23678203b2cd5c342b12eb50c6a244199fec932d8f2c7f0d910165d8efefceb5

Resubmissions

24/06/2024, 15:00

240624-sdl3cs1gml 4

24/06/2024, 14:45

240624-r4p19s1ckk 1

Analysis

max time kernel
292s
max time network
294s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
24/06/2024, 15:00

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

sample.html
Size

494KB
MD5

8ac1b1983aec7beb13ccd9b4c7bb7d90
SHA1

e341b40132f45bb3fed3dd1ec2cecebc415ee7b3
SHA256

23678203b2cd5c342b12eb50c6a244199fec932d8f2c7f0d910165d8efefceb5
SHA512

3f9c05ac308d57f7a5f9444d429032f6a5416092c137f7c406a7e2b6f3a30b36d004625e0756d0906538f5129dc643e3fd0e41995a0fd5f84a7085686db20bc7
SSDEEP

6144:J2kO8yO8wO8NO8qO89O8pO8FO8+O8iO8CUZ:JbOBONOsOJOUOMOeO9OBODUZ

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "250"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1328	WINWORD.EXE
1328	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1888	msedge.exe
1888	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
5100	identity_helper.exe
5100	identity_helper.exe
1552	msedge.exe
1552	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe
1360	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2032	MiniSearchHost.exe
1328	WINWORD.EXE
1328	WINWORD.EXE
1328	WINWORD.EXE
1328	WINWORD.EXE
1328	WINWORD.EXE
1328	WINWORD.EXE
1328	WINWORD.EXE
1360	msedge.exe
1360	msedge.exe
4824	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 2612	1360	msedge.exe	77
PID 1360 wrote to memory of 2612	1360	msedge.exe	77
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1152	1360	msedge.exe	78
PID 1360 wrote to memory of 1888	1360	msedge.exe	79
PID 1360 wrote to memory of 1888	1360	msedge.exe	79
PID 1360 wrote to memory of 4768	1360	msedge.exe	80
PID 1360 wrote to memory of 4768	1360	msedge.exe	80
PID 1360 wrote to memory of 4768	1360	msedge.exe	80
PID 1360 wrote to memory of 4768	1360	msedge.exe	80
PID 1360 wrote to memory of 4768	1360	msedge.exe	80
PID 1360 wrote to memory of 4768	1360	msedge.exe	80
PID 1360 wrote to memory of 4768	1360	msedge.exe	80
PID 1360 wrote to memory of 4768	1360	msedge.exe	80
PID 1360 wrote to memory of 4768	1360	msedge.exe	80
PID 1360 wrote to memory of 4768	1360	msedge.exe	80
PID 1360 wrote to memory of 4768	1360	msedge.exe	80
PID 1360 wrote to memory of 4768	1360	msedge.exe	80
PID 1360 wrote to memory of 4768	1360	msedge.exe	80
PID 1360 wrote to memory of 4768	1360	msedge.exe	80
PID 1360 wrote to memory of 4768	1360	msedge.exe	80
PID 1360 wrote to memory of 4768	1360	msedge.exe	80
PID 1360 wrote to memory of 4768	1360	msedge.exe	80
PID 1360 wrote to memory of 4768	1360	msedge.exe	80
PID 1360 wrote to memory of 4768	1360	msedge.exe	80
PID 1360 wrote to memory of 4768	1360	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb0aa13cb8,0x7ffb0aa13cc8,0x7ffb0aa13cd8
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,10605473238054339671,15937269928469153939,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,10605473238054339671,15937269928469153939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,10605473238054339671,15937269928469153939,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10605473238054339671,15937269928469153939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10605473238054339671,15937269928469153939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10605473238054339671,15937269928469153939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10605473238054339671,15937269928469153939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10605473238054339671,15937269928469153939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10605473238054339671,15937269928469153939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10605473238054339671,15937269928469153939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,10605473238054339671,15937269928469153939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,10605473238054339671,15937269928469153939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10605473238054339671,15937269928469153939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1900 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10605473238054339671,15937269928469153939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2840 /prefetch:1
  2⤵
  PID:104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10605473238054339671,15937269928469153939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2652 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10605473238054339671,15937269928469153939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10605473238054339671,15937269928469153939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,10605473238054339671,15937269928469153939,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3700 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10605473238054339671,15937269928469153939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:1712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2600

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4092

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:2884

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:4836

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:460

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1328

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4676

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
1⤵
PID:5004

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:5072

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
1⤵
PID:2992

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a32055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d84d1490aa9f725b68407eab8f0030e

SHA1
83964574467b7422e160af34ef024d1821d6d1c3

SHA256
40c09bb0248add089873d1117aadefb46c1b4e23241ba4621f707312de9c829e

SHA512
f84552335ff96b5b4841ec26e222c24af79b6d0271d27ad05a9dfcee254a7b9e9019e7fac0def1245a74754fae81f7126499bf1001615073284052aaa949fa00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c705388d79c00418e5c1751159353e3

SHA1
aaeafebce5483626ef82813d286511c1f353f861

SHA256
697bd270be634688c48210bee7c5111d7897fd71a6af0bbb2141cefd2f8e4a4d

SHA512
c1614e79650ab9822c4e175ba528ea4efadc7a6313204e4e69b4a9bd06327fb92f56fba95f2595885b1604ca8d8f6b282ab542988995c674d89901da2bc4186f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d1a9672010d5e24a267f27b87a43507e

SHA1
3b47494e86c57823719661707a196aa128bd8d36

SHA256
9e7db70ff34e23b3e8d96e384083706b08d88d3d5ca64c5e52267ec875f00e1e

SHA512
f7edbbc22f0da4fa9f8ae5ff1ea27d78c8478f942e1955d1fe97d04f987a083e8944529c4221a4088cb199c78ff70f044c231a0a6673957968b2727b77b23325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
795d18054f376c0badf6f8f07a9ae624

SHA1
5c42a712c45c5daf5fc53ef955829da13a76ec48

SHA256
fd939fbf0c341f9056e32a53f7a4fe5795ec56a275a29657a795454ec80bef17

SHA512
b0de1ff92a655fb1d92e97defe140c91083a83b8643f2b4ea709952911ef1cbce1974a101efa538e3e44b67668ea548ab37f28f89a2d2d114569e2cd0fb35478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
290ec4e223922a0a5bb5f65c5d3fa27a

SHA1
ba6735297b4e62e418c518519f757ccf33fc0f32

SHA256
e99bc6d4360e79a6d5c1cbb863dfb5cdc69724d86bc7e33e45ea4277d1d90d60

SHA512
0d9bd3d16f77831a74c015ab148eeb5af48cf91881b66c73b0cf31de24645f68a76d011f5490e997f40b1f84dc566ccd611434b39334eee41689252a5d5d9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
719040201291df1ac2a36690af035dd6

SHA1
7f87bc5654cefd92edc4e4be26dfaefaf87d4c2b

SHA256
69329801769e1305dde606657d766e45abf7e2e9be6a07a28e560a5f9b0b22d3

SHA512
ad329b0537d5f34832ed71fec7f2f990789a71e9bfc1edf9aae7fcf0af3acf1184b2fd1a2e5e898bc03628abc4f313e308a0f6da7d4dd3c7d7284c235afb3435

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9016b6c887a82701c0ed59bd9e166d26

SHA1
38d15282264169df3930ef67e5a814b4d225b9a4

SHA256
e1465b39cf361030c39f99e058298fff896a53fcbf5c3a473b8796f51cc511e3

SHA512
661b757333622ad11221777a3f274c1a0493495318ff15e0e0cbceda6805961245049dc2da78257f8e436402ad1727508a8fb6c7108a471674f52c25a1778e2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d715ae93adda79d62a9f89f17c1545d3

SHA1
0012fc4c022be98d99b5c8545f7a3f3c5a1b1212

SHA256
8d3a2e4663b51cc644aefe102adcae4b26d935fae9c8aec11e2ee0ffd41d8113

SHA512
c7cfbe7c9260c8b29e0d741cca1c23e3068e62f950f0c3925136380a67e9ba2571a17c6cc6087ece46b115bf0a5b8aff1864faf88d0499f4a80a0eadfc8c7a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
bdf1d5b16b6e8006b61029d56dbab7dc

SHA1
1e752d36c404b84163ef67d1243158dfd185d42a

SHA256
44431968df380c3211b7c5e152eb7114ab8994ece771a6fd73defaee8daabe22

SHA512
94d8aa94ccf3816b912785f6f9d9abd04ad47ccfe4c7528c3ae4877dfad895fb8570b2b75f9655b29e5762fb78508aae084353246368d09ae8fd13039bcd9796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
a45841ab9d9bf88a0ae1c97aa27a391d

SHA1
cfc923110e80dab51e1078ef69c2ac7920c7a44d

SHA256
6ecc8b360e2b1989648ea643d0e23f603b521a87b4bdda3cbad21e6fa40fdb78

SHA512
a8a0a2d2975a929211fceca5482d249e683d3d3317b36df4373a95d1a541be2edee7b1fadaec565c592d07304c0458b998406985bc775fee2b2fa77c845ee358

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
e5c68c61f338f7d17d8320f08c87603f

SHA1
3972eee95f54e1d22b738335b5b5b87a835aee57

SHA256
1bcafe155f5f8284316a30f98d6c82b1d665c5e258b0df418f37392629d8fca1

SHA512
c0f86050f5be7aca52e82e4ec7fd8f8e804de2aac09fbb41b23f0d4fd5040d446560b3b9f857ea30e7cd89fd97e16affa654526fb6e72b653bab783dd860c1ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
4632231af980985ce99882c881200fe9

SHA1
b5d914752b48b9d7bf3c5e482a743e059818cf56

SHA256
a89f4ca1e930e2d5b6c3f31dd8f6eb7f61eead24fea51721c9b9319c9dd8153e

SHA512
3dfb45d066e515ff14658279479284aa4eefa8051ac3bc2045c176fccf77d11ae00c1a1b90d4b305547671ac0df66d5f9c9be2bbb9742282f82138b48e37a36d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
8917f8c37e6e5681c7bf9c29a1c5e652

SHA1
2fd526cd2bdf6f0f08516f8b859b9f88c02664ab

SHA256
698fd83a23f2ebded5f62470198b279852236cc2ef5a25321ee1c7e9418bbeef

SHA512
5215190a6aec212c16fbc924b9728f1ed2e6a08a87190c1995a219a1112a1e4b13b26bd956ac4d37600560d57280e03fe1dfe16b636ad43a13256319ab18da60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
25b177fd2d7431ed5e1c5c1cc2e99ce2

SHA1
f512cbaf283394b3a69f072a5ca7e7f895997149

SHA256
3dfc9ea855d99882670b8fa1adf4abf01f190eaa9c31d47a916437156544319f

SHA512
cb510f4f34e449409055909e044387e70308c137bc423b05af8922dc720c55b42160419cda2e6aaf922f908a929ebf855aeabaf0022d590ad8b11af6436f3ddd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
4a758e0fa7c66d5aa729787cacb466d9

SHA1
0e45b20e76505863afecfb53c9d47b83a196da95

SHA256
5e226a4cc160f319ed59f7f2d470137951c18bc92612bb87b91a629be2b4e0dd

SHA512
e6f92cabb8699de947c886c1a7f47ff44b15c8ab1e7321546c3b265f48a1c1280d31c4a78db0f79896267632ac8800327227f87615f43b41afaad3d08747331b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
9af84e96eb7a751809409b6da7dc40de

SHA1
ef26472837b7268be04e2234f3697dc7f121d6ca

SHA256
63bbd27338f1a4feec094659402a18bd8828ca0ceb1f5a03df952bbfb0990112

SHA512
d0e87c7e7e99bbe30a8d9fa9d53e58935c23c00e9b17077b8fc6bd882fbc039aba150a60f9fc2a40ea4219a6a663dca346d508cfd937b47a35b47f23db01ab41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-6-24.151.2884.1.odl

Filesize
706B

MD5
089b0710960d5205ea04998f4ecf3298

SHA1
b53df0f1aa5518b70d21244c4ac404a867e22411

SHA256
62e55a440f19c6d177aedfb42d406e99dac973d0ad5c6c94e30805ac6c7c50f6

SHA512
4470c8bd633d7888bd695d1948f37a2d3490375a45e1783efff8d25ec224675f67133c1c7002a5f73a955e29d1bea23e512f2b3c77069a4334aaec4ec4ab1186

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
a71ab244d565671f741686cb2c5ed11b

SHA1
b6e766a85f1f878d512f752df2dd4873971755e2

SHA256
06a5716962f3b50a8aa3acd30e33d6c75664465c3d795196ad6dce5e33a80faa

SHA512
0826c8e52b0f5dbcbda745f06390fd59ce9eee8e0e845cdb007f4a97b19065f2544ca63226b34d361adf9e1cf26644672abfe5dcfd75651cd2aeb1ae27f16f84

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
44408d8bcd8c4ffe97a60ddf16281885

SHA1
ab8773e27c92a24e12969dd4dc6bb8422f15d589

SHA256
a6047cddc1126bc128da907db3550e725647640752e6a5c71ce9445735a9e83a

SHA512
ff4e382bd3d00515f57bb735c6ffce35afd9f63a8def25ba18f722e618ac9f107e31e0ab44ff7758394e9ca7f52bc67b0ba70710c4dfd6afdb470a34093a35c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
202B

MD5
4566d1d70073cd75fe35acb78ff9d082

SHA1
f602ecc057a3c19aa07671b34b4fdd662aa033cc

SHA256
fe33f57205e2ebb981c4744d5a4ddc231f587a9a0589e6565c52e1051eadb0c0

SHA512
b9584ebfdd25cc588162dd6525a399c72ac03bf0c61709b96a19feba7217d840ae2c60d7b0d3b43307a2776f497a388e79ef8a646c12ae59a7f5cc4789bbf3c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
a918656fbe118152989cc5094b2930f2

SHA1
dc625b60d671fb9c972ff5a15b128baf26389424

SHA256
97c5eca08fbabefd96fdf76f73575ee873b981e39d12edc436734aefa1321578

SHA512
721693b17a7154bbab8312968b839c54dd88b1928a64da436e611d8de0449f95cb1d26e96dbc9f24a71c1dda8c5f6a7c7b56aec2526ea2533bfc1d7727572dba

Download Submit
C:\Users\Admin\Desktop\ApproveUnpublish.ttf

Filesize
843KB

MD5
93cee00c7aee1eff8a2f7095398b7aae

SHA1
2b279f6ba5a2b05c0746359a9c7e5729baf8d3e1

SHA256
514b58ea8e714d4ff8bb2cbd00ef53c135d2af4e33e595639d46b01887396c9f

SHA512
d1d2da1305f260d1341f4efe40e58abf95496aa42d0036065cd5e7f5c1960e1cf9453808bb62b28ca5c58804d82e26cd5b9b05cac81a038d88680c269bc2d6fc

Download Submit
C:\Users\Admin\Desktop\CheckpointExport.emf

Filesize
799KB

MD5
614d039a52cea1550c3d6998113f92d7

SHA1
55795c967662884fdbe9f8a10f4e82e503971e22

SHA256
2098eb44ed0b00a02225757b386f4023ac52ae206f9dfa37472d4e0d157fa051

SHA512
cc2b4f8ee6f3839c384ceb521c8948b2baab101f56de6582321156058718e49bb48ee079b4b3ef48ff105e8fde018aeac66e97cd907dffbf6693214415df2862

Download Submit
C:\Users\Admin\Desktop\ClosePop.wmv

Filesize
712KB

MD5
b1ef807a4691da6c54c302ddb906016f

SHA1
def7496689b0902f0b9bfecb7b0683c5a582f344

SHA256
474d9d7ab1ec246ebf6bddfc7dfc6a523a51c40a57a9a6315360d996ab3c5977

SHA512
d5434b0cc05c5f90b462998c15774caa326b028811100a9610efa680398e751e7f4aa721569071d47811cdc8b43406cb94aea9642071284077e84f8735905b04

Download Submit
C:\Users\Admin\Desktop\CompressSubmit.bat

Filesize
778KB

MD5
e66da3f71c115883089559b30cbd4a13

SHA1
0c6cdceeb93b84aeeb473c449d50ae3ec2a400ac

SHA256
573bf780cb3c2234928edfd211046c498dce9d1bd539ceb66bee35cb42fbc929

SHA512
1b0b342b92f9f7868ec18ae411ec8b4eef479541f21195d7e4db569c807b64a922fe0a7d50a022b054b0cedc33fdde3586fc073f3f2a222849006810c14445b6

Download Submit
C:\Users\Admin\Desktop\CopyConnect.avi

Filesize
383KB

MD5
072701193499501387013abc2fa1e86b

SHA1
b93f121370f064d4e25945f04b4829591604680d

SHA256
acfae4f077c9af52dd268e2cd12cc25546da985bccfeb042ea8d9a8d3adde650

SHA512
72e0da5aca6dc3a1a11cd240367a268fd95156888e50f64fd1b4f90202e2df12da011e5f1d27ab7059b77f16108d3b04910470b0426b5d4a0f011be3ec144b84

Download Submit
C:\Users\Admin\Desktop\ExpandOptimize.ico

Filesize
646KB

MD5
9133054ba010c6a50a93f129ac50a125

SHA1
657444d89820b22ab2bd39e548dd021ccb019292

SHA256
6d078aa5ca9e430a8a958758c28c652b42f32286b65cc1d4d70ae56e104d1fba

SHA512
660bd9bf4cc303dced21e880c45006f6ffb72f71dbeb50c039adf16204139c6898975c56f87e53a453b74a230022fd9fa849bc1cc5b1ee19c0b73491e49eb5ef

Download Submit
C:\Users\Admin\Desktop\GetLock.wmv

Filesize
887KB

MD5
5779a2567754c5247add6a6de36be249

SHA1
11a00b93937755cd353fbc96789fab42fa5ee53b

SHA256
95b1c6555a1a7808e2ebd53b1872a52a92e45e13b92f0d400f5d52cac83b0c08

SHA512
2c6554400536472f3bd5a8c2a0a0827bb7dc9974323bd18083effd7d3f363348bd5408226cb05292c7c89b796b51cda85c771a8086616298d984332b6bd366c4

Download Submit
C:\Users\Admin\Desktop\GroupRestart.vssx

Filesize
734KB

MD5
2a6e8149fcdcac07d6a1e192ef60013d

SHA1
c142c17b4ecb78089fc4ad3b47d9263c7dcadaf2

SHA256
875e2d171d7fa0682fbf78ac15438a1e560deccdf804a253c848c74d4a0e2d2b

SHA512
d5b6290da77ff4005b73f828a163c6319483e067b2a7f35d9fa428a72fd3cd278ccff579250c57a61557e8d0943a07f03e9b4774855845dc90981429be11f8dd

Download Submit
C:\Users\Admin\Desktop\GroupResume.potm

Filesize
536KB

MD5
8f0196d610982d4b4602474a7c683579

SHA1
f31f46b7a9e8ef0a33033b4d9ff6618abeb53e13

SHA256
315c967b7b7544c6df7a8433956099a840d5801066c384d333c837d6d20b7127

SHA512
87e0cce2f369ed29f87d63a06c52e13a38cf3625569880345806c7e15003499c0020d9633d0e24235363f6b5dd7c2425d8b1429f54da2b6b6c9aaa37d56245b1

Download Submit
C:\Users\Admin\Desktop\ImportShow.xml

Filesize
690KB

MD5
4b79cdf9bce38e934a38919f8fbd1bb9

SHA1
1f3467c526a8e6dc22cc52ac8820342028084510

SHA256
b7fb9c5e3418a189578144d9a833cdeb2c93a1f92d2c387470a268fc0b560c3e

SHA512
2481b56604d61d34eb60149e8dd503952c9099f6a14ee9b354110ca92e25ee8ee676d743ead8f07124e4bc3fa80a4bf515c897d8d4ababb9d4c83efa39e07ec9

Download Submit
C:\Users\Admin\Desktop\JoinSuspend.xps

Filesize
427KB

MD5
c7ba34871703544488bf4bfd80a6d559

SHA1
f67d1fbfcc852970c60ea2c2c807f02df2cc597a

SHA256
97c0bb3af25b84a5b80ef1e91afbba17b4de9e943d7f485497727f128e250436

SHA512
66f38daeb842daddb026833a0c03ea3769abf0288f66683a95e134784ca20042e273599ecafa8c01e2eb15e68ce2f3035417178ca654bb398f02667761ecce7c

Download Submit
C:\Users\Admin\Desktop\LimitUse.mpv2

Filesize
515KB

MD5
4bd65506a4e63d1f1115ea03dece8de9

SHA1
f47de31636a5591245d78e5977afc4bb4bbba65d

SHA256
b6e369ebc026257712c06a02d720574fd47b8e26a7aa4dcdcf45ab3b28a7e16c

SHA512
8bad12d34b307141e3ad2bea2f1f4c12abe7eed1acb2663f2a3830e74f8de0bdc2577cca87f84901b58b7800015eed4a72a0a4b63bd5d54ebe1800bd5726637f

Download Submit
C:\Users\Admin\Desktop\LockResolve.cr2

Filesize
449KB

MD5
e535953a2d9b3a649c45e8caae78fdc0

SHA1
f7041f7a3553cd2cd9767e430841ae2f6dd4df95

SHA256
4a92fb03c82612f55c1c8e5099ecc780447d174f3ce519a59f03dfc34fd2ef7f

SHA512
37f64e4fa8b92aa271bd11605af67fb911af9dd23cd6d9a3759802de8abe0a35dcfdde3bf5b8d59bdf002eddb73a8d899a298276b72749c30e3139519c5976ff

Download Submit
C:\Users\Admin\Desktop\MergeEnable.mpeg

Filesize
865KB

MD5
3be32d6a85a8d7a4f79c5825946e4ae4

SHA1
cadaeff2e8a56065ce5cdee8071da74ff07a9572

SHA256
fbf105e0f97877abcd8a3bb6c8b97e1dc6701d284deed4ff83a2caf75a397f43

SHA512
d9dfd6253c97e77058f263e77ca7b5eec1be0b78ca770e5f63549b08fb9474bcd238d56d5186df326409f7f7f086d7545187becf1a144e2b4ef846a4d15d8ca0

Download Submit
C:\Users\Admin\Desktop\MoveInvoke.dotx

Filesize
471KB

MD5
e9951f2baaeab5974ad81be7df48edab

SHA1
9e160dee04b73cc820f12b0af5920d47cb3353d2

SHA256
ccd0d8d84096ec388a0f1d9db07c376cc52049bd6991fbcbd4832d7ce170128f

SHA512
d37f77f8053983dea4b91ef7beb71ea5abbf1a85c271c8d902f7a4abae4516baf69278dc8ff0586180f786a666d5a800c095546ff1273d93d10dad80b8153020

Download Submit
C:\Users\Admin\Desktop\ReadStart.wpl

Filesize
361KB

MD5
a706436e6c9892da843dfed4d3030ee7

SHA1
b7c40139b95bbacd416768141fdd281ac89bdcc9

SHA256
277f8921647db6be5d7521296a841856eb167f444ea0a6b66cd51f21afa3b659

SHA512
03ec803e83b0b3bdd92ba851e3b0d2f769220a84fcd6cddbb32c48fbd14a6c5d36d864856bed4ff29c09518fcd47e3cfd9bb923f170b54ecc01b5468122657ae

Download Submit
C:\Users\Admin\Desktop\RemoveReset.svgz

Filesize
405KB

MD5
1e8c9be7d002c3591cf37917102e7d36

SHA1
27d0be4682a5364d2a1d76bf05b3ccb94a130b65

SHA256
c34394bc586517ac6ea8bffdcd216cffb0ed51bf5659f9ffb4da94403a57329d

SHA512
505c38459285fd00f48bf64ab5aa2e0758fa58d70d74d856b964a93e6f17ef4d9a8ac2a40d0c46d07624c801b6006fbffcdbee63b74cd9c0cdf3f02f054e4752

Download Submit
C:\Users\Admin\Desktop\SaveApprove.mov

Filesize
317KB

MD5
fef95e543759525633f1340c30e2dc41

SHA1
d2c008016408b59c5cfd723a65b928f4d1efb0a5

SHA256
3428f9968453563328232161172d2c46982ed3a6cca9fe227faddd071a9ef68c

SHA512
940b2ee1d0f60623045c9b071d6c23ddfffca163a1e34ec1a2826c9dc9da90b3efdbdd368353f6e3e6ed72c7eeb40566c68cb5ce7f57599e73b1fc2a86277bd3

Download Submit
C:\Users\Admin\Desktop\SearchAssert.au

Filesize
602KB

MD5
1988dfe311b11b2e62eed4f86bbba7ae

SHA1
b594d494cc50d0c15c1b7c8bf6b3335424c522f2

SHA256
288b76bb8c6fda68cadcc75c26459be1cb9b0fa60027389627fdf3e9ede42464

SHA512
9ca63eff0709027b88148f3261307db6fd0b77a4c7a8426e880a945fb2964cd33b60406fbbfaf0ece6f0a92a698d9e201747c08d9feee0c70b3bb74d259aed64

Download Submit
C:\Users\Admin\Desktop\SkipCompare.vsd

Filesize
1.2MB

MD5
24a12184102846d988e99a5e031a71de

SHA1
6177c08d2e7083fe2c93a6291ac71903e3f87528

SHA256
906415500642362297cb704041f7c7ed7002971b4029e51efbe39709c46ee4f3

SHA512
9da99b5b75361bcd98b98bb4351941ccbf879d8e6d38871b6cb6b716c1d96471beec6afd7d5f94de4ff3d7bb84ab76d01b369a19baefbeeade95b4b768c23cbf

Download Submit
C:\Users\Admin\Desktop\StepUse.xltm

Filesize
756KB

MD5
25a1b92aefec36aadf84915c28a8436b

SHA1
8d7c34b2389b77083623704cdc63b3bb03ce085b

SHA256
f01a2f5c1210f4d74bc23ab6aa571579943073209c63ee124c4092aab780ad43

SHA512
81ad4033d3df2a64bdfe41d6f936a489aec4528d4284432c920079a665477a1e2156fe3f146e0c6d6f976a2729a5f527fc9687891dfa30381958992595939713

Download Submit
C:\Users\Admin\Desktop\SwitchReset.3gp

Filesize
668KB

MD5
e73b3918795040f1184bf77b66d98abb

SHA1
6487acb25f0a5cf8555cd262ae992d5b25f83d46

SHA256
86b269f4b51dcbb74f6775793e8c82a5457056ad46a8fa1eba8416f2e6272d6a

SHA512
5d75b1295e0f6355935e563b8848c1b415ce1488b78fb15360382232de01cd907323d1a8eace20d4734ff804599431a5a437bd30838f9e02bf24c149a3197520

Download Submit
C:\Users\Admin\Desktop\TraceDisable.exe

Filesize
493KB

MD5
1a99b615cbe4ffc947997b49322bdd2d

SHA1
70eaa5a458cd8c00ecd6ed1711755e82d9199ee0

SHA256
c6c5e3d74c2a6b3d8486a45d5d72f6c8837e03743080c7049d8fc41c1b9776d1

SHA512
2da70aca5e4113a9b7420067cc800433a0c7687b6b27f5676fff9287c5427e14961e9ee5cbe37c3f3d1a9b12022257da08b1a25e38a55df729d9bd8568683daa

Download Submit
C:\Users\Admin\Desktop\TraceRead.bmp

Filesize
624KB

MD5
2729a3b6bdefa6559b1d2fbad95a4da7

SHA1
d98fa5384ead7e6e260d7f560b5be0ebb82e3a7b

SHA256
5cbd4ac3c0a5d5eb1be42ff01ab12f8961691a75dc1053ecb2e6beaf6b02f2ca

SHA512
730187426336cebe749bab63d9e3620dcd7bc6db99630df8eb75617d838d20afadddeb033f30cb033df0fc256cf28a08e196942b47f5e9229bf158308aa2ebf3

Download Submit
C:\Users\Admin\Desktop\UnblockUninstall.rm

Filesize
339KB

MD5
8bbe7511a076ff4edf994f02ff6d1bbf

SHA1
04dceee15abb9ca54529fbfe9049883cb50d2899

SHA256
3f2c6d0c03661b6b6e90b444f793053323dc4c0e19bfc296c37f882e56534ff4

SHA512
31c915e4d8f30d85321d944129647ddaf7a0f68e70e8cae8a18e83cf61a26b1b6aaecabe5b1aba1cb5dbaa10fbf013f2081f3144d6288d01c4a9b66df25e0b61

Download Submit
C:\Users\Admin\Desktop\UnlockRepair.mpeg3

Filesize
580KB

MD5
6a04acf37ef9129ec8fe566fd29503d5

SHA1
b83d1ba85dffd246a476bfa99e59dfc46822e633

SHA256
df0040f1c4d92baa400647d29bb691c8c5eb43f579d653b74aa9d66e33fb52d1

SHA512
3edde34a364585d1b249466d6b03785164cd18480b38ea2c6544642927098b137751359d6e8ce56edda9b479b72c3a7a90ea20ea9da10dfca4fa667021933e48

Download Submit
C:\Users\Admin\Desktop\UnregisterCopy.emf

Filesize
909KB

MD5
347fb7f4a8d824315b4c6d862e93fef7

SHA1
6b5f09e068241c6a4b3e8c7654457c6ad6fc3367

SHA256
f1550e8828f842fe5484a5fca444a13b4c55f40023ac58f7a0736f63b2458571

SHA512
c7d1d0c35920dc33e39bcb0767fb373e47d98bc418e372e97670d04ef6b2dfc4807e76ea907ab10f542c247cc776b9f5fc121477f86c9f56d7fda1cc9652e58e

Download Submit
C:\Users\Admin\Desktop\WatchRequest.mp4

Filesize
821KB

MD5
cc6c74671872f03b25e15e60305c6c38

SHA1
24157c835b5f6e5bab043a5b81bd5d36b372706d

SHA256
1da3a8021305751eff23d4d2dd78bef17c20280e5da56af9066095189926e0de

SHA512
3fb30c694fb60f3fe6b5dcd2b03ee6b89af2794a83ba69dee2fa5cd48a83af03effe0f15826cbd1bfe17070e4d2873cf69186fb35414daa01f0b480eaa48200d

Download Submit
C:\Users\Admin\Desktop\WriteRedo.mpg

Filesize
558KB

MD5
59c0506fc4e439e9a38deb02c3a2e421

SHA1
268d4cf6bb67585f381c3c11cd92c2cec131a588

SHA256
337fb83c076e8f31777015311ccea81525dbca286a30ec87bac3317e1c3e7066

SHA512
f40962451d6fee0e739eb52f0a4b308b1e26856f5b8216b27d9b3b441ecdc8baa5fcbf1aae494bac714b77f0cbf194cd0913d6d3e83e7a5703ee8ba3ee909c35

Download Submit
memory/1328-237-0x00007FFAD9A30000-0x00007FFAD9A40000-memory.dmp

Filesize
64KB

Download
memory/1328-296-0x00007FFAD9A30000-0x00007FFAD9A40000-memory.dmp

Filesize
64KB

Download
memory/1328-295-0x00007FFAD9A30000-0x00007FFAD9A40000-memory.dmp

Filesize
64KB

Download
memory/1328-240-0x00007FFAD7670000-0x00007FFAD7680000-memory.dmp

Filesize
64KB

Download
memory/1328-235-0x00007FFAD9A30000-0x00007FFAD9A40000-memory.dmp

Filesize
64KB

Download
memory/1328-238-0x00007FFAD9A30000-0x00007FFAD9A40000-memory.dmp

Filesize
64KB

Download
memory/1328-236-0x00007FFAD9A30000-0x00007FFAD9A40000-memory.dmp

Filesize
64KB

Download
memory/1328-234-0x00007FFAD9A30000-0x00007FFAD9A40000-memory.dmp

Filesize
64KB

Download
memory/1328-294-0x00007FFAD9A30000-0x00007FFAD9A40000-memory.dmp

Filesize
64KB

Download
memory/1328-293-0x00007FFAD9A30000-0x00007FFAD9A40000-memory.dmp

Filesize
64KB

Download
memory/1328-239-0x00007FFAD7670000-0x00007FFAD7680000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads