hxxps://wearedevs[.]net/exploits

Analysis

max time kernel
125s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 13:27

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://wearedevs.net/exploits

Score

8^/10

evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

000.exe

pid process

4144 000.exe

pid	process
4144	000.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

000.exe

description	ioc	process
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\G:	000.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\O:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\X:	000.exe
File opened (read-only)	\??\Z:	000.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

246 raw.githubusercontent.com
247 raw.githubusercontent.com

flow	ioc
246	raw.githubusercontent.com
247	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

000.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	000.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

000.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\Wallpaper 000.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\Wallpaper	000.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3576 taskkill.exe
432 taskkill.exe

pid	process
3576	taskkill.exe
432	taskkill.exe

Modifies registry class 3 IoCs

Processes:

msedge.exe000.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{5504E5A3-3EE0-4962-9A53-B7829C77F7C8}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{258BB095-C47A-497C-BF3F-960CE811DB95}	000.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 519569.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 519569.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
1580	msedge.exe
1580	msedge.exe
4548	msedge.exe
4548	msedge.exe
2976	identity_helper.exe
2976	identity_helper.exe
3952	msedge.exe
3952	msedge.exe
3580	msedge.exe
3580	msedge.exe
5636	msedge.exe
5636	msedge.exe
5636	msedge.exe
5636	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exe

pid	process
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exe000.exetaskkill.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3576	taskkill.exe
Token: SeShutdownPrivilege	4144	000.exe
Token: SeCreatePagefilePrivilege	4144	000.exe
Token: SeDebugPrivilege	432	taskkill.exe
Token: SeIncreaseQuotaPrivilege	5260	WMIC.exe
Token: SeSecurityPrivilege	5260	WMIC.exe
Token: SeTakeOwnershipPrivilege	5260	WMIC.exe
Token: SeLoadDriverPrivilege	5260	WMIC.exe
Token: SeSystemProfilePrivilege	5260	WMIC.exe
Token: SeSystemtimePrivilege	5260	WMIC.exe
Token: SeProfSingleProcessPrivilege	5260	WMIC.exe
Token: SeIncBasePriorityPrivilege	5260	WMIC.exe
Token: SeCreatePagefilePrivilege	5260	WMIC.exe
Token: SeBackupPrivilege	5260	WMIC.exe
Token: SeRestorePrivilege	5260	WMIC.exe
Token: SeShutdownPrivilege	5260	WMIC.exe
Token: SeDebugPrivilege	5260	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5260	WMIC.exe
Token: SeRemoteShutdownPrivilege	5260	WMIC.exe
Token: SeUndockPrivilege	5260	WMIC.exe
Token: SeManageVolumePrivilege	5260	WMIC.exe
Token: 33	5260	WMIC.exe
Token: 34	5260	WMIC.exe
Token: 35	5260	WMIC.exe
Token: 36	5260	WMIC.exe
Token: SeShutdownPrivilege	4144	000.exe
Token: SeCreatePagefilePrivilege	4144	000.exe
Token: SeIncreaseQuotaPrivilege	5260	WMIC.exe
Token: SeSecurityPrivilege	5260	WMIC.exe
Token: SeTakeOwnershipPrivilege	5260	WMIC.exe
Token: SeLoadDriverPrivilege	5260	WMIC.exe
Token: SeSystemProfilePrivilege	5260	WMIC.exe
Token: SeSystemtimePrivilege	5260	WMIC.exe
Token: SeProfSingleProcessPrivilege	5260	WMIC.exe
Token: SeIncBasePriorityPrivilege	5260	WMIC.exe
Token: SeCreatePagefilePrivilege	5260	WMIC.exe
Token: SeBackupPrivilege	5260	WMIC.exe
Token: SeRestorePrivilege	5260	WMIC.exe
Token: SeShutdownPrivilege	5260	WMIC.exe
Token: SeDebugPrivilege	5260	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5260	WMIC.exe
Token: SeRemoteShutdownPrivilege	5260	WMIC.exe
Token: SeUndockPrivilege	5260	WMIC.exe
Token: SeManageVolumePrivilege	5260	WMIC.exe
Token: 33	5260	WMIC.exe
Token: 34	5260	WMIC.exe
Token: 35	5260	WMIC.exe
Token: 36	5260	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3892	WMIC.exe
Token: SeSecurityPrivilege	3892	WMIC.exe
Token: SeTakeOwnershipPrivilege	3892	WMIC.exe
Token: SeLoadDriverPrivilege	3892	WMIC.exe
Token: SeSystemProfilePrivilege	3892	WMIC.exe
Token: SeSystemtimePrivilege	3892	WMIC.exe
Token: SeProfSingleProcessPrivilege	3892	WMIC.exe
Token: SeIncBasePriorityPrivilege	3892	WMIC.exe
Token: SeCreatePagefilePrivilege	3892	WMIC.exe
Token: SeBackupPrivilege	3892	WMIC.exe
Token: SeRestorePrivilege	3892	WMIC.exe
Token: SeShutdownPrivilege	3892	WMIC.exe
Token: SeDebugPrivilege	3892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3892	WMIC.exe
Token: SeRemoteShutdownPrivilege	3892	WMIC.exe
Token: SeUndockPrivilege	3892	WMIC.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

000.exe

pid process

4144 000.exe
4144 000.exe

pid	process
4144	000.exe
4144	000.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4548 wrote to memory of 3680	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3680	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 3028	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 1580	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 1580	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 4480	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 4480	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 4480	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 4480	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 4480	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 4480	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 4480	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 4480	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 4480	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 4480	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 4480	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 4480	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 4480	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 4480	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 4480	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 4480	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 4480	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 4480	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 4480	4548	msedge.exe	msedge.exe
PID 4548 wrote to memory of 4480	4548	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://wearedevs.net/exploits
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffceff246f8,0x7ffceff24708,0x7ffceff24718
2⤵
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
2⤵
PID:3028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1
2⤵
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3096 /prefetch:1
2⤵
PID:2904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3092 /prefetch:8
2⤵
PID:3756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
2⤵
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
2⤵
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
2⤵
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
2⤵
PID:5308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
2⤵
PID:5400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
2⤵
PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
2⤵
PID:5416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
2⤵
PID:5896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
2⤵
PID:6116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5148 /prefetch:8
2⤵
PID:5388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5516 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
2⤵
PID:5656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
2⤵
PID:5832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
2⤵
PID:752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
2⤵
PID:5908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
2⤵
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
2⤵
PID:5988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:1
2⤵
PID:960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6608 /prefetch:8
2⤵
PID:752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1
2⤵
PID:5844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7160 /prefetch:8
2⤵
PID:5376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6768 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3580

C:\Users\Admin\Downloads\000.exe
"C:\Users\Admin\Downloads\000.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies WinLogon
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
3⤵
PID:2092

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' set FullName='UR NEXT'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5260

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' rename 'UR NEXT'
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\SysWOW64\shutdown.exe
shutdown /f /r /t 0
4⤵
PID:5192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,7302601782358010714,7688537901360062568,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6616 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3852

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38df855 /state1:0x41c64e6d
1⤵
PID:5568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
63KB

MD5
5d0e354e98734f75eee79829eb7b9039

SHA1
86ffc126d8b7473568a4bb04d49021959a892b3a

SHA256
1cf8ae1c13406a2b4fc81dae6e30f6ea6a8a72566222d2ffe9e85b7e3676b97e

SHA512
4475f576a2cdaac1ebdec9e0a94f3098e2bc84b9a2a1da004c67e73597dd61acfbb88c94d0d39a655732c77565b7cc06880c78a97307cb3aac5abf16dd14ec79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
69KB

MD5
c0b23ab60efb763d27f9f92b50b6728f

SHA1
259f669d1089469b1485ab4c07942c8f32431267

SHA256
c066161623da6821af1d38fb2fc8b5026e89caf02416be88d9543d1a0d337f1f

SHA512
0a43c9a501a2b462b19abca689815b4a8ddab19b1abef51072f86686fe6c20f555b9d4edc62cc41d3dff6f364269507a75da6d43ec11eec129d28a44857bb717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
41KB

MD5
d4b647680376ac9b16859717871f03bb

SHA1
c734c2f065bfc3879076d88062a8646ba19a4c0e

SHA256
9c38ac2c84717e32282870858ee24d8ba4dc3eb949f6b59f0cab92e0e518e03c

SHA512
57a4caed69ae8b0891bcc284d89e78ab7478085ddb610716ad7e799ac08b5c3464b9d75ca2e3bbb30fde7c24875bb99b30b5c9dfb8386038d0960672ee72e332

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
19KB

MD5
635efe262aec3acfb8be08b7baf97a3d

SHA1
232b8fe0965aea5c65605b78c3ba286cefb2f43f

SHA256
8a4492d1d9ca694d384d89fa61cf1df2b04583c64762783313029ae405cbfa06

SHA512
d4b21b43b67697f1c391147691d8229d429082c389411167386f5c94e3a798f26c2457adf6d06caec446106e0f0aa16d895bfc4e8a1ff9e9c21a51173a923e3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
64KB

MD5
2923c306256864061a11e426841fc44a

SHA1
d9bb657845d502acd69a15a66f9e667ce9b68351

SHA256
5bc3f12e012e1a39ac69afba923768b758089461ccea0b8391f682d91c0ed2fa

SHA512
f2614f699ac296ee1f81e32955c97d2c13177714dbd424e7f5f7de0d8869dd799d13c64929386ac9c942325456d26c4876a09341d17d7c9af4f80695d259cfea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
88KB

MD5
77e89b1c954303a8aa65ae10e18c1b51

SHA1
e2b15a0d930dcc11f0b38c95b1e68d1ca8334d73

SHA256
069a7cc0309c5d6fc99259d5d5a8e41926996bbae11dc8631a7303a0c2d8c953

SHA512
5780d3532af970f3942eecf731a43f04b0d2bdb9c0f1a262dbd1c3980bcc82fe6d2126236ad33c48ea5434d376de2214d84a9a2ccec46a0671886fe0aa5e5597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
1.2MB

MD5
f4365a50f672f5824e1359095a829f89

SHA1
5fe1be1f63693d4dadf694f044d3f05f526af909

SHA256
853f0dc083987ecbe463203524f2388035cfb4de17df8bfcc9172af08dfe5da2

SHA512
c1520c7263cb95e6f034346e27a980ca89644d328fcdb6a9a032b8b4f26d107c528e67e76515486028198477c264393c8ddcae1061155b3dc356d9d8b148706c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
32KB

MD5
f7c0e32a054c3cd01031b0fd27754927

SHA1
107441264051a9079929ed661a901f9601386586

SHA256
928e8a9bb9407148b2ee34c6a1884647afcb19664dd04c88e73cfdf05e24819d

SHA512
2f0c49d25b7e88b56ca378931f23b35d09c5d4bee54aec92212dc36563b1fe7bd99533557d6b11ea8170c52b5790c755350eb499d0ea965028dda5ab982bd834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
74KB

MD5
773647c3c088ffd8e3f2d6381df83b24

SHA1
78dfbfc2c596cfc908277167e146270927bc3dbd

SHA256
fd3212ee53caae486cb2674aab45c1c93fc69fcce9c3b5d5983a0640ea6cacb3

SHA512
14f0da16e695c6fe94e066468637ca332788e473518753f2595ad26fabd97fa22a9f4735a655f0f1dd3872cd6ad4afeca38b560ebbdc0bd3193fa317892d9eed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
fd7e5b7384363002eec5ecc3e8e35379

SHA1
3adbbba9e1614985407c9a7ed3ff7e41d8b54872

SHA256
479e0072fe21847a050db3de80fbcb2bfe44052da79d583580c64bf2b71e343c

SHA512
bf8aaede89f6a43fd2e37ca9d0e88bb5f39f0fce6a5ba39ccfef4f0301591f1582e9951799f0dd6c8f7f64d1248bdb15680627bcfbd35feb2a6dceb41851df65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
5f723e6b69935ee11520b2ebdedc80c4

SHA1
21ec38ec5ac1df40bb594b05e90e21d489540f99

SHA256
97cbd6bbece18d8573867108f948d66f39e458fc827efce8e9dacdb6830124e3

SHA512
a302adebfd1e0386062d37b46c12f3bae95867af40fc006c78149fc84993b8b7ba6d16e87e6766300a26c8a7e6857efe7e8405d57da83924e945c1116c773ab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4546e51be41e9f13c5ee3f57310a0840

SHA1
476695fbb6a434a524d2e09217807995db8aa739

SHA256
bb3aa774b55de05ee154cf83a4b46e211408837cb80f82da3b693d78a9f19fb6

SHA512
a82b0af8e189dd0790e7e0f3807135742416848e6b7545013f2bee0b71f34de933108e4da1c3ab5785d574a59dd5ca3529ee73e57570c55e3907d9f8cd16106f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
3924009ab71036ab95c3e9b80002592d

SHA1
8d859847dd6f4e2f3232aa3c22201e17860b0f9b

SHA256
9b2362b04a8242988e1c57d0ff4bcd83ee53839b6a59d5180c0ea68949da6087

SHA512
70ea2b30dac76ae654ba499b4fb7ad542b09cbeec221e0698baba1214730cde7a55b0a3355477d26c84c3ac70af72d09918ca5fd286236e38bb7f6117b07abd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
696e28b41e3293e0ab7502a22177a5cc

SHA1
11bb1b00141e93a6dc216acdb250881ea0e67e21

SHA256
c25c7a8d47df6ae362fdd3010bcce5b30470020a61d667f0a0f5a964d9066334

SHA512
3862dc6ae90d66203fe24ebafd781b841f40044b6a12407079b97080d400955d2040d93612022a92c47d2bd59ac606565820a5d038142dbd98bcbd4e8f4399c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9e9a8607fa0b71696b6d1d629d43789a

SHA1
499ae7123ce2175efaf8aa6802a31d1bd5751bcf

SHA256
b41c3275c34c1854f177ef1182d6dce7d570348eafc7594231fb7abf933757ab

SHA512
69b280d6fdcc44eb02d2413c1d140d971980d7b3acb13992f755a7d76add85d7b1299d09a9be99ddc0620ee6ea5677deb6277c4fda348ab99d08a04432ece782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b44dace4ae8521dcd8443bd2f4f8a379

SHA1
1bc302f7d70982bb1f106513afc26f5487f670b5

SHA256
61ed12b2da67326c1f18c404721f4ed82d3cc1404b14451e8b499a7b45657370

SHA512
bf6ab6f8fb2fdb8c44e66b350cba5d23366e379b90e19245af3e88941ae76d6b07b2539dd1f0ba9504d7094a0f275fcd131df7bee4be669f46454f960913ad2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
53bc116032155aaec914bda996425e89

SHA1
74f811f2052f45a1e59b74df0819024d1eb2a5db

SHA256
1f2bb1a6b814e2e8ccfe0aca5d8c57ab03f874d258ec13a4f1d9c2a6298ebade

SHA512
bea278a55bbfd4a670ecd99fc3fdbb5ac247b41d05b6387ff24effb70f1e5935752b9edaaaef05e20aef54dc13e9d88fd91fae84887e2510690e507a42c673bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6b26715c768aa3901fb6cc8074deb963

SHA1
9dedaaa3fb671d066e67032061fa46c8e245f93a

SHA256
cd21ec3356394b4442cbaec931852b56d47d45cfc7af794ec01cb9eb8245a4f5

SHA512
326ce196d40cd779f6c5b2eb67e2b0e287a1f023b4bfd088bcee396e0f15de35f1d59afabc54b88051ac26bc21c0e6d1a09d4e76f8047d16d131b7e06a469fcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe578f8e.TMP

Filesize
48B

MD5
f58319ece6083c856e3ae08d5b02160d

SHA1
32ae6c99b7b707c892dfe78fa3f531fc0a4b3c6e

SHA256
8a7c2c00ba29450bacd8af75328b08c83cb9dcd3d7613ba0ccb87163e53627f4

SHA512
00f0c8ead09c52771cad0b74c257d7c635ddca424d2de52cbb93d42f20515f211250f64726b0e6261bd36fe3b30c4649b436e05c9b26915cda447d27230fbaea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
66219d8e57462966febc198e423cbdd2

SHA1
5e577a7200886de6c0c3390f4e4257061a2b6819

SHA256
0bb86270d457902ab7f838d94e7727cf5bc04bee93ce31132a580c45d39209b9

SHA512
810b758db1edf14bb059a42f9e49246dfb2c16daf1dceed8ed6df817a6ee25961e4c9c9b4ef70af569cc4dc7fbc19c0efa2e8085dc7974874cbe330fadd9b883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7061309c86024cf31259cb1af2c68d43

SHA1
6b381f0b42af97ddad6fc9476c4a023dcb68a911

SHA256
ea634169825ba7ce4a558f9d7efea21865007a1bb2f96f2073048cdf09eb4f73

SHA512
ca448cfe9d206b1ace7cd5a25017abfb053bda21a8f58debe227e3e7ad9e233e93fedf868d9015e00009c70c95cef3381999080491c14f162d6bf0411a17dc08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4edef7a3a6fda206dcea483a350420b5

SHA1
7b0da50c5e0b310baffa857d65f87b7d443947f8

SHA256
547ae69ea36b45fdf5dc2090e301eebc5519f3144d23822e1d7716ec444d83ef

SHA512
d35c90463bc8f1598cbb05070410f0780195d7b9471cf332905438385278c1d4d8f57719ebe4696f7caf3a6c1abca2e1af5ddaf9dddf30aa20d7e8ca9cef01cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
bf411c740e500ef0377e713b97a0a332

SHA1
e5c2e6e678fd98891df2a7e54f5213639d45b324

SHA256
2562aa1521a3f6a129965883a1bca04eef89eb66f63f999712aa20f47941592a

SHA512
b552bcb9a9f36d55fc9419f92438b861bb9da8bf8d86f2094b3043c542b0f66247acb41fccfdc5a1bc1d530925aa4e2d7d1b95aa26cc60293820d31b527c30be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4abafa741bbbe10b0fa7545e20d61911

SHA1
a44b7af86b41ba3d0fc514bc84560998f606c673

SHA256
2327cef50f4f7fc94a78a580851afb453c14ba7b3cd9744159ae7188206cebab

SHA512
dc76aa5206c76610269e8e8d83ad8083706f3c3af276f2c743f08587ed03cdad00e4ca1a4d7bbb66e047deed485635d8c6d3db1b89dd492b8172cbf8d1c3a1a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
0851ead2c3fb8fbdcdd75fd630308e2f

SHA1
16d2fd729ce15e052e3d464532628f43d0b2f856

SHA256
0b4dd56c1ff28081d3f606a5f0c491259fd3f5d0d88799f038f0341240396f1d

SHA512
5ca0fa0cd1a3fdab32e97ef779cf888a3aab118495ee4148587e9c6a2c378e4c296507c766970021a0267243b1aa149100c44ae591f1ded5fa2bc0af40b23e24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bb80.TMP

Filesize
1KB

MD5
b7f789359660e2ad4301314dd6b0333f

SHA1
34f196f802f3894cae94c704cf52364802801eb2

SHA256
4eb77cb01bd27f08a6f0cbf7644d25d61b282b5c5cfd79fc853d2234987b71ca

SHA512
66f163e37e6ae119b07843bfb80f27ea8be5ea83f88afe072557f272dc9e5c8c88f8324e4fe23d74e017226af419fdf4dfd6530e219024733c6c256070f520aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c6d2dddfabfd0c465d4b6ef76d37a749

SHA1
afe9acb7a7d046cb69ae4d25344a375767d8ee92

SHA256
bf0af93244705f40883a4657d064575dd7eb2b9e504793955b2b5fc2af253fb3

SHA512
438a407126e7332b5d4605682df72d257ef1417374ce3fcb9c2ea64ac461d9abd6d884294fedb438a9ad545a18c7300423ab5148bf3cf02eda2ef7583dacf6c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
09595566aa3767cf0de68cae811916d8

SHA1
312a72b7342b951695a48384088a78d1ba229a6e

SHA256
0dc2f7519c7f1563634ca8775ab264f489adeb0fc614f78c496bf4e4a1f8a0cf

SHA512
3c856b5e92d6127112ad4fee8dc0b55436189f53d33d094f193688f8b4b50a3cbd8d7f3204b97178f99fc057523eb0151b8bd08203386a7d8041b7ff94febba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
ce9658c4ce329b26c799c2d1f59dbf96

SHA1
1424913861fe22265f647c9d94622420118bdf30

SHA256
410907e3aa3df7f245ce357eec6228baf5ff6a4919c3fad3de405ab5629c0633

SHA512
7defbcc3828e7b5cf12c86fe474a0ef6a86f7b80b4b68598848cd81baea742b08d15d2de43d6c4f485035806ce31dfb995a49d105b182aee697c45435e9788a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf

Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe

Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\text.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 519569.crdownload

Filesize
6.7MB

MD5
f2b7074e1543720a9a98fda660e02688

SHA1
1029492c1a12789d8af78d54adcb921e24b9e5ca

SHA256
4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

SHA512
73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

Download Submit
\??\pipe\LOCAL\crashpad_4548_FPLXAUIASWZYIVRE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4144-974-0x000000000B270000-0x000000000B280000-memory.dmp

Filesize
64KB

Download
memory/4144-975-0x000000000B270000-0x000000000B280000-memory.dmp

Filesize
64KB

Download
memory/4144-978-0x000000000B410000-0x000000000B420000-memory.dmp

Filesize
64KB

Download
memory/4144-980-0x000000000B270000-0x000000000B280000-memory.dmp

Filesize
64KB

Download
memory/4144-982-0x000000000B410000-0x000000000B420000-memory.dmp

Filesize
64KB

Download
memory/4144-981-0x000000000B270000-0x000000000B280000-memory.dmp

Filesize
64KB

Download
memory/4144-976-0x000000000B270000-0x000000000B280000-memory.dmp

Filesize
64KB

Download
memory/4144-979-0x000000000B410000-0x000000000B420000-memory.dmp

Filesize
64KB

Download
memory/4144-977-0x000000000B270000-0x000000000B280000-memory.dmp

Filesize
64KB

Download
memory/4144-971-0x000000000B1D0000-0x000000000B1DE000-memory.dmp

Filesize
56KB

Download
memory/4144-970-0x000000000B210000-0x000000000B248000-memory.dmp

Filesize
224KB

Download
memory/4144-947-0x0000000005920000-0x0000000005EC4000-memory.dmp

Filesize
5.6MB

Download
memory/4144-946-0x00000000001D0000-0x000000000087E000-memory.dmp

Filesize
6.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads