16370ae8496af1013554c2025bba85d3e9ef190769104067677cfe3d91286591

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2023, 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16370ae8496af1013554c2025bba85d3e9ef190769104067677cfe3d91286591.exe
Size

14.5MB
MD5

ee3abe42f7a3785717625dc2aeafd9d5
SHA1

2f079bd0d328dde0e342349134c910c5405b3b0a
SHA256

16370ae8496af1013554c2025bba85d3e9ef190769104067677cfe3d91286591
SHA512

bcf4ae8ba2ee701881b10b62caeb74a28234bfb99f78a5cf8e1be0617deecd76579df2cc35548c0c1a9b3434f21458d507c96018f67c0c28122e58b56393ccf2
SSDEEP

393216:F5+gOfb3U+EdUK44L5HgZm2bknJ/4AHwZYAfglbVqqx07ydkFf0+3U:P+Hj3UljL58cLQZ7fglbfOMkFsQU

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	16370ae8496af1013554c2025bba85d3e9ef190769104067677cfe3d91286591.exe
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	CareUEyes_setup.tmp

Executes dropped EXE 4 IoCs

pid	Process
4344	CareUEyes_setup.exe
112	CareUEyes_setup.tmp
5100	CareUEyes.exe
3384	Replace.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\WOW6432Node\CLSID\{FC36FD6A-7586-4ad1-8CBF-EB8AB7A51533}	CareUEyes.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\WOW6432Node\CLSID\{FC36FD6A-7586-4ad1-8CBF-EB8AB7A51533}\uuid = "YTRmMDQ3ZTIxYWYyNjAyNDA2YTNhYjhlNjRlOGIwNjE="	CareUEyes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432Node\CLSID\{35125042-FD30-44fb-9006-2A5ACC5D8A2E}	CareUEyes.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35125042-FD30-44fb-9006-2A5ACC5D8A2E}\i = "2590304664"	CareUEyes.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
112	CareUEyes_setup.tmp
112	CareUEyes_setup.tmp
1668	msedge.exe
1668	msedge.exe
4592	msedge.exe
4592	msedge.exe
5496	identity_helper.exe
5496	identity_helper.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
112	CareUEyes_setup.tmp
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 4344	2984	16370ae8496af1013554c2025bba85d3e9ef190769104067677cfe3d91286591.exe	86
PID 2984 wrote to memory of 4344	2984	16370ae8496af1013554c2025bba85d3e9ef190769104067677cfe3d91286591.exe	86
PID 2984 wrote to memory of 4344	2984	16370ae8496af1013554c2025bba85d3e9ef190769104067677cfe3d91286591.exe	86
PID 4344 wrote to memory of 112	4344	CareUEyes_setup.exe	88
PID 4344 wrote to memory of 112	4344	CareUEyes_setup.exe	88
PID 4344 wrote to memory of 112	4344	CareUEyes_setup.exe	88
PID 112 wrote to memory of 5100	112	CareUEyes_setup.tmp	91
PID 112 wrote to memory of 5100	112	CareUEyes_setup.tmp	91
PID 112 wrote to memory of 5100	112	CareUEyes_setup.tmp	91
PID 2984 wrote to memory of 3384	2984	16370ae8496af1013554c2025bba85d3e9ef190769104067677cfe3d91286591.exe	94
PID 2984 wrote to memory of 3384	2984	16370ae8496af1013554c2025bba85d3e9ef190769104067677cfe3d91286591.exe	94
PID 2984 wrote to memory of 3384	2984	16370ae8496af1013554c2025bba85d3e9ef190769104067677cfe3d91286591.exe	94
PID 2984 wrote to memory of 4592	2984	16370ae8496af1013554c2025bba85d3e9ef190769104067677cfe3d91286591.exe	96
PID 2984 wrote to memory of 4592	2984	16370ae8496af1013554c2025bba85d3e9ef190769104067677cfe3d91286591.exe	96
PID 4592 wrote to memory of 2536	4592	msedge.exe	98
PID 4592 wrote to memory of 2536	4592	msedge.exe	98
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 440	4592	msedge.exe	100
PID 4592 wrote to memory of 1668	4592	msedge.exe	99
PID 4592 wrote to memory of 1668	4592	msedge.exe	99
PID 4592 wrote to memory of 1052	4592	msedge.exe	101
PID 4592 wrote to memory of 1052	4592	msedge.exe	101
PID 4592 wrote to memory of 1052	4592	msedge.exe	101
PID 4592 wrote to memory of 1052	4592	msedge.exe	101
PID 4592 wrote to memory of 1052	4592	msedge.exe	101
PID 4592 wrote to memory of 1052	4592	msedge.exe	101

C:\Users\Admin\AppData\Local\Temp\16370ae8496af1013554c2025bba85d3e9ef190769104067677cfe3d91286591.exe
"C:\Users\Admin\AppData\Local\Temp\16370ae8496af1013554c2025bba85d3e9ef190769104067677cfe3d91286591.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\CareUEyes_setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\CareUEyes_setup.exe" /silent
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\is-SIMKB.tmp\CareUEyes_setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-SIMKB.tmp\CareUEyes_setup.tmp" /SL5="$70238,4731251,131584,C:\Users\Admin\AppData\Local\Temp\RarSFX0\CareUEyes_setup.exe" /silent
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Users\Admin\AppData\Roaming\CareUEyes\CareUEyes.exe
      "C:\Users\Admin\AppData\Roaming\CareUEyes\CareUEyes.exe" /gamma
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:5100
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Replace.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Replace.exe"
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cybermania.ws/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffdc9d46f8,0x7fffdc9d4708,0x7fffdc9d4718
    3⤵
    PID:2536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,14567923890990463811,16479451585778412549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,14567923890990463811,16479451585778412549,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
    3⤵
    PID:440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,14567923890990463811,16479451585778412549,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
    3⤵
    PID:1052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,14567923890990463811,16479451585778412549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    3⤵
    PID:2736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,14567923890990463811,16479451585778412549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
    3⤵
    PID:2248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,14567923890990463811,16479451585778412549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
    3⤵
    PID:4572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,14567923890990463811,16479451585778412549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
    3⤵
    PID:3676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,14567923890990463811,16479451585778412549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
    3⤵
    PID:548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,14567923890990463811,16479451585778412549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
    3⤵
    PID:5068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,14567923890990463811,16479451585778412549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
    3⤵
    PID:4784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,14567923890990463811,16479451585778412549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
    3⤵
    PID:1672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,14567923890990463811,16479451585778412549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
    3⤵
    PID:5292
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,14567923890990463811,16479451585778412549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
    3⤵
    PID:5480
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,14567923890990463811,16479451585778412549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,14567923890990463811,16479451585778412549,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
    3⤵
    PID:5596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,14567923890990463811,16479451585778412549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
    3⤵
    PID:5588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,14567923890990463811,16479451585778412549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
    3⤵
    PID:5792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,14567923890990463811,16479451585778412549,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
    3⤵
    PID:5800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,14567923890990463811,16479451585778412549,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4620 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\11dfbc32-82b3-4c63-bb64-7b10d28bdd1e.tmp

Filesize
10KB

MD5
50f343d1e9ab13415c98c7442fd9e5fe

SHA1
9230a9514c56ee3723420d0c284aa51a85fa89b3

SHA256
4a75012003ca1f377a87fa93a928974369c0413f66e4231c98eb676c30a9acf6

SHA512
8877faae0a68382503362f20a8c9619a6342422e94ea5bd9072d41b966bb2eff560585f15e32fad7a1a5a0be1171daaa3a4d9170e125ed4fe11b89b1157eccad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
84df16093540d8d88a327b849dd35f8c

SHA1
c6207d32a8e44863142213697984de5e238ce644

SHA256
220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c

SHA512
3077ccda8f86f47c41978d6cbb1dcad344e36f236251c8fd8c58d1c48a59106aecfdbe306357b7ebcfe3300bec8ea10ee0e59434c799e8c40e40e6c3c1bd4098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
196de7564d7018f68451c96d3278933c

SHA1
d63fe7806fccdf0f7ea5beeed1d1c1699ef29eaf

SHA256
c34f432dcae5e6f182a9b476b3c0d1a383ccb3deacec6f67b9d57eb2335ee623

SHA512
85f1893c38684f248a28f40cb60dde576ad1f975686f878f6fb7c2b0ac1dff1038adfa15bfb572776bc31bdaddff1b059d66abbf6e25fc504061d90310b8e533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
b28018c10ec02c4ea738664bb9766b59

SHA1
c5f1eab2752c51a8d817609e721b104e151226e8

SHA256
b21a136f43bff61aef07ae2ecb0c399f535e3aeaefdbd70f5ce8b8999ef1191b

SHA512
a75f669fe2305c0de9b4d554499bdfa8898650ecbf34a46e751a797e49c34996515c0130ec6ae94dc6688bacd289d3ad56992baf80d93085f56a7c7e0bd9e444

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b291a44018dc1ec34b6345144584db48

SHA1
7b6c4489a9c0ab813a26ec5bd28129d9bb282953

SHA256
633ccdc601cbadf97947437e83d3c24b78527683a0d33f4adfb97687fc82003d

SHA512
8e7ca2ba876001c885d64d8e8c182dfe93fe5b4e11f16ae3aecabb25138cfd103fc096b4a4b310131b26c08d5167c7335570fc4674330ad80117b662fafb89b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a2dfb2e80b504142d1cec57b0f32319f

SHA1
fe65eebebfdaf0bf1fc55fb512d756476dcfdbb9

SHA256
d93ffe557368ecfe3edc7bf124a16de99eda6b0ba5e6c5f6eda3e0d60543ad50

SHA512
cc54e8e62007ea4eca3a229d97a9d4d7031756d8a564fa828d18b50458f215a60f03155d5eeb2f006fcbd67b5c2737734601918cdbb10965e574b0b2c7acbd89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
918ecd7940dcab6b9f4b8bdd4d3772b2

SHA1
7c0c6962a6cd37d91c2ebf3ad542b3876dc466e4

SHA256
3123072fba0ea8e8f960dd213659a0c96ce2b58683593b8ea84efac772b25175

SHA512
c96044501a0a6a65140bc7710a81d29dac35fc6a6fd18fbb4fa5d584e9dc79a059e51cbe063ca496d72558e459ffa6c2913f3893f0a3c0f8002bbca1d1b98ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CareUEyes_setup.exe

Filesize
4.9MB

MD5
6a7c277dfe315a93ea5f6949b341fb9f

SHA1
63beaf84877331a5897ff9402ccbb3debb7ea425

SHA256
c115bc82b2cbdce64bf738145d784a8c338c482dd03d20b8a454ec9128dbdbb6

SHA512
4bd67444c7855dc51036ae902aff2e5e6019abba46b0fabe2384ad6f9ed120ca07815202ba201098f0ec5ca8e433395969d90e2a19e1255ab19eae7946226833

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CareUEyes_setup.exe

Filesize
4.9MB

MD5
6a7c277dfe315a93ea5f6949b341fb9f

SHA1
63beaf84877331a5897ff9402ccbb3debb7ea425

SHA256
c115bc82b2cbdce64bf738145d784a8c338c482dd03d20b8a454ec9128dbdbb6

SHA512
4bd67444c7855dc51036ae902aff2e5e6019abba46b0fabe2384ad6f9ed120ca07815202ba201098f0ec5ca8e433395969d90e2a19e1255ab19eae7946226833

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CareUEyes_setup.exe

Filesize
4.9MB

MD5
6a7c277dfe315a93ea5f6949b341fb9f

SHA1
63beaf84877331a5897ff9402ccbb3debb7ea425

SHA256
c115bc82b2cbdce64bf738145d784a8c338c482dd03d20b8a454ec9128dbdbb6

SHA512
4bd67444c7855dc51036ae902aff2e5e6019abba46b0fabe2384ad6f9ed120ca07815202ba201098f0ec5ca8e433395969d90e2a19e1255ab19eae7946226833

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberMania.url

Filesize
4KB

MD5
f89e823b83f9edc863ae9e35ea0a5949

SHA1
12db7e3d70e47bd97df335c74cd7323dc48a778d

SHA256
7fba1e8849a88298272be247c2b22ef4a50ac1bc4c83a4c02848bc131e622088

SHA512
d3e297af4eeeb3b8201381fddc426c33ab543db80c0da2ef7ee000ad773cf6895d7221ec17b95806377ea74488f8db7354e23d13c43d87599f6b02631e379d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Replace.exe

Filesize
9.5MB

MD5
d68b4ceeda8e4d40f7eafa99fa59ecc5

SHA1
1870ec6b7892fece54dfb80cf051b2bdf059230f

SHA256
61510e5a47cdb44e2951984d15fd88f782a83bf6789e9e1a02c8a4780c53a63e

SHA512
02a860080ba7e0892f2902ad8a527db5d45d3dd2de27ed57e5cd33f3073a5eeafba5368ad59358c86b4d4c943c25ce3aee5751028811a22dc40d535a6ed75e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Replace.exe

Filesize
9.5MB

MD5
d68b4ceeda8e4d40f7eafa99fa59ecc5

SHA1
1870ec6b7892fece54dfb80cf051b2bdf059230f

SHA256
61510e5a47cdb44e2951984d15fd88f782a83bf6789e9e1a02c8a4780c53a63e

SHA512
02a860080ba7e0892f2902ad8a527db5d45d3dd2de27ed57e5cd33f3073a5eeafba5368ad59358c86b4d4c943c25ce3aee5751028811a22dc40d535a6ed75e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Replace.exe

Filesize
9.5MB

MD5
d68b4ceeda8e4d40f7eafa99fa59ecc5

SHA1
1870ec6b7892fece54dfb80cf051b2bdf059230f

SHA256
61510e5a47cdb44e2951984d15fd88f782a83bf6789e9e1a02c8a4780c53a63e

SHA512
02a860080ba7e0892f2902ad8a527db5d45d3dd2de27ed57e5cd33f3073a5eeafba5368ad59358c86b4d4c943c25ce3aee5751028811a22dc40d535a6ed75e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SIMKB.tmp\CareUEyes_setup.tmp

Filesize
1.1MB

MD5
31b0ca3fea6b0a4de6c0b60df6d0f8de

SHA1
f006e23679af783325f13bad1077e39de7ff031e

SHA256
f91656871fd959fed90f0255818ab2a19c3ba4c626b76f06ccdbf87da8a9a87b

SHA512
1e21e72729fbc8897b0b60e19cf50625f28452e3f70a095f98e7c7c9a3c4176343acbd0af68b0433fdb7c94f127b61eee53baf30005790efa728aef78b5eaa20

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SIMKB.tmp\CareUEyes_setup.tmp

Filesize
1.1MB

MD5
31b0ca3fea6b0a4de6c0b60df6d0f8de

SHA1
f006e23679af783325f13bad1077e39de7ff031e

SHA256
f91656871fd959fed90f0255818ab2a19c3ba4c626b76f06ccdbf87da8a9a87b

SHA512
1e21e72729fbc8897b0b60e19cf50625f28452e3f70a095f98e7c7c9a3c4176343acbd0af68b0433fdb7c94f127b61eee53baf30005790efa728aef78b5eaa20

Download Submit
C:\Users\Admin\AppData\Roaming\CareUEyes\CareUEyes.exe

Filesize
5.6MB

MD5
3bccf07a9db2a364b19ba12c18a89f30

SHA1
bb9005a148681881a2385971bfc39346ba308647

SHA256
e76e65343553bdec6e61020f2b177f1e908246852d19839d87034052100f9b39

SHA512
65ac0145e51ca135e3a1d5287131e88dca1e909633bda46f11a6f89d4076eccc31b6d64eb2c012190fae247173c496dd484c0a80e7cb2c08d08a626464490762

Download Submit
C:\Users\Admin\AppData\Roaming\CareUEyes\CareUEyes.exe

Filesize
5.6MB

MD5
3bccf07a9db2a364b19ba12c18a89f30

SHA1
bb9005a148681881a2385971bfc39346ba308647

SHA256
e76e65343553bdec6e61020f2b177f1e908246852d19839d87034052100f9b39

SHA512
65ac0145e51ca135e3a1d5287131e88dca1e909633bda46f11a6f89d4076eccc31b6d64eb2c012190fae247173c496dd484c0a80e7cb2c08d08a626464490762

Download Submit
C:\Users\Admin\AppData\Roaming\CareUEyes\CareUEyes.exe

Filesize
9.4MB

MD5
6f11e2be5d8eff27142ceeb450525276

SHA1
302c67ee3297427fa0d828e8d5a16973d0356192

SHA256
bc9aaaae664ed1700078b2952441ea705a8dbf7d998755c87d46009440afbe7b

SHA512
021d4432765cfe25b8d18d62d1d8e1623ea5515d2fd8b4de2ffb34bfc4c9bdbb1c2f8e24419716925fde1d75c2c9ec0c3f99fadde2523dba9fc39783087b975b

Download Submit
C:\Users\Admin\Desktop\CareUEyes.lnk

Filesize
995B

MD5
96abbe8085355db5aadbd03cd78ed549

SHA1
5ccbd9af9aac0ffccf84c62f9d0bf4f869fa4700

SHA256
4dd9eee44ed0a0e3adda77fd0f831a5680843282c294cd7a3150e4a843d243f3

SHA512
857a31ffbee097f7cb58165fc07a71c94059d49b3161231b3a7c1543043df2a47bfdb365c215b0f4aa68eabe59b79449daea7d9b1b8a4e301cd41bd32734efda

Download Submit
memory/112-74-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/112-22-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/4344-75-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4344-16-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5100-56-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/5100-44-0x0000000036910000-0x0000000036920000-memory.dmp

Filesize
64KB

Download