hxxps://whorecraft[.]neocities[.]org/fakeerror/

Analysis

max time kernel
202s
max time network
204s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19/06/2024, 21:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://whorecraft.neocities.org/fakeerror/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	rundll32.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633051406913325"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 6954bfd38dc2da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000141bd5f4869d140e36a2552839f0c32c1cf254567a28be6353d11dd1c9f25cec5c3af5c3ad5fdb86b8fb0bd0e34e65e7b436b44a74464d8069c1	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 47d575cf8dc2da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Pack = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{3843D283-D4D7-4881-9B2A-E1F5D1271FD3} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0"	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3580	chrome.exe
3580	chrome.exe
4572	chrome.exe
4572	chrome.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5116	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe
Token: SeShutdownPrivilege	3580	chrome.exe
Token: SeCreatePagefilePrivilege	3580	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe
3580	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4620	play_me_loser.exe
3664	MicrosoftEdge.exe
5116	MicrosoftEdgeCP.exe
5116	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 1004	3580	chrome.exe	74
PID 3580 wrote to memory of 1004	3580	chrome.exe	74
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2300	3580	chrome.exe	76
PID 3580 wrote to memory of 2152	3580	chrome.exe	77
PID 3580 wrote to memory of 2152	3580	chrome.exe	77
PID 3580 wrote to memory of 4660	3580	chrome.exe	78
PID 3580 wrote to memory of 4660	3580	chrome.exe	78
PID 3580 wrote to memory of 4660	3580	chrome.exe	78
PID 3580 wrote to memory of 4660	3580	chrome.exe	78
PID 3580 wrote to memory of 4660	3580	chrome.exe	78
PID 3580 wrote to memory of 4660	3580	chrome.exe	78
PID 3580 wrote to memory of 4660	3580	chrome.exe	78
PID 3580 wrote to memory of 4660	3580	chrome.exe	78
PID 3580 wrote to memory of 4660	3580	chrome.exe	78
PID 3580 wrote to memory of 4660	3580	chrome.exe	78
PID 3580 wrote to memory of 4660	3580	chrome.exe	78
PID 3580 wrote to memory of 4660	3580	chrome.exe	78
PID 3580 wrote to memory of 4660	3580	chrome.exe	78
PID 3580 wrote to memory of 4660	3580	chrome.exe	78
PID 3580 wrote to memory of 4660	3580	chrome.exe	78
PID 3580 wrote to memory of 4660	3580	chrome.exe	78
PID 3580 wrote to memory of 4660	3580	chrome.exe	78
PID 3580 wrote to memory of 4660	3580	chrome.exe	78
PID 3580 wrote to memory of 4660	3580	chrome.exe	78
PID 3580 wrote to memory of 4660	3580	chrome.exe	78
PID 3580 wrote to memory of 4660	3580	chrome.exe	78
PID 3580 wrote to memory of 4660	3580	chrome.exe	78

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://whorecraft.neocities.org/fakeerror/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8964d9758,0x7ff8964d9768,0x7ff8964d9778
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=2212,i,13055241198288596415,2393279090258720272,131072 /prefetch:2
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1772 --field-trial-handle=2212,i,13055241198288596415,2393279090258720272,131072 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1804 --field-trial-handle=2212,i,13055241198288596415,2393279090258720272,131072 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2932 --field-trial-handle=2212,i,13055241198288596415,2393279090258720272,131072 /prefetch:1
  2⤵
  PID:804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2928 --field-trial-handle=2212,i,13055241198288596415,2393279090258720272,131072 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=2212,i,13055241198288596415,2393279090258720272,131072 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=2212,i,13055241198288596415,2393279090258720272,131072 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4660 --field-trial-handle=2212,i,13055241198288596415,2393279090258720272,131072 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=2212,i,13055241198288596415,2393279090258720272,131072 /prefetch:8
  2⤵
  PID:700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=2212,i,13055241198288596415,2393279090258720272,131072 /prefetch:8
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4428 --field-trial-handle=2212,i,13055241198288596415,2393279090258720272,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4572

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4620

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4356

C:\Users\Admin\Desktop\extract_me\play_me_loser.exe
"C:\Users\Admin\Desktop\extract_me\play_me_loser.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4620
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler https://files.catbox.moe/3f53a3.jpg
  2⤵
  - Checks computer location settings
  PID:2520
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler https://files.catbox.moe/3f53a3.jpg
  2⤵
  - Checks computer location settings
  PID:2036
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler https://files.catbox.moe/3f53a3.jpg
  2⤵
  - Checks computer location settings
  PID:2032
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler https://files.catbox.moe/3f53a3.jpg
  2⤵
  - Checks computer location settings
  PID:4420
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler https://files.catbox.moe/3f53a3.jpg
  2⤵
  - Checks computer location settings
  PID:2008
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler https://files.catbox.moe/3f53a3.jpg
  2⤵
  - Checks computer location settings
  PID:196
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler https://files.catbox.moe/3f53a3.jpg
  2⤵
  - Checks computer location settings
  PID:204
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler https://files.catbox.moe/3f53a3.jpg
  2⤵
  - Checks computer location settings
  PID:2932
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler https://files.catbox.moe/3f53a3.jpg
  2⤵
  - Checks computer location settings
  PID:4156
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler https://files.catbox.moe/3f53a3.jpg
  2⤵
  - Checks computer location settings
  PID:1300
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler https://files.catbox.moe/3f53a3.jpg
  2⤵
  - Checks computer location settings
  PID:1768
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler https://files.catbox.moe/3f53a3.jpg
  2⤵
  - Checks computer location settings
  PID:792
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler https://files.catbox.moe/3f53a3.jpg
  2⤵
  - Checks computer location settings
  PID:824
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler https://files.catbox.moe/3f53a3.jpg
  2⤵
  - Checks computer location settings
  PID:4512
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" url.dll,FileProtocolHandler https://files.catbox.moe/3f53a3.jpg
  2⤵
  - Checks computer location settings
  PID:2184

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d0
1⤵
PID:2980

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3664

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1640

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5116

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8da02038ac2087a3b26f92914ed32400

SHA1
ec024cbc00229f3d2b075a1e48a003afaeb3f9a0

SHA256
48f29fc7a3221e22b95b111747eefabe1dbec2c1fa03796bcadd43a62425d89e

SHA512
c8ad91d1aa10062fc4e6667d2b591f7acca5fdee624e79de9a286817fa070e6a36e2461bc90985cd310f7bc89100b8878c8f0dcf9b7405b843dcfab0cd13eefb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
704B

MD5
61b0c1c5abe6d9b9bca5adac142e41ae

SHA1
45bf7f7572b41184e3cb8ef9940dd3050a58f2bf

SHA256
cc4502ac6d6efcaca6a75cd21ed1a5a24ce64997f37e400ec50142113c3c849a

SHA512
360d885806be306c21f0ea8f018518e420f88dcc17e009744c84ed6de637e912381d9d20a3c3479dff0e66435bcaef29ff6393b6860abd16cbd115f956d06675

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
48c49cb5e29d3e1fd69814db11c04af6

SHA1
8ce4dbb84ff582ad357c43722cf2124314347076

SHA256
e911bc59debafd2a19ab23daba8d081080ca9d034e2a963eb33e180c91dea7f1

SHA512
10e6aaf7e7b050f45c25035946c6d325865069192bbbbcf53b116bc8bc752ea8972af185fdec045b659d3c52c366f1f3c6fbb0ceba1b87bc1924274308b8f43f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e25ff9689a515fbc899dc8fc94842b79

SHA1
e13936109bd0c882be04a05702428e11e025718c

SHA256
a0f55c38a63dd245f701e9f92ff3020b93d8f6667fa23c65333b62264a548a2c

SHA512
85241c86772f94611fb5ab912bca53517f316bac36791806bbb743793a529e0989d38f2eae83adea9d920ec70ffb702f2bb8d11c9bc1ae7574ca3b5f48603f81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
85cc16252f10687ba6bb7810a99eff82

SHA1
75db5f831111a914ee0ad52712f2ddc89ab74099

SHA256
43fe3f8dcb326515cd4b09d4da34ede524d0594e83f8209c06675ad3970ccf01

SHA512
abac46651415570b6c8ae3a81fa024a25b1c97ab0385b5d53e49c209981466f50af5ac3b44ab4cd00bd40dd182fd4be82a5f4b8e6fb39f46ebb91cbd1a112f07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3c0ae75af307d231b4c396b1cb755ac3

SHA1
0acd15cd6cc0860e769ff8cf1a1b875b0c9c49a4

SHA256
329d169a85f41c195b4cd677bb8865531a8270749bf70b82716dec9f292773eb

SHA512
96e43bc84b016ba3b339776a1ed832fcec1dba1f03d18171af98729ad626530fc8a8fceffb6e314d2b05be49d98712876fb0815bf96d6c6c5e574c2cc9df6234

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
e5d232641604f3db2ba259d5238c8704

SHA1
0fdb441548657b5092a3399be8c55fb7bd8bcc94

SHA256
104a971ac45644e41474b7988f41629c8351efe336b8a76883b0446d0284c596

SHA512
2bddee7949d3300f965f3930a826d3b1ccf89e07ae238c1c5567420f7e22d3ad50a76a6a6a6ad0a48e8de72bac0e2af6338163235d8374254d08f0d1ca9c5bcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
b703ed62f044e8518abc668d00b8307a

SHA1
356d9c6a6383b23a82a428038bb016bdf1fcddeb

SHA256
b2696b5de91c6bbaa8003810daae6e39a636a2a41aa00d6d4657bed1ed312ba0

SHA512
606e0786d81832317960aac448274b6f245273e9a1d2070bcb93d60c72b1b6e4100bbdee27b8eb1e9087f02bdb1b584118bfc39442f696fef15590282e4c1194

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe587da7.TMP

Filesize
100KB

MD5
4421808e78517a9cabb6282224aa445b

SHA1
356d5281b1cc24b1ea2423acce15a81c07f1f14c

SHA256
da506966f88c154852304b6e857c07ec56d19f844ceb04edaf6cb6b5e45a8083

SHA512
f2a502cf3b64a877cfb778f0ebba34e56a60fb3a5cf5af45c5f3e114f20b76c16bde15fb025c27215e7fcff99c74ddd68662ee166341249543be8ccb1f1adf90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\FA7OP11H\favicon[1].ico

Filesize
5KB

MD5
6c5064b85ac0ca9ca7176983f4e1ccc7

SHA1
35e2af3b324604e6fd92460cae86265352574f5f

SHA256
6d6267ff22032bdca0f0363f159f5dd485271b8c60bd4635ed13926666f62627

SHA512
22402b999c86569085d9805ed2bbd747f45cd5d94c999ae165352a0d8ec54f872453a5d169e835193a52304da2c02eb0a082785ca37801c05ecd43ef955304cd

Download Submit
memory/3664-99-0x000002B371520000-0x000002B371530000-memory.dmp

Filesize
64KB

Download
memory/3664-134-0x000002B36EBC0000-0x000002B36EBC2000-memory.dmp

Filesize
8KB

Download
memory/3664-162-0x000002B377AF0000-0x000002B377AF1000-memory.dmp

Filesize
4KB

Download
memory/3664-163-0x000002B377D00000-0x000002B377D01000-memory.dmp

Filesize
4KB

Download
memory/3664-116-0x000002B371630000-0x000002B371640000-memory.dmp

Filesize
64KB

Download
memory/3664-177-0x000002B3758B0000-0x000002B3758B2000-memory.dmp

Filesize
8KB

Download
memory/3664-184-0x000002B36EBB0000-0x000002B36EBB1000-memory.dmp

Filesize
4KB

Download
memory/3664-180-0x000002B370790000-0x000002B370791000-memory.dmp

Filesize
4KB

Download
memory/3900-149-0x0000029C4E0D0000-0x0000029C4E0D2000-memory.dmp

Filesize
8KB

Download
memory/3900-146-0x0000029C4E0A0000-0x0000029C4E0A2000-memory.dmp

Filesize
8KB

Download
memory/3900-153-0x0000029C5E4F0000-0x0000029C5E4F2000-memory.dmp

Filesize
8KB

Download
memory/3900-151-0x0000029C4E0F0000-0x0000029C4E0F2000-memory.dmp

Filesize
8KB

Download