hxxps://pastebin[.]com/gU4Zj4SD

Resubmissions

07/05/2024, 19:43

240507-yfk6qsfa24 7

07/05/2024, 19:40

07/05/2024, 19:35

07/05/2024, 19:31

07/05/2024, 19:26

07/05/2024, 19:21

07/05/2024, 19:16

07/05/2024, 19:14

Analysis

max time kernel
234s
max time network
248s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
07/05/2024, 19:35

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://pastebin.com/gU4Zj4SD

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
5512	mbr.exe
5972	noise.exe
884	mousedraw.exe
1552	sussywaves.exe
5840	BitBlt1.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/6132-1161-0x0000000000400000-0x000000000062C000-memory.dmp	upx
behavioral1/memory/6132-1201-0x0000000000400000-0x000000000062C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
4	raw.githubusercontent.com
6	pastebin.com
47	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Beryllium.exe
File opened for modification	\??\PhysicalDrive0	mbr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1696768468-2170909707-4198977321-1000\{B1C077E8-8BD8-4632-852D-CC6BA68F2281}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Beryllium.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Chlorine 2.0.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3408	msedge.exe
3408	msedge.exe
3888	msedge.exe
3888	msedge.exe
5092	msedge.exe
5092	msedge.exe
4172	identity_helper.exe
4172	identity_helper.exe
1576	msedge.exe
1576	msedge.exe
4844	msedge.exe
4844	msedge.exe
1144	msedge.exe
1144	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe
4076	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	4800	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4800	AUDIODG.EXE
Token: SeShutdownPrivilege	3872	Beryllium.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6132	Chlorine 2.0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 4140	3888	msedge.exe	79
PID 3888 wrote to memory of 4140	3888	msedge.exe	79
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 1088	3888	msedge.exe	81
PID 3888 wrote to memory of 3408	3888	msedge.exe	82
PID 3888 wrote to memory of 3408	3888	msedge.exe	82
PID 3888 wrote to memory of 4224	3888	msedge.exe	83
PID 3888 wrote to memory of 4224	3888	msedge.exe	83
PID 3888 wrote to memory of 4224	3888	msedge.exe	83
PID 3888 wrote to memory of 4224	3888	msedge.exe	83
PID 3888 wrote to memory of 4224	3888	msedge.exe	83
PID 3888 wrote to memory of 4224	3888	msedge.exe	83
PID 3888 wrote to memory of 4224	3888	msedge.exe	83
PID 3888 wrote to memory of 4224	3888	msedge.exe	83
PID 3888 wrote to memory of 4224	3888	msedge.exe	83
PID 3888 wrote to memory of 4224	3888	msedge.exe	83
PID 3888 wrote to memory of 4224	3888	msedge.exe	83
PID 3888 wrote to memory of 4224	3888	msedge.exe	83
PID 3888 wrote to memory of 4224	3888	msedge.exe	83
PID 3888 wrote to memory of 4224	3888	msedge.exe	83
PID 3888 wrote to memory of 4224	3888	msedge.exe	83
PID 3888 wrote to memory of 4224	3888	msedge.exe	83
PID 3888 wrote to memory of 4224	3888	msedge.exe	83
PID 3888 wrote to memory of 4224	3888	msedge.exe	83
PID 3888 wrote to memory of 4224	3888	msedge.exe	83
PID 3888 wrote to memory of 4224	3888	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pastebin.com/gU4Zj4SD
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff95ab93cb8,0x7ff95ab93cc8,0x7ff95ab93cd8
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4080 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,8671495246292211890,12121589829777553356,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5252 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4304

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1464

C:\Users\Admin\Downloads\Beryllium\Beryllium.exe
"C:\Users\Admin\Downloads\Beryllium\Beryllium.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004F0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Users\Admin\Downloads\Chlorine 2.0\Chlorine 2.0.exe
"C:\Users\Admin\Downloads\Chlorine 2.0\Chlorine 2.0.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:6132
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\8C87.tmp\8C88.tmp\8C89.vbs //Nologo
  2⤵
  - Modifies registry class
  PID:5264
- - C:\Users\Admin\AppData\Local\Temp\8C87.tmp\mbr.exe
    "C:\Users\Admin\AppData\Local\Temp\8C87.tmp\mbr.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:5512
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8C87.tmp\msgloop.vbs"
    3⤵
    PID:5708
- - C:\Users\Admin\AppData\Local\Temp\8C87.tmp\noise.exe
    "C:\Users\Admin\AppData\Local\Temp\8C87.tmp\noise.exe"
    3⤵
    - Executes dropped EXE
    PID:5972
- - C:\Users\Admin\AppData\Local\Temp\8C87.tmp\mousedraw.exe
    "C:\Users\Admin\AppData\Local\Temp\8C87.tmp\mousedraw.exe"
    3⤵
    - Executes dropped EXE
    PID:884
- - C:\Users\Admin\AppData\Local\Temp\8C87.tmp\sussywaves.exe
    "C:\Users\Admin\AppData\Local\Temp\8C87.tmp\sussywaves.exe"
    3⤵
    - Executes dropped EXE
    PID:1552
- - C:\Users\Admin\AppData\Local\Temp\8C87.tmp\BitBlt1.exe
    "C:\Users\Admin\AppData\Local\Temp\8C87.tmp\BitBlt1.exe"
    3⤵
    - Executes dropped EXE
    PID:5840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1e4ed4a50489e7fc6c3ce17686a7cd94

SHA1
eac4e98e46efc880605a23a632e68e2c778613e7

SHA256
fc9e8224722cb738d8b32420c05006de87161e1d28bc729b451759096f436c1a

SHA512
5c4e637ac4da37ba133cb1fba8fa2ff3e24fc4ca15433a94868f2b6e0259705634072e5563da5f7cf1fd783fa8fa0c584c00f319f486565315e87cdea8ed1c28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8ff8bdd04a2da5ef5d4b6a687da23156

SHA1
247873c114f3cc780c3adb0f844fc0bb2b440b6d

SHA256
09b7b20bfec9608a6d737ef3fa03f95dcbeaca0f25953503a321acac82a5e5ae

SHA512
5633ad84b5a003cd151c4c24b67c1e5de965fdb206b433ca759d9c62a4785383507cbd5aca92089f6e0a50a518c6014bf09a0972b4311464aa6a26f76648345e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
67KB

MD5
d2d55f8057f8b03c94a81f3839b348b9

SHA1
37c399584539734ff679e3c66309498c8b2dd4d9

SHA256
6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c

SHA512
7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
37KB

MD5
c912655c8d691e1a190dbec03d14e653

SHA1
a90a6ea007e121441a0d9c48ea4073a635085f6b

SHA256
35e5f055ba3fc9eb6c89884d533f5484fcb335d0e226145d7ea7a6a1e2da6fae

SHA512
c606bf2711a2be266c69a702d60bbc0d66dc6655c88dd669932f9c3954941a44d6a09e25bf60272ba5e0ba09ee65f4a3d8bd33a215ed2eb76ed601f06fa984d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
1.2MB

MD5
25a7f8dea0207366b4b9d77569ff6f78

SHA1
57a20ac66704e6b2766c6946fafdec22f47ee79d

SHA256
502a9f82d39ef6fca4b4fc1bfd046b9736d8e232c8b1562eed0ca62d149bbfed

SHA512
db300662a1a49ae8417fb013462fc62ab20351c9c458cb60b0b22ec89c1cba410ae03301cefa6464dc58ed332ceb8a2d67eb6b8078c7f2127729594126133024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
33KB

MD5
3cd0f2f60ab620c7be0c2c3dbf2cda97

SHA1
47fad82bfa9a32d578c0c84aed2840c55bd27bfb

SHA256
29a3b99e23b07099e1d2a3c0b4cff458a2eba2519f4654c26cf22d03f149e36b

SHA512
ef6e3bbd7e03be8e514936bcb0b5a59b4cf4e677ad24d6d2dfca8c1ec95f134ae37f2042d8bf9a0e343b68bff98a0fd748503f35d5e9d42cdaa1dc283dec89fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
75KB

MD5
cf989be758e8dab43e0a5bc0798c71e0

SHA1
97537516ffd3621ffdd0219ede2a0771a9d1e01d

SHA256
beeca69af7bea038faf8f688bf2f10fda22dee6d9d9429306d379a7a4be0c615

SHA512
f8a88edb6bcd029ad02cba25cae57fdf9bbc7fa17c26e7d03f09040eb0559bc27bd4db11025706190ae548363a1d3b3f95519b9740e562bb9531c4d51e3ca2b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
34KB

MD5
0e9744c1da98f50cb22ba91847729381

SHA1
1c131a0e19b857566146392ad0a24a05f34f4f08

SHA256
dd2ba7b7c25dff6c9ad514cf1c01cb4bbf92f1bb8bb6da623141192fd218c07c

SHA512
cd2be2c3c69a24e93195ba612829b7e2042fe58d9b7c2ff9f67d3417d6e25e58ffabdb2c98ddc8992b7a52dbe38e44880dfe5816805d37660b532abb2dbfc8e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\02b1a637dfc4493e_0

Filesize
4KB

MD5
93812cadbaaa23db3f1bbeb222b98873

SHA1
da71de8f0cacb68144614098a0b2ab6d07df8c5e

SHA256
7488125f940a722f02e20c1c17f6ad371bcb02b2096e4f57e2f56115159d83d3

SHA512
5051c42e493cb725526100af4b439cccf4f79dcb3d7b50e0624923c3cb0bc17ccf2f6bfd1201f36b39e169b53fa2a762cbbf2c4eedebc34f2f99d6713846f973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5ebae3eea1f01edc_0

Filesize
2KB

MD5
b63ac89795643a97f99412320b950db1

SHA1
7199d6720b07a69014e85fff2b78739c04ca7c9e

SHA256
2fe0970e6639a60f057d0b75e2d6dfaab9f3734573ca647af226d8cdd3fae313

SHA512
1486ce7042dd267b948a088e568df11e247ffe10e552d8591de832c893dbdad15e7794399be8210375f58a9ae92b748825241a234b2f774db94b89a643ae3944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\74b88724f60b0383_0

Filesize
2KB

MD5
1e5644a3531e65edf3439d03f4e99af7

SHA1
ec9a9c8d902b0cbcd458162bb6b5e04c63622b81

SHA256
bed2362a4d650806d40bfcff93dbb004c529083576567cb9a52b47ec9e129215

SHA512
0cc7714e1416ba66eeefc6c360e8279c4be95b5437b912c2dd6ab5a4ed9968c6d962421be828afbc90f04e920b540509c4caefac051c95a6360720e7821d65c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ac9b40a0411376f7_0

Filesize
2KB

MD5
ed20a009225ce5e43ebff4e5b4cc7976

SHA1
a6a315c7344f2019df57507278902719d472868a

SHA256
bbf6f71907f490e9029d61a353346b038e188af7cd763d2e18a23312926aa5b4

SHA512
b716b930aa67c675200c4cd6206653805533356635ba71cf17f9dd471d931afe5df9e6bd4c1abc45c9eec3a41e01fa228cf4a1e5446ead8b89000158854a7b61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b0285107134e229d_0

Filesize
13KB

MD5
e8db72e944ec7f750ebe4de226b439f2

SHA1
b0f74da1431eb4bca4f7958ce367cac9e873f901

SHA256
d3044bb369393bf378036d240811845d002e709c9de79094cdcfeecb0ecae975

SHA512
f22c6b3a4fa76adcda4def9a8645a1acddcfa0481c1d9e259c70ffc7b119acdbedb48132abbc40d4280d0c3a62393c3b3eb66f5f6cf282604f695a83b470d335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ed26cd2dcd561670_0

Filesize
26KB

MD5
454f8b146c2f2332ebaa736ff192386d

SHA1
ed975b05ad41c3781f2ba583c24d0529bd5a3051

SHA256
6e5d845d8ace1451de7b366593bf012ae069c404c9e5f0c0b93e05a075c592c3

SHA512
35bad4e07247b7f27fc652bbf527f75c53751d3c1b232900e983837515057eff8def56ecfb6c8287b90fce781591bc7e6d40858cfdc0b8c6b4d48654c31db659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
44ef85d11dfcb9ce9d355048432f7578

SHA1
b421546f308995f52b5018848cb733ae02ab47df

SHA256
f29d78f61363aa4b1b5d32850dca926fcee832be29e6cdaabe2aec2bac051ea1

SHA512
95e94f56df593d46a2e4ce6663af18dea26ef5b20fbf0c76c816e89d6dd7381874951388b90586c285bcdbb046474c4fdba033056e02bd6842984e39d56d3af5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2846fd6fc28c48902e01969d55122de8

SHA1
fe0702ad9b9a0bbb009424ad4a6d3e1e0f00d109

SHA256
38868aac628e5abe2ac171284083f7aab1c57002beff321e32aa75e3fceaee5d

SHA512
88ebc3dadfeefb8b3cd2a0d0cdf6af42ffcfb5ce2ec593a90e05db77f182746a511e159a8c7c1e27025226ed5b49285abdce9ff35f8949b2cf9d0eec2c30a84b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
62a85f4cff196ad4ced2ac64f903164c

SHA1
e5c3abd7f82d1649ef864e069e91fd70f6f7e9ba

SHA256
b0249f19bf34a1ad8f9bade211a344be55c970540b3c470da96c415e6ad54b68

SHA512
9af4a74960c4a83bdb89bcf4e5030fba4003db43a22028c3419bbc0f35edc49933ef10c2dd357d6df3a858cc59052f1e6da8c5d96c4e66783cd719265409c8a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
928c07600dde5e6fd00b6de687d0f5d8

SHA1
f5cd16379c0263a19965a5134973e7a2f549ffcc

SHA256
55642198f250b0654ed6d640b6805314bad111ad384f95961d69051263ee8bb3

SHA512
ab3704b6791ce1e4f39ab33899aefaea6bb4e2bf9e555fd6f010af7ec0b861a078f324d4c2177416b24aef6d45f9df3ef4f363af1fce1c70affbbabc47a44215

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4614dc2efc0d5b86f5a356cabe8539ec

SHA1
36796195cd5a9f8153d67016e3bbbb3b510d2879

SHA256
a0b546da123f494327d19ea728d08d8ac1c9e5470860b58e6596de74d7a05290

SHA512
a8d87e4a3d52ef5f6111172ebf78bd0de9063748640be02a3f35c2f6f86567fc821ee9da5fe2a9f8e43d6f20d9c81503fe7fffb44105ff307bde7e88f5618e1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ceb0f318a1d417525080fbc145bd869d

SHA1
5cb7a5fd1a54d8bea4ac419410b2fb4100bb1b31

SHA256
5f446bdbf28410e83e94e04a1bc672988de7bf65f4b8ee98e4d496530848a302

SHA512
98b4d6760265a1cc2bcff491c4e368341b8888c32c71818e96cd4d930eb63179addeeb732c3ca2e3682d8dd55d923bb2e4e9f12dcdb6a853521b3bfeef413116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a48f336080c6d34f38a3a587b957ff71

SHA1
b202f3fed009fd62e55d9b79f6fcff47355c2e18

SHA256
2c1e18c6a4202abc28b9e6003561f2ded5f4fe85e45d1d18cbbf21a19bfd31f6

SHA512
13e94ba0a664fe6604fdb074b5f447bc461f2f8d508b35a95273e277f0345018b0623758c2e8baeffa4ad940a947265ac4a7d8a8d6ea3b81ce9d396df52da735

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5b1ae7fec05410369a5181c97aef51e9

SHA1
809d25e199ce8636ec37eb06514f79201c65b4f3

SHA256
950d2d930d2f4fbdc85ff7b46475810684e7104bea88b5973205f413d93748ef

SHA512
ed830af6fd697a0385b4413f10d8393ba6a158146bb7de97960d3b75e688978bd13ee0b6548647056943b873d9d2d511e574035c024848ef7dc43a2dea890f11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7600cdec345edf294c51156402f15f7d

SHA1
f312f96e3c6ddf327a3432c7739fbae9685c15c5

SHA256
89de984b0e4faa5617a26a13a6cbc7cbfe482ccd27933620d554e04936842e4a

SHA512
e347500c7afc2fe9e3ccfb3d2ce7329d6f65b59982613f0acebb332e3b110080780c004314fc8a5e7a3c225a377c5b2623f1c46b4fada6bdd0829107d0e147f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a6704748165fe93e005ef163c66d67ff

SHA1
fa671a7833c1147312216c1564cfea71a4f52c39

SHA256
cab04267e10447b4b90a9a340e76bf7238adce459ff0423c46499395acca1cd5

SHA512
a8c787695b894926dea3b8948b72573f024345419e2a4c2dc1599f408725f830f35d6dd3f1e32aa21a627ac80ec9018194d503da99531a884e7689063ca9352b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
cd8c6d8adc57586666e65fac3826f5ff

SHA1
55f61ddd177a8ec42591894895c601e874f7bddf

SHA256
9c3a149ecba343caac638d114adb26e2ad17f3fa24de1a97e2a3c5b9119487f5

SHA512
3d1037a273383c299957cad45eaae4620d7a23ee608ff1769d16b87c0e6b12870792933a4812a71c3ce69c09a023f939fa9b4aed5a157d84780c238a70f8fffa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e12d8e2f92c2068d2e31d46478db6719

SHA1
518ba912ad838a7b9279d7e851e705da42068518

SHA256
5447ed1a91152f4cf9e41fd8992d35adec3c523443679a6d8ea6d0ca643ec3ac

SHA512
3d3d58f92620911388180d1a9f16571aa4e50f8327bf12cfc18e9ae30447a695a10a86c25550fdeca67c09990aee4c4509fdc2702f63d447536fc1fea1175404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
b1f0bd1d9426327fc5e97e5d7e2d1c1f

SHA1
2e09ac413a0764568c4a259a5d1de33bfee5104d

SHA256
3e482ffd41180ec9b120dbad5a7b0fba3d5af9e7cba692593a3a9f9734ae4bc8

SHA512
0dc604e92ddccea313cca3727b06a375cc6daea86b309141423aa32063401a0aafa853f3312c86033d1fe20c2e938889847a1df5de8e85228822811ed30b1706

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579114.TMP

Filesize
203B

MD5
13bab2e5b2f9f2955dd0df48b7977572

SHA1
c69f9b2f90e25dbaa3f9d26fe0d9e6d5a294d1b9

SHA256
c33ec8be898fb539cbde67067eec258be30a951c7443414640198b5179a4f9de

SHA512
1dad6b9612591b89b1b2dd6931ed9a60a49644adc94e5a57f67b08f5d327191ee728efa81f8c361dcc183f014d3c52fa59f8f1ed8fc5e475ea126fc71d24e05f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f19d1ebb0f87c41093a1d9a33ce38883

SHA1
d406df847b6c25bf72054e84a8d2e564f26dab6e

SHA256
8284dc04745cee60a831264dcf07203d8aec02744aa09584c68257840fb0c84c

SHA512
c7af4667625e5f4879697aa6ba8c32127f533dbd18e3fa82410b6b23779425b3577050b4ce1ba9695ebcc88d31e56e2a0f34cf043643ad41b2d69010462025f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4850e974e33e402b3ae4d2fd17d7703a

SHA1
fb778f76877f3b5badd0b20a77587cf9ebd4d2ca

SHA256
01b5edaa9d5d152bebe1868e3196b96e3d6e3bbab1b56d7d47e3984682c85978

SHA512
ab565c7d20840472a4ccfad11c4343abe4cdb38793d9830a00e3165b2c935a8a5b36e9f24f3a0b323faf0457b532bd6fa57396f2824ad4700c34157070cbdc08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
095fe4389c4e265d45c25287f10ec2a2

SHA1
f122ef43396956ae6903656bb20f3f8c0b165c99

SHA256
9a27dff761baf311962af6ccc1e8910c14d1a9f9640d22987761150974abac7e

SHA512
15f13571a6871b55ef521c3aec6d4bd503a3e5ed3c7684dc5540b996a86970133270c8c121c2a74ec0c04e9d7887e6c661e4378de3d6f98e799f3d5f1878b9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C87.tmp\8C88.tmp\8C89.vbs

Filesize
1KB

MD5
45b6873a3068a9fc124fe76d9bea42d4

SHA1
ab8be455775e5fcf1118fa68990b54daad9216b1

SHA256
76bc005b55d16fb4fe99d303a8cbcdfb8fa09a169a0f2dafdd1f15a514acff13

SHA512
0a3bd4b62b8a9b2edf81b30043f556ca18dadecdd358a007f797565dfbdaf191751c3df5e97b08bf1556fa59c82f4ea204fe0da4d9c457c2572495e00e36faa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C87.tmp\BitBlt1.exe

Filesize
105KB

MD5
19a8a16e2a0d3225d1fc390c0a11b5dd

SHA1
ca235475f7a767e10c81426e013ee59106deb306

SHA256
8d6452b5a2dacbf6a1e064fc959f16a5ec13b5986a2687e70b5458eefdb60573

SHA512
d470d61fa9b19c34cd9ed916f9a6b44c821ed47082393212c17c743a764d2eed4dea2aae31f37d984f3c359ca646b34f0c6486f5f473d940c675974deb313ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C87.tmp\mbr.exe

Filesize
1.3MB

MD5
7a2bd73519cd758b01e8c3b28311cac1

SHA1
a2255b0aa4ea8e5ed139a2e9a1aa64307f7eb5ee

SHA256
24706c7d79457b47edca4623fbdef2c2ef1f56e905838c70ac44dc4cad539238

SHA512
aa5b48cf7685f0dc66ba3146e396fc3c8c3d4a70b0ab4ccf3bf183bd4e2b198909c09b82459694dc49040a775c74802abf32dd3252209051af7969796c674ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C87.tmp\mousedraw.exe

Filesize
104KB

MD5
f7db0edd465e545dcd947f4beef32779

SHA1
a02d2dcbe4ea1146b726a6191354340f8dd41f6a

SHA256
9bbce9c9e1b513084b8a206e935b2512a341fd81688e71735ef27511d0378d47

SHA512
6d40cf365a30277328f9103083e939ac8fedf860ffef6d0c5bd80d708e0f73d606f456d37aa1fa5e69964ac2e20c263fbaa755a9c28eff962395e3509a7a4e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C87.tmp\msgloop.vbs

Filesize
336B

MD5
d95b234c9cef8f7f398d758564bf5821

SHA1
cd499485f7b128d2b475bc92311a45cd8c8b6de7

SHA256
33923a07189189bcb897d6617457ece2a93c0fc9f5de8a786c39c874af9a0630

SHA512
51dfccb4975eb385d20cf58af02ed4e19d954777fdcc289a00409d94611d177efc20307312d42fc8e03590d0afc02bf78802830847bd8f0e8a6485bcb9ef8154

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C87.tmp\noise.exe

Filesize
102KB

MD5
3c285eec317672f7eb27ec27244cbe59

SHA1
3bd2512ea461dd67babad9b398128c70a3dde059

SHA256
81cbb8c54d2dfdda281e37aff08f9f98afab3f415fbe3c7b5242c1b85495e715

SHA512
590ec0ed53848bee0ae82e0ecc62c48d66f0380ca04c6e425cc97bdd05f1b2cddeecf2e58d58dbfee4872500a425b7d5d1401f955d65d891114f61cd7baaf5d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C87.tmp\noise.wav

Filesize
1.0MB

MD5
cdc6c78486f27876fca2f9ce090fe2df

SHA1
5b2655c058b1a0415e00c207839113b863b0a750

SHA256
31be0f1ab83ae8bddccd657ca78c57ee26e2ac3b3a87637e3adc6405f018b399

SHA512
3f80524dbcfd2f1e756710f2f21cb498268da7528077833ed01b4f2030aa0df0f0528a69a6b516ad1e5988174d1395ae189981e707127bea0acdfa6be0477f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8C87.tmp\sussywaves.exe

Filesize
105KB

MD5
632da6456dceea4819027bad982ab3cb

SHA1
9a5da49ddc3458b72fa3eae77332cac643508ad3

SHA256
13304570c6ccb706114aaae4602be5c85fa1862e1ed0200b3f0de514b14fcd41

SHA512
cceb677651a8f7df59c8a22a076a69be31bc3a72992fbce6373d6908a33a0e2e1b7c669f664a9617933197ec7ff1b6e96fcc8613329b750dc143273f90991a55

Download Submit
C:\Users\Admin\Downloads\Beryllium.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Chlorine 2.0.zip

Filesize
8.7MB

MD5
283ace63f8098bc81085b1afa4a1b2e1

SHA1
4848409d5dd062eaea4664fb1471da87242f5e5a

SHA256
9882a822f94ab32f588d8db12165838798c8adefefc5301eb367592662df944f

SHA512
1ff5ed7b3d4bccfee9a12817cdc537eb37fe92c082fd445e696ceb4d595f05dffe180464dabe23037b9f46030ed2ed54fe82fba2b8b9856b62013ba3bf6cc3f0

Download Submit
memory/884-1213-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/884-1245-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/884-1227-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/884-1221-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1552-1219-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3872-1211-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3872-1199-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3872-1100-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3872-1160-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3872-1205-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3872-1217-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3872-1222-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3872-1231-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5512-1198-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5840-1225-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5972-1212-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/6132-1161-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/6132-1201-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads