.scr	openwith.exe
PID 6736 wrote to memory of 6788	6736	vivo Договор на оказание рекламных услуг.scr	openwith.exe
PID 6736 wrote to memory of 6788	6736	vivo Договор на оказание рекламных услуг.scr	openwith.exe
PID 6736 wrote to memory of 6788	6736	vivo Договор на оказание рекламных услуг.scr	openwith.exe
PID 7036 wrote to memory of 3600	7036	vivo Договор на оказание рекламных услуг.exe	vivo Договор на оказание рекламных услуг.exe
PID 7036 wrote to memory of 3600	7036	vivo Договор на оказание рекламных услуг.exe	vivo Договор на оказание рекламных услуг.exe
PID 7036 wrote to memory of 3600	7036	vivo Договор на оказание рекламных услуг.exe	vivo Договор на оказание рекламных услуг.exe
PID 7036 wrote to memory of 3600	7036	vivo Договор на оказание рекламных услуг.exe	vivo Договор на оказание рекламных услуг.exe
PID 7036 wrote to memory of 3600	7036	vivo Договор на оказание рекламных услуг.exe	vivo Договор на оказание рекламных услуг.exe
PID 7116 wrote to memory of 2688	7116	vivo Договор на оказание рекламных услуг.exe	vivo Договор на оказание рекламных услуг.exe
PID 7116 wrote to memory of 2688	7116	vivo Договор на оказание рекламных услуг.exe	vivo Договор на оказание рекламных услуг.exe
PID 7116 wrote to memory of 2688	7116	vivo Договор на оказание рекламных услуг.exe	vivo Договор на оказание рекламных услуг.exe
PID 7116 wrote to memory of 2688	7116	vivo Договор на оказание рекламных услуг.exe	vivo Договор на оказание рекламных услуг.exe
PID 7116 wrote to memory of 2688	7116	vivo Договор на оказание рекламных услуг.exe	vivo Договор на оказание рекламных услуг.exe
PID 5012 wrote to memory of 1512	5012	OpenWith.exe	NOTEPAD.EXE
PID 5012 wrote to memory of 1512	5012	OpenWith.exe	NOTEPAD.EXE
PID 5188 wrote to memory of 5248	5188	OpenWith.exe	NOTEPAD.EXE
PID 5188 wrote to memory of 5248	5188	OpenWith.exe	NOTEPAD.EXE
PID 3944 wrote to memory of 1412	3944	OpenWith.exe	NOTEPAD.EXE
PID 3944 wrote to memory of 1412	3944	OpenWith.exe	NOTEPAD.EXE
PID 3252 wrote to memory of 6900	3252	vivo Договор на оказание рекламных услуг.exe	vivo Договор на оказание рекламных услуг.exe
PID 3252 wrote to memory of 6900	3252	vivo Договор на оказание рекламных услуг.exe	vivo Договор на оказание рекламных услуг.exe
PID 3252 wrote to memory of 6900	3252	vivo Договор на оказание рекламных услуг.exe	vivo Договор на оказание рекламных услуг.exe
PID 3252 wrote to memory of 6900	3252	vivo Договор на оказание рекламных услуг.exe	vivo Договор на оказание рекламных услуг.exe
PID 3252 wrote to memory of 6900	3252	vivo Договор на оказание рекламных услуг.exe	vivo Договор на оказание рекламных услуг.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2460

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://vivopartners.ru/
1⤵
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3872 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:3724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4128 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:3248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5024 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:3812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5808 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:1812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5024 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5468 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:2936

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x324
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5780 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6132 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=5264 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:3652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6128 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=6160 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6684 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:2192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6768 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:4876

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\vivo 2024 - Материалы.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3120

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\vivo 2024 - Материалы.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4472

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\vivo 2024 - Материалы.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4524

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\vivo 2024 - Материалы.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2304

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2260

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\vivo Промо-Ролик.mp4"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3348

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\vivo Промо-Ролик.mp4"
1⤵
PID:5012

C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.scr
"C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.scr" /S
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.scr
"C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.scr"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:6736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6736 -s 468
3⤵
- Program crash
PID:6896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6736 -s 464
3⤵
- Program crash
PID:6952

C:\Windows\system32\rundll32.exe
"rundll32.exe" desk.cpl,InstallScreenSaver C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.scr
1⤵
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:3284

C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.scr
"C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.scr" /p 328342
2⤵
- Executes dropped EXE
PID:6624

C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.scr
"C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.scr" /S
1⤵
- Executes dropped EXE
PID:6644

C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.scr
"C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.scr"
1⤵
- Executes dropped EXE
PID:6676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6736 -ip 6736
1⤵
PID:6856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6736 -ip 6736
1⤵
PID:6924

C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.exe
"C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:7036

C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.exe
"C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.exe"
2⤵
- Executes dropped EXE
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 444
3⤵
- Program crash
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 452
3⤵
- Program crash
PID:3120

C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.exe
"C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:7116

C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.exe
"C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.exe"
2⤵
- Executes dropped EXE
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 416
3⤵
- Program crash
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 412
3⤵
- Program crash
PID:2524

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3928

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 3600 -ip 3600
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3600 -ip 3600
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2688 -ip 2688
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2688 -ip 2688
1⤵
PID:3652

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO85F4404C\.text
2⤵
PID:1512

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5188

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO85F71DFC\.data
2⤵
PID:5248

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1404 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:6552

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO85F9E2DF\.rsrc_1
2⤵
PID:1412

C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.exe
"C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252

C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.exe
"C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.exe"
2⤵
- Executes dropped EXE
PID:6900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6900 -s 416
3⤵
- Program crash
PID:7016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6900 -s 436
3⤵
- Program crash
PID:6984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4848 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6900 -ip 6900
1⤵
PID:6792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6900 -ip 6900
1⤵
PID:6980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=6488 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:7104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --mojo-platform-channel-handle=6444 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:3012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=6384 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:4252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --mojo-platform-channel-handle=6268 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:2592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --mojo-platform-channel-handle=6432 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:2312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --mojo-platform-channel-handle=6220 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --mojo-platform-channel-handle=4792 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:3600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --mojo-platform-channel-handle=6312 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:6828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --mojo-platform-channel-handle=4492 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --mojo-platform-channel-handle=5216 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:7152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --mojo-platform-channel-handle=7108 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7304 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
- Modifies registry class
PID:1052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7276 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7244 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:1920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --mojo-platform-channel-handle=7476 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:2104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --mojo-platform-channel-handle=7236 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:3344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --mojo-platform-channel-handle=6848 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:3892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --mojo-platform-channel-handle=6376 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:3088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --mojo-platform-channel-handle=7184 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --mojo-platform-channel-handle=4008 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:5440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=7620 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:5688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --mojo-platform-channel-handle=4876 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:5716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --mojo-platform-channel-handle=3588 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:5288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --mojo-platform-channel-handle=7624 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:5372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --mojo-platform-channel-handle=7008 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:4800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --mojo-platform-channel-handle=5488 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:1044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --mojo-platform-channel-handle=6372 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --mojo-platform-channel-handle=7052 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:5368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --mojo-platform-channel-handle=6668 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:1
1⤵
PID:5884

C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.exe
"C:\Users\Admin\Desktop\vivo Договор на оказание рекламных услуг.exe"
1⤵
- Executes dropped EXE
PID:6044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB

MD5
b4c8d7be19433b9f4aeb288df6e0ea06

SHA1
e6628922a84d47ff6f8ed18ef18a004cfe6791b9

SHA256
0ed40a0dd05c1c443ec61699a44d9e6718248373aaf3a8eb9e47b922177f8955

SHA512
a10ca80513fb1a99a378c65a3ad4dc34e69948e90ef90033ed6cd0c1c8e22d2be8d75e13fbd11d331ab881d62d83f1fd8007e85a6fe838bc5ccd96329533e6a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB

MD5
69dbcf3d0689cb961056e99be4b11430

SHA1
1b4534d53c239a99410f52004c374dd565aba2ac

SHA256
8f725f3ca8489804ca0852afcb2cfdc3058897ef6801bef04c18682de24d3a7d

SHA512
e6749a94e885f66837bc3b572e1b0dcc11588bfdfcb24c1389160ec6bffbae3b9c789e15ae8cd2687c956369958873b407fd949e4e1f3a1fd257a656434eb007

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme
Filesize
1KB

MD5
ad280b492678a8635ad65784ce8fb6ac

SHA1
2cb04e1023526e72306c064f594be74a6b5a0d7f

SHA256
212003d7f4f3030f0a9d1c0c63ea4efa3ee6441cdb1050d97caca1dccd4f9ee8

SHA512
62227f793e23078465175bba7e4592a7450fa064b857c011eb7a4513ad71bdcd121ab33ca5e1d4bccf255e65d12a27e882842697db895990b863a32ae76d12af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO85F4404C\.text
Filesize
464KB

MD5
94a040793142301f2f4cbc59c34852f7

SHA1
05cccb94e672f073d12d9397915ab8ff84ab9ad2

SHA256
0d05290432463cc3c3f3f56b5d3cfe1bd463353439fed632f0a6d4b6b75dbc58

SHA512
0705e772fcac6a4f27bb979afd5744d33c3900231e6b425403e3baad73d3970df974410ff0709b3b39b1850bc476724eb41813b1f38a2acf956577a5af0da102

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO85F71DFC\.data
Filesize
16KB

MD5
1233a06bee10e718449dc5f38e2bfa0c

SHA1
20485d05db1a6a753c50bedfa6b5075a619066b6

SHA256
4f5dd3320ad50a9d4574ce62538c044f58ad3dccaa61ab09a818bf3b83c93570

SHA512
102aea5bf54960c892d02d86254247576b4bfe27b752bc2c60b2ae79e297dcce1573c8cf2ca20ccc688c6499de898ad000f6b0d9f1afe3e4ea362333669bbafc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO85F9E2DF\.rsrc_1
Filesize
276B

MD5
ff03065df3257688ba80646903a32ef4

SHA1
cfb7994daa7e094179b16e27955c8971499a0007

SHA256
a096160bf9db18d6505da1fc9b40929bba6ce61edc044751f106fbcb207b398a

SHA512
fc9e50f9e048f3945b2e699bb8844ed31b13f8662435c8fd632dd738d63d7a1d67cb6a098da63e8f4a154e409eaa2280093cc98279630c792c2a9566cd21f47b

Download Submit
C:\Users\Admin\Desktop\vivo Промо-Ролик.mp4
Filesize
3.2MB

MD5
c2dd1193df4a5596a6e750070f35dd0f

SHA1
5928072c58fc8039249c723be5f4b4a83ad68ba5

SHA256
0cc56bcd9502f38ff9f6b7bd60c2a1168abe5cdf21557c95b3927306e5c8ba57

SHA512
ec9dac269768b3a74870f5a5e9c13f2097353acee528a74b8a5fe355bc05059a0e6197cf55bae8a5543a0d7ccf45df009c2052808a8dd5f861645b51a3451dce

Download Submit
memory/1968-770-0x0000000000400000-0x000000000439A000-memory.dmp

Filesize
63.6MB

Download
memory/3348-71-0x00007FFE5D9F0000-0x00007FFE5EA9B000-memory.dmp

Filesize
16.7MB

Download
memory/3348-44-0x00007FFE60230000-0x00007FFE604E4000-memory.dmp

Filesize
2.7MB

Download
memory/3348-30-0x00007FFE712D0000-0x00007FFE712E1000-memory.dmp

Filesize
68KB

Download
memory/3348-26-0x00007FFE76D50000-0x00007FFE76D68000-memory.dmp

Filesize
96KB

Download
memory/3348-34-0x00007FFE60030000-0x00007FFE60230000-memory.dmp

Filesize
2.0MB

Download
memory/3348-37-0x00007FFE70E50000-0x00007FFE70E68000-memory.dmp

Filesize
96KB

Download
memory/3348-40-0x00007FFE70A50000-0x00007FFE70A61000-memory.dmp

Filesize
68KB

Download
memory/3348-33-0x00007FFE5D9F0000-0x00007FFE5EA9B000-memory.dmp

Filesize
16.7MB

Download
memory/3348-39-0x00007FFE70D00000-0x00007FFE70D11000-memory.dmp

Filesize
68KB

Download
memory/3348-38-0x00007FFE70D60000-0x00007FFE70D71000-memory.dmp

Filesize
68KB

Download
memory/3348-36-0x00007FFE70DD0000-0x00007FFE70DF1000-memory.dmp

Filesize
132KB

Download
memory/3348-35-0x00007FFE70EC0000-0x00007FFE70EFF000-memory.dmp

Filesize
252KB

Download
memory/3348-41-0x0000016D5DE00000-0x0000016D5F5B0000-memory.dmp

Filesize
23.7MB

Download
memory/3348-29-0x00007FFE712F0000-0x00007FFE71307000-memory.dmp

Filesize
92KB

Download
memory/3348-52-0x00007FFE5D9F0000-0x00007FFE5EA9B000-memory.dmp

Filesize
16.7MB

Download
memory/3348-68-0x00007FF6E8A70000-0x00007FF6E8B68000-memory.dmp

Filesize
992KB

Download
memory/3348-70-0x00007FFE60230000-0x00007FFE604E4000-memory.dmp

Filesize
2.7MB

Download
memory/3348-69-0x00007FFE71310000-0x00007FFE71344000-memory.dmp

Filesize
208KB

Download
memory/3348-25-0x00007FFE60230000-0x00007FFE604E4000-memory.dmp

Filesize
2.7MB

Download
memory/3348-27-0x00007FFE754B0000-0x00007FFE754C7000-memory.dmp

Filesize
92KB

Download
memory/3348-23-0x00007FF6E8A70000-0x00007FF6E8B68000-memory.dmp

Filesize
992KB

Download
memory/3348-28-0x00007FFE713F0000-0x00007FFE71401000-memory.dmp

Filesize
68KB

Download
memory/3348-24-0x00007FFE71310000-0x00007FFE71344000-memory.dmp

Filesize
208KB

Download
memory/3348-31-0x00007FFE70FC0000-0x00007FFE70FDD000-memory.dmp

Filesize
116KB

Download
memory/3348-32-0x00007FFE70FA0000-0x00007FFE70FB1000-memory.dmp

Filesize
68KB

Download
memory/5012-12-0x00007FFE713F0000-0x00007FFE71401000-memory.dmp

Filesize
68KB

Download
memory/5012-10-0x00007FFE76D50000-0x00007FFE76D68000-memory.dmp

Filesize
96KB

Download
memory/5012-7-0x00007FF6E8A70000-0x00007FF6E8B68000-memory.dmp

Filesize
992KB

Download
memory/5012-8-0x00007FFE71310000-0x00007FFE71344000-memory.dmp

Filesize
208KB

Download
memory/5012-11-0x00007FFE754B0000-0x00007FFE754C7000-memory.dmp

Filesize
92KB

Download
memory/5012-9-0x00007FFE60230000-0x00007FFE604E4000-memory.dmp

Filesize
2.7MB

Download
memory/6624-787-0x0000000000400000-0x000000000439A000-memory.dmp

Filesize
63.6MB

Download
memory/6644-788-0x0000000000400000-0x000000000439A000-memory.dmp

Filesize
63.6MB

Download
memory/6676-789-0x0000000000400000-0x000000000439A000-memory.dmp

Filesize
63.6MB

Download
memory/6736-778-0x0000000075930000-0x0000000075B45000-memory.dmp

Filesize
2.1MB

Download
memory/6736-785-0x0000000000400000-0x000000000439A000-memory.dmp

Filesize
63.6MB

Download
memory/6736-776-0x00007FFE7F410000-0x00007FFE7F605000-memory.dmp

Filesize
2.0MB

Download
memory/6736-775-0x0000000007140000-0x0000000007540000-memory.dmp

Filesize
4.0MB

Download
memory/6736-774-0x0000000007140000-0x0000000007540000-memory.dmp

Filesize
4.0MB

Download
memory/6736-773-0x00000000043A0000-0x000000000441E000-memory.dmp

Filesize
504KB

Download
memory/6736-771-0x00000000043A0000-0x000000000441E000-memory.dmp

Filesize
504KB

Download
memory/6788-781-0x0000000002D30000-0x0000000003130000-memory.dmp

Filesize
4.0MB

Download
memory/6788-784-0x0000000075930000-0x0000000075B45000-memory.dmp

Filesize
2.1MB

Download
memory/6788-782-0x00007FFE7F410000-0x00007FFE7F605000-memory.dmp

Filesize
2.0MB

Download
memory/6788-779-0x0000000000FA0000-0x0000000000FA9000-memory.dmp

Filesize
36KB

Download