hxxp://q | Triage

Analysis

max time kernel
256s
max time network
258s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
28-04-2024 19:00

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://q

Score

8^/10

collection spyware stealer

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

nevirus.exetmp37C.tmp.exebrowser.exeemail.exetmpD2E3.tmp.exe

pid process

2812 nevirus.exe
2188 tmp37C.tmp.exe
556 browser.exe
716 email.exe
484 tmpD2E3.tmp.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2812	nevirus.exe
2188	tmp37C.tmp.exe
556	browser.exe
716	email.exe
484	tmpD2E3.tmp.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

email.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	email.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

44 5.tcp.eu.ngrok.io
Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\system32\eventvwr.msc mmc.exe

flow	ioc
44	5.tcp.eu.ngrok.io

description	ioc	process
File opened for modification	C:\Windows\system32\eventvwr.msc	mmc.exe

Drops file in Windows directory 4 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

browser_broker.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133588045108069915"	chrome.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exetmpD2E3.tmp.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Packa = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\mscfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UACBypassLauncher.exe"	tmpD2E3.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\mscfile\shell\open\command\ = "%SystemRoot%\\system32\\mmc.exe \"%1\" %*"	tmpD2E3.tmp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\mscfile\shell\open	tmpD2E3.tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\mscfile\shell	tmpD2E3.tmp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{30B483E2-7DA8-45DA-BCEA-ABD7327B91BE} = "0"	MicrosoftEdge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2628 PING.EXE

pid	process
2628	PING.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

chrome.exechrome.exenevirus.exe

pid	process
200	chrome.exe
200	chrome.exe
4880	chrome.exe
4880	chrome.exe
2812	nevirus.exe
2812	nevirus.exe
2812	nevirus.exe
2812	nevirus.exe
2812	nevirus.exe
2812	nevirus.exe
2812	nevirus.exe
2812	nevirus.exe
2812	nevirus.exe
2812	nevirus.exe
2812	nevirus.exe
2812	nevirus.exe
2812	nevirus.exe
2812	nevirus.exe
2812	nevirus.exe
2812	nevirus.exe
2812	nevirus.exe
2812	nevirus.exe
2812	nevirus.exe
2812	nevirus.exe
2812	nevirus.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

524 MicrosoftEdgeCP.exe
524 MicrosoftEdgeCP.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

200 chrome.exe
200 chrome.exe
200 chrome.exe
200 chrome.exe

pid	process
524	MicrosoftEdgeCP.exe
524	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2912	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2912	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2912	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2912	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	976	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	976	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	976	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1780	MicrosoftEdge.exe
Token: SeDebugPrivilege	1780	MicrosoftEdge.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe
Token: SeCreatePagefilePrivilege	200	chrome.exe
Token: SeShutdownPrivilege	200	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exenevirus.exemmc.exe

pid	process
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
2812	nevirus.exe
2608	mmc.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe
200	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exemmc.exe

pid process

1780 MicrosoftEdge.exe
524 MicrosoftEdgeCP.exe
2912 MicrosoftEdgeCP.exe
524 MicrosoftEdgeCP.exe
2608 mmc.exe
2608 mmc.exe

pid	process
1780	MicrosoftEdge.exe
524	MicrosoftEdgeCP.exe
2912	MicrosoftEdgeCP.exe
524	MicrosoftEdgeCP.exe
2608	mmc.exe
2608	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 200 wrote to memory of 4132	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 4132	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 3580	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 4356	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 4356	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 1532	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 1532	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 1532	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 1532	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 1532	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 1532	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 1532	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 1532	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 1532	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 1532	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 1532	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 1532	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 1532	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 1532	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 1532	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 1532	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 1532	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 1532	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 1532	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 1532	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 1532	200	chrome.exe	chrome.exe
PID 200 wrote to memory of 1532	200	chrome.exe	chrome.exe

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "http://q"
1⤵
PID:2588

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1780

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4140

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:524

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2912

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9f3719758,0x7ff9f3719768,0x7ff9f3719778
2⤵
PID:4132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1864,i,2084097453259692092,8924416839677516064,131072 /prefetch:2
2⤵
PID:3580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1816 --field-trial-handle=1864,i,2084097453259692092,8924416839677516064,131072 /prefetch:8
2⤵
PID:4356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 --field-trial-handle=1864,i,2084097453259692092,8924416839677516064,131072 /prefetch:8
2⤵
PID:1532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1864,i,2084097453259692092,8924416839677516064,131072 /prefetch:1
2⤵
PID:1036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1864,i,2084097453259692092,8924416839677516064,131072 /prefetch:1
2⤵
PID:1476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4432 --field-trial-handle=1864,i,2084097453259692092,8924416839677516064,131072 /prefetch:1
2⤵
PID:312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4512 --field-trial-handle=1864,i,2084097453259692092,8924416839677516064,131072 /prefetch:8
2⤵
PID:976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4792 --field-trial-handle=1864,i,2084097453259692092,8924416839677516064,131072 /prefetch:8
2⤵
PID:4604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1864,i,2084097453259692092,8924416839677516064,131072 /prefetch:8
2⤵
PID:4764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 --field-trial-handle=1864,i,2084097453259692092,8924416839677516064,131072 /prefetch:8
2⤵
PID:908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4808 --field-trial-handle=1864,i,2084097453259692092,8924416839677516064,131072 /prefetch:8
2⤵
PID:3080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5128 --field-trial-handle=1864,i,2084097453259692092,8924416839677516064,131072 /prefetch:1
2⤵
PID:2708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3216 --field-trial-handle=1864,i,2084097453259692092,8924416839677516064,131072 /prefetch:8
2⤵
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3156 --field-trial-handle=1864,i,2084097453259692092,8924416839677516064,131072 /prefetch:8
2⤵
PID:1696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5060 --field-trial-handle=1864,i,2084097453259692092,8924416839677516064,131072 /prefetch:8
2⤵
PID:2400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=1864,i,2084097453259692092,8924416839677516064,131072 /prefetch:8
2⤵
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4924 --field-trial-handle=1864,i,2084097453259692092,8924416839677516064,131072 /prefetch:8
2⤵
PID:1528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5048 --field-trial-handle=1864,i,2084097453259692092,8924416839677516064,131072 /prefetch:8
2⤵
PID:4600

C:\Users\Admin\Downloads\nevirus.exe
"C:\Users\Admin\Downloads\nevirus.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2812

C:\Users\Admin\AppData\Local\Temp\tmp37C.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp37C.tmp.exe"
3⤵
- Executes dropped EXE
PID:2188

C:\Users\Admin\AppData\Local\Temp\dump456\browser.exe
C:\Users\Admin\AppData\Local\Temp\\dump456\browser.exe -f C:\Users\Admin\AppData\Local\Temp\\dump456\pass1.txt
4⤵
- Executes dropped EXE
PID:556

C:\Users\Admin\AppData\Local\Temp\dump456\email.exe
C:\Users\Admin\AppData\Local\Temp\\dump456\email.exe -f C:\Users\Admin\AppData\Local\Temp\\dump456\pass2.txt
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
PID:716

C:\Users\Admin\AppData\Local\Temp\tmpD2E3.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmpD2E3.tmp.exe"
3⤵
- Executes dropped EXE
- Modifies registry class
PID:484

C:\Windows\System32\eventvwr.exe
"C:\Windows\System32\eventvwr.exe"
4⤵
PID:2236

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
5⤵
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2608

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c ping 0 -n 2 & del "C:\Users\Admin\AppData\Local\Temp\tmpD2E3.tmp.exe"
4⤵
PID:1796

C:\Windows\system32\PING.EXE
ping 0 -n 2
5⤵
- Runs ping.exe
PID:2628

C:\Windows\SysWOW64\shutdown.exe
shutdown -r -t 00 -f
3⤵
PID:2588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3200 --field-trial-handle=1864,i,2084097453259692092,8924416839677516064,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4880

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3928

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a82055 /state1:0x41c64e6d
1⤵
PID:2996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
96B

MD5
496974b57a9cbd970568363e872f390c

SHA1
cc1df6790eaa81e7ad4b604d84d88c07c3527c16

SHA256
a544f961a00416c5067eb60e77226f02d5f68ebbf74ff8626d9a2a570dad7fdf

SHA512
ac878d91612f3ebf118936229b301f6b897ad55c0ea209e56688e393489ffbffe760200849c60dac4800933cbaad61f6f54e260351e050cdf363c40823ffaadc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
1b3247768e6f998ce0eb5140dbca0517

SHA1
27a64f58e04999236a18b7fd908ada09ff00162e

SHA256
7c99c7d3a75e98b9ad65f78e30bd9b5aaa3d8d9ef6d0a633ca31241818ba9a30

SHA512
fbbe0a681bd0a9741587a03d15ef52e6099d20da06b70e853b8e0f71eb0f44b84853870473702468ae7d15305f8fd59ead3cf541cac0552c7528c84ef2479867

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
b6f968a6472dafd135784b66a117089b

SHA1
cd41131461f3cb2da21eb32e05483513ac5cce82

SHA256
f0d5cfa74d8a51c660e4dc984d20ce5d1ccfc26084de718dae82be8628d07c2f

SHA512
87a30e4653b9152a19977c1bb1cfc25e7cadee844d9460195130e8eeeae0f092677b9116178277362de65b9e199c21962f5def6e827b9575012bfa46707f3665

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
700f888558d60eba51e82c67b71fe02c

SHA1
86f2d5143d712ef1a62b7ef6380f6017f8767d32

SHA256
ddb6b0eb5c5559254f3553d212b6d37f7c9bd926ae58def5c446fea9c2704bf9

SHA512
42a35474f820182613498d03e8f30ef7b40c94a5720f5ce9e6870a5d6a1eefeeddac972a51b210e582625c15fd843564549f8bc30b18508915b6bb15a5a78ece

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
537B

MD5
b699fd6a85bf23c1ad94ebffa3182746

SHA1
171a8a7a763661c05753790ccd669217ea0ca37b

SHA256
667460c39d1640f411331dc1349d75ea4ad03331835b3a33822c424c159e95a8

SHA512
e89b5eb85246bf3b353b8b3eb6f5a50e33f27e096e5196a66d911c700cff1f41c4470955d14566622d1c0a684561c604c8b7089692492446ed0864348fae9fa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
446c4301ef453458b0d9827822f641ff

SHA1
34b63830172e45c6b4a86b31f39f9a6e4a2eaf64

SHA256
920fd55a179e75ed005b37f208f7fecbb102c2ab3b5eab02066c6bba849ba90f

SHA512
e1883b938e48825d7f2f5e656021d93530369459b05e862d3f21ce23762f0b55fb843b8b03674d120cfbdb92335454d485208761307c801d7c48d12a02b83b55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
6d1ffec19fc1d61c148f249aaa3c6d86

SHA1
0d0446d687914f6cd66c02bf93c5da3abeb0b571

SHA256
485994764a7a40b1fc00e3f3ad47278c1458d43d200b7797bb016c5b6cb2b018

SHA512
85eed7996e0d533dbcf5437d1d5220e8b7e9f50f23b4df5efa810dcc2fc6e7328ed98240e23805dfdcefc7ec879c62a963a11eaac87da9055cf6e600bc5ae9c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
5c2c236972c420bbac94d058b203e2f5

SHA1
b71eb512b9f86abededf4072f9492a1cfa442b5a

SHA256
0c92bee72aebede8356bf87c9dddab64f49d8d3ad2096475c8937ff82ca95d04

SHA512
7730afa6a529aaa0d823c4e46b0d731dde4a4d7e91abcebccab759a8fe44aeb04caa34f7fb80c00149b6f73fae15409f566193ad4e75c486b55efe1428d7a3fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
089da6e6bba6a8228e526c85c0c38391

SHA1
cb2de962a472b44f4a307e4927a94dc39f6c4ef6

SHA256
5ecfd7b1005d31322d56277383a5d341bd01a45f452e50a7fc77a8f0bc3ef8cb

SHA512
c7ec88c28731b7d6669f1ebf10dfe4e29ace95eb17da346d6d9fb8ef472561dd902fa6dbc6cb0032348892f3cdf1716ca4d4244da8b352d44c6f0dec7017ec2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
ea7cd2245d0e386dbd146617b27e58ad

SHA1
c1ac116768b0df9fc3027b7dbedb9ccd716b405a

SHA256
248de46b1438bf944f16422fdc11d56ed7beb79c487a222897c539b9edb1a965

SHA512
e0af60df73c7ebe8553ba0613656bf080c1febf4ecae2a32a4c936ae7947481db38883a08a2a07002382e0896f17c20906583192e4620e9369e774b7a771d2f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
adb47b9f2097d96612ba917a69b34e20

SHA1
8948ee505606cc2f93a1db5f89b47b5757e3fddd

SHA256
d75130368b193d7b73e8ea6ba4a50abe8f84be5b8789a33e735d796c4734174c

SHA512
97083b8323ce0713d4dae467fc1d4f4d2848276be1002a28253004bc4374aeb3d4ff22b63bc11cedec4431464a7a0bb54c96a56f896fde3b8a10cd4d1b4bbbd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
12KB

MD5
12a745e88b72051e17cf844f5507401b

SHA1
58fb965560adb24f3c45a7b634971fe9f92378a6

SHA256
da3deb2e54402a81e7ff9c55ea1ac988c1f22ba5873ff1c05856f219c16946fb

SHA512
55a5bdec76d7bff851519c4ef156bf3a65869f3721a923023d20c86b05c4c277a916b600eefce1ddf5cfd10317826327908f89293a9715078870a5d7f5a5509d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
273KB

MD5
6274ea31d43d198da10dc63a51375595

SHA1
837176f8d5d7ab852e01bf5dd94b2d879d36a4a7

SHA256
c8373a3831a8e52b174b7ff2ae09ddd058a6a267892a7aca6dd0957f4b6712c9

SHA512
fc4fee40978e0d1a32fcf8f90819c50311742f3bf5aee9b5ed9bf4c8cce10dac857728f7d4fed9cc1d68e8f8e65b4419caa7b53a28f8da060ff5f0dabcd1872c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
149KB

MD5
31c89f5c205620f7c8b593e2de491923

SHA1
15fa9b5aa7878362509a51ed15a2c55799522830

SHA256
dbf72e308d1c3bd63c15bfb93220ea5b5a31cc55c92068c9d4ba4456fa5ca836

SHA512
7a44387d3aa7706172d08eb52d135b49bc09b496f0d18fe5bd5c5c0d5aa090196ecdcde2bdb77d064fca4ea9540b69fb7e8b83e3ff2c698d36207c184120df3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
105KB

MD5
62ad4478e0d6cb03c85c8c33f92d1e94

SHA1
2c3c6f25737bcf11ef82a0b3813a3b9adc37618f

SHA256
84aba2aa96acfc99a2e4ce0cd410b50a66d781ea5ad70c6312d59d34b7c9359a

SHA512
796c891f970a73f2e0bb5d23881185755b6d72e1b3dfd266b9935cdce7b6b2968245d7aff7883b8d1db847f64cb1c3401875165fa1cfbf5755b1f13f0ec1738e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59d70d.TMP
Filesize
92KB

MD5
000794f759ea910a41b7f3338f43c3ec

SHA1
9c85e1fba100b53a34e0b786018cba9767b2610b

SHA256
db26f27a42c883c033be2743313c068bb5c8c1371c88216f89e75067e5827a34

SHA512
e1f93d1ce390c6c23c0dc28dee4193346405f3bc63bd98eb33512707cbad2d6832929e9e4577d3793f92cfdb432a56d3122880e0d066a26870e9365e46454934

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF8DDF3EBBC8621FA3.TMP
Filesize
16KB

MD5
9c7fdde40f9e8ef18de6cbd32b0b9af7

SHA1
2b1d78ca2e695b26f3bad14f94c25237f64dd98b

SHA256
ef1743ad6f99e5b7ba484a9add75fa762809d9a77273dcd3617907324bc7b56c

SHA512
f9983202e620113aaa7ed52e94489711d2c322705020e113588a19f73ad417e888e320c272ecd42fef25c0db000730d30137f2c626fd9a6a1803a31e32d35012

Download Submit
C:\Users\Admin\AppData\Local\Temp\dump456\browser.exe
Filesize
439KB

MD5
10ae9f2eb3e7e79590493c47e39eb04b

SHA1
87490001bce150fd684e6ffe9343aa8f62dac963

SHA256
2a403b01727b1f8d2a7079427946f178c3c66dc17a00e6d1ab7547b11680d012

SHA512
764cd1f5f5466dbb55ec8ee1360ec8a8671468c761d3f70e2e9bc4f548e1d4bb920254abf68eb6c3c2a44bad7e9d7e7c205d4e316d3d0fdab2f2f55e398f9ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dump456\email.exe
Filesize
464KB

MD5
9b222f92f7c7da9287e5daa968638638

SHA1
99b8f6deaa13d04e9ec49a23eadbc9736209df26

SHA256
941d0b28c048462fcaad246d6c0721d261a18d233732bef9a900adfb29ad7364

SHA512
8ff915bda99d0ea3a5426c2f92c9f583af8a4aa162c3fddfe0734d7617135a1fa5f6a85ec5eae80a1f0b9f95e595e53998e3da262aa5bdc4489a0876010472e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dump456\pass1.txt
Filesize
1KB

MD5
eb27d56cb9e5b4421481a5f43e41649f

SHA1
2bc61491c880e4938a664d60a982616a2dfcf8d7

SHA256
9c8df096357fd180fa3b2194adf7a5e7ab1f75748befdfdd8f90496e0bce3772

SHA512
e52ddb5128d03bd1ae490476f1877319eae7f7b8504879c02e5fa9940a0a6aaa60c92f3d4a9a557b95d5a07413f88b0f2b66594eac41405061808dc959991a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dump456\pass2.txt
Filesize
400B

MD5
51e38a852a05cc9718fa3f68041e9dad

SHA1
dd4bee5a01be174c3fda9904c61cfb2c41ede71c

SHA256
b6e9dcb02e18ec89d3e003c56fffab57b9afb032f89f5a7826b729311938b288

SHA512
197fb341edd0185948ff9739368ab0bea74012e87c9d27a67a665af50be2df7d6305b336e16cd1cec04dcca330dbbf6103d942ca9796030eb0b67fd331bea675

Download Submit
C:\Users\Admin\AppData\Local\Temp\dump456\pwd.txt
Filesize
1KB

MD5
23f048c69f5fba81d7e65d77465ebf2e

SHA1
71d2a314f3538e8859ee0064e888c930612920cc

SHA256
95930f1dcfb13bea11b4f40d03f1dcf098bec29c250baa6f6f6f896c27044170

SHA512
c60d8a0d9dd8beaf467a276da7e4a40fc279eefbc0d4406a1d1a679b8709d21a72dcf9518bfe68358715a7b8976f655aceb91ae95c2e6d35e59653a205c14688

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp37C.tmp.exe
Filesize
915KB

MD5
2e17223a079a3957be8009ebed5548fd

SHA1
63c6378d766db9b0a4a5cd960d9f5b6184d867e1

SHA256
eff6d9f2f2609be04c69339c21b69b77c6b2f9575ff1b8ea3218426032f28a29

SHA512
2b31424278b60708045e8ce4e3c7519fcf409aa755ccd8e942cdfee4e127112dbbf2f34e7e161cd511c21594b2679fd7c926848d7591f3283d4d9cb71f40a60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD2E3.tmp.exe
Filesize
1.9MB

MD5
9462fc0f63c2f95bc2e6796189ef18b5

SHA1
6bb4282414f3fddef31debe396a5264371ab1e3d

SHA256
80063f3e9fee6ced4f159714bd00ba61d757fd185621d82330bed16d4c2eb495

SHA512
c0b542784f681aec31899235e425c482b43da038f1ca847b428e34a4677f1da30c773f43183c3d287f64bb7271fffcea873ca03136de77f54c1bf614cccec297

Download Submit
C:\Users\Admin\Desktop\ApproveInstall.m1v
Filesize
737KB

MD5
d0db6de134c48a245b68a96455eb7ae5

SHA1
221541d9cec20393f0a8c320b19aeb45e7e60498

SHA256
e6046453cb4b668b6dfce47afa72373fe3a0785ef69d7308b6197b89f935545e

SHA512
9224a916cd05901b97d0b1e73601f1a0f290bf9c6c9d6ba29d6caed4b02351612e7feb1aa190b163030ef4a5cfae318916a92d9550118b785cee52e422e7b985

Download Submit
C:\Users\Admin\Desktop\CloseOpen.mht
Filesize
368KB

MD5
d258731bb8c10af9517c6236fccbf433

SHA1
677601a55f381ff16e004fca92548ac1bf111aa0

SHA256
549f8de4b6c23308b8068281288f5143c4cd74ac283ab9300f783c3ebf688c4a

SHA512
400551cd3e26f210a533e15cf9845be2789ed6efe3e0d95f0fe29a97b5c675050d298d180dfb0fccc10a8c371ecd59ebdac123fa4ed08705249c1f134fbd3f72

Download Submit
C:\Users\Admin\Desktop\ConfirmOptimize.ttc
Filesize
583KB

MD5
ec2d2468270c7eb9591352c7874bbba9

SHA1
af57430226b95155566227ccc77851f28dbe2a27

SHA256
e2c14565e206f5c47ee97e2aafdac3431cbf50154f9796ea5d070fd8b688f6b2

SHA512
95667ab4056c4a4c63e6417e6ae5b08d457a0f0cf3c9a077910769a1d9af03716ca402b021752d6e8c617ed02c1cb084211e80ee515f0ffeafab38ca666ef2c4

Download Submit
C:\Users\Admin\Desktop\DenyDebug.asp
Filesize
675KB

MD5
005a62965a06d68dcd7e26389c2c6aed

SHA1
7532de2a07398ce8d7f5bd015bdfa81f8ec6e903

SHA256
62570380d8b8c70c33bebf6fc0e86a01961e7ad2d27b93cf65ba0a674b8280be

SHA512
1419c239c24169d4fb60a66a518bf1f612a599d3fc97841af1a141bbd497679f9f69ab45563c5b17c258520c8bf302dac1337b862e9bb9f32edc5a14e6878268

Download Submit
C:\Users\Admin\Desktop\HideInstall.mpeg2
Filesize
614KB

MD5
4094061ffc502aafebd7dc92813d6fed

SHA1
629782cbc77f0281d94d2ca5e1fbba2dd3d4f0d7

SHA256
082d3f261b771f8bdc468e92d2924eb234bcac6915c1846e0114e00c222ffe04

SHA512
47b8a395d781f5d3d3f7fea6781dec26c93d15094cf7081f5a92f658a4f4c0711edc7025165ae1d94eec968dcc40c205540fc3e8dd933da0313b4578f0c6af96

Download Submit
C:\Users\Admin\Desktop\ImportEnable.cr2
Filesize
1.2MB

MD5
f9aa2a52fe97d636af75400175aa3cc4

SHA1
59c1bf6ab273d0c7e220a33094d96f152d9476e3

SHA256
41fdc4fc7f11d43fd4d444f76ef6426091f1e545dca6f67809cbfdbe2da15d9c

SHA512
5e35830f6ec968134a92755abdd8e436135fcad95d2d130b1499ef33b737fe349ebdb3c5a59a4f2194f94fda92017eb73fd65fcee58d5e4f437018fd88e07397

Download Submit
C:\Users\Admin\Desktop\LimitNew.mp4
Filesize
430KB

MD5
3ff5795df8334e91a17b1c152f394c0b

SHA1
0dc1dce389b39d84654cef6d3c40bd9cd5f5b15d

SHA256
f1a21fc5b9474c1bd9a92ecba92e93c3c9269940f8e448d149ea2b84cef95ea6

SHA512
540ad3dcff60abcad47d8b2672c6388532efa14d086cfe49c49a89a9760a539c928da92e65c0b46a19445c792568028108bc49d9cdf21e95fa800c3b4f75398d

Download Submit
C:\Users\Admin\Desktop\LockApprove.txt
Filesize
860KB

MD5
ddcd5ab01327a62ba80ac24ee1425470

SHA1
529f7e54940cb338fd5ce8ab32bf910f6547f3cc

SHA256
c0b7942478f59bfedd8db6b6d955979376658b665c4371f59af942abf384e55c

SHA512
d0e3cad0b6b607041bf658a5c0b461ca362d61ed15dc9d8c52adf7dcf30e147e863e1e468c33d0a545349fb7281b384e96bc0f2f825b124bde1322fa8e9a42be

Download Submit
C:\Users\Admin\Desktop\LockReset.search-ms
Filesize
460KB

MD5
ed2e88a3d5c43fd60f5eaa3b9c458406

SHA1
74b9224a55c2f017bca4ea4c9b92d0b9e7f2db14

SHA256
b6f251d07270542e47f1b818c134cd4c2fa128548a460d73ae943b76022fdeda

SHA512
9c78dbc8fa873f096d64bc583868dd0e31f28db9860a5af8015a7cc4fc8d89c8e2c6c57b0a2b885b1c5a546400c373653295f24a365bcf5d396cd31341b21a0a

Download Submit
C:\Users\Admin\Desktop\LockResize.mp2v
Filesize
645KB

MD5
4e808f257d654648a7d6fc20b3e780cf

SHA1
6c53ec2f90f8a42026ef0f76275d019a0bffddaf

SHA256
88ed16fb54b663b5c7a3da29ad38fc37d2c03c2ab7136d3efb7ac8da350c40fa

SHA512
6dde75de9ca172fa4546dbeca7e59556abd0f6a7ec7b2f9c14d13932a6f494c1a77850c70f332bc638d7edf2edb833031d68bfed6c406299bad0c8ec392d6e58

Download Submit
C:\Users\Admin\Desktop\NewInvoke.hta
Filesize
552KB

MD5
7f2786b7aa3446363eff1f6429aab4ba

SHA1
ee82dc4b5da2afe820aead628b20892e135c3772

SHA256
a082e99c5460ebfb405d17c2ef0c7238ea9347a78a50152399c1a31a1b559a68

SHA512
cf20709203ae47ceebdcccd7142c0ab0eace727233dd4353b79908fd66561f1b365ba165c315080ad62c5fcf5940bb0166e6f743faae4990179951f40dee33bb

Download Submit
C:\Users\Admin\Desktop\NewSend.html
Filesize
829KB

MD5
681dbc0736aa729dabb76cc3365337e1

SHA1
5ac747eea2515fc5d1e393f74d0d847cf3f35008

SHA256
6f866e95f853349bbec9ee5023544051217f06f5b0f9e6e2515a26c6277b5d9b

SHA512
8b8289709a161539c322e1cd3cf917cfdc777144d8126b16b4ce8bdcb1711f0b17538954c1d9ee6ec160732758ddf09989a38ee9725e4941ba4efd5b7f06810e

Download Submit
C:\Users\Admin\Desktop\PingApprove.xlsm
Filesize
522KB

MD5
c61b262939ba228140f4e4f4c795415a

SHA1
d893f33e9ea5fc8a4006b89d988b526b86f8ecb4

SHA256
d11c37d116616e4e3977ab7a13c9bcb181aeedce2c3e69482f80535b17a9c56a

SHA512
2a6fc3dccb0d3f7fdddb690730acd0d4c4fb9d20bbb6dac9642b083534816b1fa02800514549460fcb5ebe4b7738fc80d39c6218d9f2a42c656799eb874a4288

Download Submit
C:\Users\Admin\Desktop\ProtectFormat.pptx
Filesize
399KB

MD5
683d9692a36395728a5abd8bbf73114c

SHA1
55ef6d4d677aeda06783342c4d7121385ca36a07

SHA256
58b4c7f0de0ad5c57eb2c4c25c6dfde69f1b7a943324e1eda3604ffa75b1a3b8

SHA512
8f2b3da925b38dc29d7a1ea344cc798d1bc6c936772b9c124910e359a6b13dac515673f0043d86cf7d61b58f1daa376485caf892a8983203a3c9c9b65b4a9df7

Download Submit
C:\Users\Admin\Desktop\RedoExpand.pub
Filesize
706KB

MD5
a6ac0f9198bb2ee5b5fd884e6d996f10

SHA1
e7fa26695a9fa0e6aa012619107cce0a47ee6a7f

SHA256
dc68a0aa1544e9fe11940f24cfb3b590619b5627fcb50fc30e31346973181eb7

SHA512
8251bb947d49f3c2e3dafc5bd5ee310bf51b44b6f02de1ca8108962ccc5d8205b976e3fb21fa94936d8d7bda7452823fb5bc09d682c3581e4b8a77be50ec7da1

Download Submit
C:\Users\Admin\Desktop\RegisterSkip.xla
Filesize
767KB

MD5
695568593d28c7049da0881eb4f52fcc

SHA1
8ff7269836883b88276b61bae38eab4815205b72

SHA256
ae54e37ae89d4f32b3a03b18db67542a670b7d4f18d83f32fa62dc31bd31241b

SHA512
a60977a6035b5a667622ef9281bf3cfb03172d7b604d9b9177d1920f4ea10aff90740b5f32f0569675a23decb1387835055f6124c0cf5b655754d2a1af04c17b

Download Submit
C:\Users\Admin\Desktop\RevokeRegister.dot
Filesize
337KB

MD5
cfbd2304958dd32b04196eb4bda48d8b

SHA1
7ecd4d453f051ec8d5bb66997cfdf9e9116d64ac

SHA256
00032128d52bae39840357916427cff89df8258b322f4cf6acbab70efbc40d81

SHA512
73d37eccb01ec19bf20d94b84a122bf5d4497b1ecac41e1800847d89eb0d6cb46394159eb6fdf96a8d3c171fc670b1e1cdd8dc3ed6600f3ae6d6dd8c94bee5ea

Download Submit
C:\Users\Admin\Desktop\StartUninstall.docx
Filesize
798KB

MD5
6a7000c435b0b0f9fd9d8f824446bd51

SHA1
0863b102f8b15be34b48cfacbb6e015ecaa19b46

SHA256
5e9feffb3c5b2ad0fbf8826a464735aa314e04d0e7c5972f3ab87f6ae114dabd

SHA512
f58abf8b4e14f1686d1888e7e4c8de07863d0795e2d529983dfa2488b218016d5728bb1c5a0154db68fa912894402af96c0fa17cde8b952adc961576529cc7de

Download Submit
C:\Users\Admin\Desktop\TraceClose.wmf
Filesize
491KB

MD5
416549c0a413d44e0c24d01f09f0d80c

SHA1
a8d0a2bd616e0805d10dff68e38fe1d971368434

SHA256
9faec17c029b3b75fc856f3e5982b7cafafdc70dd79d8108072646a1eaf8040e

SHA512
27191ac53018fe5a3561dcb90b8f6b678bf82d9f9cb0d7d6da4f0a05d6ab6505e5b3171894d4384801d2cebe025f1a0c795a915ce611d51e76cca5612e0d2632

Download Submit
C:\Users\Admin\Desktop\UnprotectEnable.pot
Filesize
307KB

MD5
29ad141a89efe586038f7404929d9709

SHA1
4f3d51fb3575aa97840c60d0db92309bf5ea4740

SHA256
19bc88b7bb12f3a10400fe453f8f3549799a52a94f163c0e9419b7ea31059e09

SHA512
e41690cffa9af3013472b63fddc372e2783b3b346e68318c207c29544e8600e893962069b41c1ef55a5626c8ddf42c633dfa58d84e99a4ddaf0b0632986803a9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 880692.crdownload
Filesize
165KB

MD5
3f5664b0327a70a68129624fc21274b9

SHA1
8a8f2c3da196cfb2cc16c6552e9a20b849eaa773

SHA256
5b5a3600c375b69427ea08b86bdc69b9edf46c2beff302457f6210d4fe8609ab

SHA512
c2aa9a9474dcf33b16dec03d7d1a046a5bbbdb449eef5daf20a16957960067cd77cb7a7f538682bdc1dc557cf17a18a9d427c6ecf7032c501e81a8b915212c8d

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk
Filesize
2KB

MD5
1062e70d1b2cb35fb3f241eed8c144d5

SHA1
ad98028d31a049ca4d73c98b2ac66f4441b66156

SHA256
cc36ae1a83256b1e570eac585cbae58382927e5aef5c265063517f305a1b5aa7

SHA512
24e79228f97a00b38a791f363bac18e91103a4509d033a92fb044431bbc15be8829d89aa7b4fc2650ac20bee9293e1bd1d868b497a7ba769ad98388732227c5d

Download Submit
C:\Users\Public\Desktop\Firefox.lnk
Filesize
1000B

MD5
727e8d51e8bfe552a1e1d8d0f9abd4e2

SHA1
86c030bb74792a7b0326defaca114364213945b9

SHA256
acb08ee2bcb9d65b4e0443f5d68c3e204b5c8e7baab5208fe52ecdcb4313a87a

SHA512
fc7509cbeec353985601a2ab5eb1c609e1a4ab8be2acfddd91b13eccf57e30994a052618ec197f61f4b6ec5860c64432e021feb339362777dc3af7e412caf3fb

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk
Filesize
923B

MD5
8332bfce613d0df38fb9e89761c894dd

SHA1
98ce9e69af406d5c037d0562c04709eaf4835fad

SHA256
c72c2e46c7bd4a89def8025fa0f0f299f94c87e7ce5b967093c8364fd592eb5f

SHA512
b98ea6408dcadb3f11ae034af1b21503eab5330eb91f65022cb74ff881e2be85a418f23064654484985fe8cace46c4ec6de647cfb159765582f76c073ae066dd

Download Submit
\??\pipe\crashpad_200_IFDQKNWEHDVMYHHD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/556-270-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/556-259-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/716-268-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/716-262-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/1780-63-0x000001E613EB0000-0x000001E613EB1000-memory.dmp

Filesize
4KB

Download
memory/1780-16-0x000001E616920000-0x000001E616930000-memory.dmp

Filesize
64KB

Download
memory/1780-67-0x000001E613E70000-0x000001E613E71000-memory.dmp

Filesize
4KB

Download
memory/1780-60-0x000001E613EF0000-0x000001E613EF2000-memory.dmp

Filesize
8KB

Download
memory/1780-35-0x000001E613E80000-0x000001E613E82000-memory.dmp

Filesize
8KB

Download
memory/1780-0-0x000001E616820000-0x000001E616830000-memory.dmp

Filesize
64KB

Download
memory/2188-254-0x000000001C5E0000-0x000000001C67C000-memory.dmp

Filesize
624KB

Download
memory/2188-253-0x000000001C070000-0x000000001C53E000-memory.dmp

Filesize
4.8MB

Download
memory/2188-252-0x000000001BA70000-0x000000001BB16000-memory.dmp

Filesize
664KB

Download
memory/2912-44-0x0000018176DC0000-0x0000018176EC0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads