hxxps://drive[.]google[.]com/drive/folders/12_8O2o_9tufEE5Dvup-uVXVdvSsp1JfE

Analysis

max time kernel
432s
max time network
433s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 23:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/12_8O2o_9tufEE5Dvup-uVXVdvSsp1JfE

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3000	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
14	drive.google.com
15	drive.google.com
191	drive.google.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\JJBotv3\runtime\legal\javafx.controls\LICENSE	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\conf\logging.properties	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\ucrtbase.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\legal\java.xml\xerces.md	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javaw.exe	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\legal\java.prefs\COPYRIGHT	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\legal\java.base\cldr.md	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-core-string-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\legal\java.base\public_suffix.md	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-core-console-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\conf\security\policy\unlimited\default_local.policy	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-file-l1-2-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\keytool.exe	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\jawt.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-errorhandling-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-memory-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\lib\psfont.properties.ja	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\lcms.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-core-namedpipe-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-crt-utility-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-core-synch-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\conf\sound.properties	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\legal\java.desktop\freetype.md	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-core-timezone-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-crt-process-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\fontmanager.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-crt-math-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-core-memory-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\legal\javafx.graphics\mesa3d.md	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\conf\security\policy\limited\default_local.policy	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\zip.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\include\win32\jni_md.h	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\legal\java.xml\COPYRIGHT	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\lib\security\public_suffix_list.dat	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-crt-conio-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\legal\javafx.controls\ASSEMBLY_EXCEPTION	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\legal\java.desktop\colorimaging.md	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\net.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-crt-environment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\decora_sse.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\prism_d3d.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\legal\javafx.fxml\ASSEMBLY_EXCEPTION	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-crt-multibyte-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-libraryloader-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\app\JJBotv3.cfg	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\lib\psfontj2d.properties	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-processthreads-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\java.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\JJBotv3.exe	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-crt-filesystem-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-crt-stdio-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\include\classfile_constants.h	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-namedpipe-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\app\JJBotv3.jar	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-crt-process-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\splashscreen.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-crt-time-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\vcruntime140.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-heap-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-crt-utility-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-crt-environment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\legal\javafx.graphics\ADDITIONAL_LICENSE_INFO	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\lib\security\default.policy	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\lib\jawt.lib	msiexec.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5a56cc.msi	msiexec.exe
File created	C:\Windows\Installer\{D1519E14-2AB0-389C-B7AD-51E57DC3C2DC}\JpARPPRODUCTICON	msiexec.exe
File created	C:\Windows\Installer\{D1519E14-2AB0-389C-B7AD-51E57DC3C2DC}\icon1735593305	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\{D1519E14-2AB0-389C-B7AD-51E57DC3C2DC}\icon1735593305	msiexec.exe
File opened for modification	C:\Windows\Installer\{D1519E14-2AB0-389C-B7AD-51E57DC3C2DC}\JpARPPRODUCTICON	msiexec.exe
File created	C:\Windows\Installer\e5a56ce.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a56cc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D1519E14-2AB0-389C-B7AD-51E57DC3C2DC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI597C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5739.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e7a671f193ce7b7c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e7a671f10000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e7a671f1000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de7a671f1000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e7a671f100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "242"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\41E9151D0BA2C9837BDA155ED73C2CCD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\PackageCode = "DE93FC7454BF4194BB87A0F843899217"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\Version = "16908288"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Windows-20240805T231625Z-001.zip\\Windows\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Windows-20240805T231625Z-001.zip\\Windows\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\41E9151D0BA2C9837BDA155ED73C2CCD\DefaultFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\ProductName = "JJBotv3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-355097885-2402257403-2971294179-1000\{31987E50-09FB-4EB1-BD40-99630AD9D4AF}	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B1423C193BBCC4D34B6F4D3AA87894B0\41E9151D0BA2C9837BDA155ED73C2CCD	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\ProductIcon = "C:\\Windows\\Installer\\{D1519E14-2AB0-389C-B7AD-51E57DC3C2DC}\\JpARPPRODUCTICON"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B1423C193BBCC4D34B6F4D3AA87894B0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList\PackageName = "JJBotv3-1.2.msi"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1580	msedge.exe
1580	msedge.exe
4896	msedge.exe
4896	msedge.exe
1956	identity_helper.exe
1956	identity_helper.exe
4980	msedge.exe
4980	msedge.exe
4676	msedge.exe
4676	msedge.exe
4676	msedge.exe
4676	msedge.exe
4072	msedge.exe
4072	msedge.exe
4040	msiexec.exe
4040	msiexec.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4368	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1808	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1808	msiexec.exe
Token: SeSecurityPrivilege	4040	msiexec.exe
Token: SeCreateTokenPrivilege	1808	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1808	msiexec.exe
Token: SeLockMemoryPrivilege	1808	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1808	msiexec.exe
Token: SeMachineAccountPrivilege	1808	msiexec.exe
Token: SeTcbPrivilege	1808	msiexec.exe
Token: SeSecurityPrivilege	1808	msiexec.exe
Token: SeTakeOwnershipPrivilege	1808	msiexec.exe
Token: SeLoadDriverPrivilege	1808	msiexec.exe
Token: SeSystemProfilePrivilege	1808	msiexec.exe
Token: SeSystemtimePrivilege	1808	msiexec.exe
Token: SeProfSingleProcessPrivilege	1808	msiexec.exe
Token: SeIncBasePriorityPrivilege	1808	msiexec.exe
Token: SeCreatePagefilePrivilege	1808	msiexec.exe
Token: SeCreatePermanentPrivilege	1808	msiexec.exe
Token: SeBackupPrivilege	1808	msiexec.exe
Token: SeRestorePrivilege	1808	msiexec.exe
Token: SeShutdownPrivilege	1808	msiexec.exe
Token: SeDebugPrivilege	1808	msiexec.exe
Token: SeAuditPrivilege	1808	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1808	msiexec.exe
Token: SeChangeNotifyPrivilege	1808	msiexec.exe
Token: SeRemoteShutdownPrivilege	1808	msiexec.exe
Token: SeUndockPrivilege	1808	msiexec.exe
Token: SeSyncAgentPrivilege	1808	msiexec.exe
Token: SeEnableDelegationPrivilege	1808	msiexec.exe
Token: SeManageVolumePrivilege	1808	msiexec.exe
Token: SeImpersonatePrivilege	1808	msiexec.exe
Token: SeCreateGlobalPrivilege	1808	msiexec.exe
Token: SeBackupPrivilege	2500	vssvc.exe
Token: SeRestorePrivilege	2500	vssvc.exe
Token: SeAuditPrivilege	2500	vssvc.exe
Token: SeBackupPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
1808	msiexec.exe
1808	msiexec.exe
4368	taskmgr.exe
4368	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4772	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 4092	4896	msedge.exe	83
PID 4896 wrote to memory of 4092	4896	msedge.exe	83
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1948	4896	msedge.exe	84
PID 4896 wrote to memory of 1580	4896	msedge.exe	85
PID 4896 wrote to memory of 1580	4896	msedge.exe	85
PID 4896 wrote to memory of 1628	4896	msedge.exe	86
PID 4896 wrote to memory of 1628	4896	msedge.exe	86
PID 4896 wrote to memory of 1628	4896	msedge.exe	86
PID 4896 wrote to memory of 1628	4896	msedge.exe	86
PID 4896 wrote to memory of 1628	4896	msedge.exe	86
PID 4896 wrote to memory of 1628	4896	msedge.exe	86
PID 4896 wrote to memory of 1628	4896	msedge.exe	86
PID 4896 wrote to memory of 1628	4896	msedge.exe	86
PID 4896 wrote to memory of 1628	4896	msedge.exe	86
PID 4896 wrote to memory of 1628	4896	msedge.exe	86
PID 4896 wrote to memory of 1628	4896	msedge.exe	86
PID 4896 wrote to memory of 1628	4896	msedge.exe	86
PID 4896 wrote to memory of 1628	4896	msedge.exe	86
PID 4896 wrote to memory of 1628	4896	msedge.exe	86
PID 4896 wrote to memory of 1628	4896	msedge.exe	86
PID 4896 wrote to memory of 1628	4896	msedge.exe	86
PID 4896 wrote to memory of 1628	4896	msedge.exe	86
PID 4896 wrote to memory of 1628	4896	msedge.exe	86
PID 4896 wrote to memory of 1628	4896	msedge.exe	86
PID 4896 wrote to memory of 1628	4896	msedge.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/12_8O2o_9tufEE5Dvup-uVXVdvSsp1JfE
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ff90a0446f8,0x7ff90a044708,0x7ff90a044718
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2292 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2116 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6620 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6632 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2248 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,7298661543221314977,11007646328601404434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:2668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4648

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1436

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp1_Windows-20240805T231625Z-001.zip\Windows\JJBotv3-1.2.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1808

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4040
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3416
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2F93B9C1D24E316950D62648E4186C89
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4368

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3924055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5a56cd.rbs

Filesize
54KB

MD5
1d92f6507699331e75d956b2f768f57f

SHA1
7aaef00d8ec0a379a1458745ae4ec41b4150cc4a

SHA256
9e7599b7d81eb7e4fb6cafb189a30a846bdc19588b6fc42fc2dae7423ee7270b

SHA512
1b73a2ed2562c5cc477af6809d57c8c7d0f176bc81e2f639dddc5d67bcbb7d083c51100f89b9897c8d521e57ce030af9bbb2a4f9581366233f891dcfcffa86b2

Download Submit
C:\Program Files\JJBotv3\JJBotv3.exe

Filesize
566KB

MD5
ccfc78420b2af4397bc801d6984cb233

SHA1
634b548812570b28eaf01ddd7dc5e8b1c778332f

SHA256
cf890ee78014d4d0c072bc7a7ac84c90f9d25eb837b70b892ef1be4c876214fe

SHA512
47b84cd94df6c31b9e6024eb13550bd98a377d073bb30b31e3d11f1e6007560a47c83e6dadbc16897a3f87512503fe52fdf30c50e96a4aefc1672e46fabc592b

Download Submit
C:\Program Files\JJBotv3\runtime\legal\java.desktop\COPYRIGHT

Filesize
35B

MD5
4586c3797f538d41b7b2e30e8afebbc9

SHA1
3419ebac878fa53a9f0ff1617045ddaafb43dce0

SHA256
7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018

SHA512
f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3

Download Submit
C:\Program Files\JJBotv3\runtime\legal\java.xml\LICENSE

Filesize
33B

MD5
16989bab922811e28b64ac30449a5d05

SHA1
51ab20e8c19ee570bf6c496ec7346b7cf17bd04a

SHA256
86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192

SHA512
86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
ac059f2ea0faa0872a653fe1e14d7fcf

SHA1
48b92febebcaa245ec45b5c89507f784c4b9e147

SHA256
842dfe408b43cf636cd441e8b7d92feec84887b4df5341d1f3f9f9344f96d71c

SHA512
97c96bd70baaca4b52eca215932a75e7226a77b53876f028f7e90cd02e82b9e73d55906e5f076e831998c9d8ed66736c0fc5f36b19e21e715a73ccd1f73a185f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ada0e0990b755e0df0c6c7913ef96cf5

SHA1
946fa56b352ee550c50777af2463f139979e609f

SHA256
f496f4c0c254b520c1968de7ce43a20933c6aa67577b812689b997f3c705c7ca

SHA512
73335a8dbd01eaf73ea9d78cff3b8425df89483da732e583769cb000a53cb3f64e6e18a37926fe71597ce8170513aa4902d95c723d9666f26fccf75bdc352d1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
086af84e1bb303ed52c0884ae2d27ccc

SHA1
f1fda99cc3a5ec5ac169a8c202626891d95ec0e1

SHA256
e2fb9097acefe0a849856646943f4a87e37ebefdb089e7f1f03a0a9c2629c9ee

SHA512
fc6251d5e29dbf46da7ca0ff080d7953dc4ef9459048665ce9c60d83cd8cfa5410e0191a7051acb46f124b335325c37ab3589c6b454feb2e6ee130f06a0089aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fde77540ee542fd777b479dc7d3d2c0c

SHA1
25294aa05c1e352e3a2aeed1e1181071e3723aa9

SHA256
d8b32f672d33e8c6e6c122eaeb7a46b70932db152a9d545aa8a173b936869108

SHA512
176e428dbb19afb323f93c70f318ceb700cfb707bbfdff914b478cfd974d896505c1cd0e05bc02ff0b30f7c24a8b21d48b50617deb9f9d5ae18de1f1bb5133af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
3336fee288fd2b97e60a9868da59dfe6

SHA1
099ca643e6ca394c40162a46c8f6d1d22b1b93e6

SHA256
44654f6def334413d1c34f5fe85b73d7f86d75b051b92cf6f16eaf6f4f2bb819

SHA512
6bae6c95a76689d27f7ab02bd62bff1b168a03d83131f6ef8f1df0cf282ef6a591306b6608b521bd2d4e8c7dcb2b37d4a43f8cfd820e58737c2461aaac43bd6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
85f810b493ef5d9561723ee6bc7926d8

SHA1
0f76ccfbfc123eed11e6a9a3f4727146700dcf5d

SHA256
6cf87f34e703c11d50ff2c1aac47065d33c90f53ce773930aff3402285540582

SHA512
f87d37c234689da42932e3727f53c93cf8e0c326fec2b13b8e9f3f6997f23ce86c451625f6ed41ed7ab85c4472c3017f715325e26721812996a6216323bc6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
90c76b5bb03788b81d5345d920f07b13

SHA1
bfda55d59f9130efb5a2b5ac8af889b73fe15428

SHA256
51c99cb91b444993fbc176af87b3cc16c0fe1954c0e59c6eb192382d07f14fc8

SHA512
23775256f41061361e2649133f960b799fec404c94d5e0f889a15f5a4edaf4ddfc4cc0017e8cd20d3dc72f2625f76329b9e382ebd6b7d3edb836b8594feb8887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
877b43c22e39a186ff9001823d948b35

SHA1
636821770f1a97dd377a7398a92a516e1d890850

SHA256
ecc3e08e5efe8edb0d08756bf43ac19a93349c80921b57e617891b3ddd8e6708

SHA512
27ef653bd995c6dd1b152eb4b379d225936b21341ed3a576d69231d80b8518857ec9f1ad4702a1e90bcabc1d8f6fed5377ec578abfeb9b45d052ab7cb98a76eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a4539e4d554f79b7040624901abe2150

SHA1
db342d9f46f90428600a98ada1f829538d2ea9c9

SHA256
55ead1f533ee337ec9403aae57af30e3fa52d2d0af63c3ddff96c68186be93af

SHA512
dce41193b6e2d204d3844567eacf3552c64945bb14ba9f00dc7e7f52f5b8846b13911a658fcf1d0abbab7996b642fbde5398da20f5045adefb3236b85e6a4f6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
3378590b45b1f7e440081f5c28ff911b

SHA1
f6441b773e28ac8a83285a6a175a5148428990d4

SHA256
30a020f3b35c74fadc5891993d4156e3be5a96bdc69a654ca073a135426fb9b8

SHA512
0a5b1ee830370cda6aea6a8f1106e8ed7c97ff48a7cc1769ddd32c8dc050e50d002a3b21812fab5932e3a96cd3553cc9a7b448aae158008963209cef2275f75f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
85a86afc4cbe26a28b20ce1f8aead2e5

SHA1
d97e2c0f466ea6956158286aa3f561bf8827a2e9

SHA256
000df77a2c31095f8d1be13e6190597141d22156e4401b7118b888f1ed7efacd

SHA512
a584213b0e3b521b94ca7a7a01bdb70164265bc0aadfe4e7e0f6f53d30692b1397b42de6bca43a411572aba4d27918b179d7e6fc8fa2c2b9eea178f23b6e92a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5f4ec95b22a4f86a5eef5da6f3228c3a

SHA1
b980c2ccc689b198d6c0aa4fb2b67dc0634be802

SHA256
d4a5bebff01f7cd4c8989d9905ef8b655c81cf7fce2144413dcc2b6fec330f6a

SHA512
fd52256b9c5537bc004ebb029caa558bc55f4f6094aaf967fe5985f9aae3f0402e90b92e7f23127d7ec13e740d5257ff36c7675d5b6611d21920ee0ce7dafadb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
563400a5a5e67ccdec5226bc46579185

SHA1
2afe1dca7125db07aa9e00c4c4744f2ede046dc6

SHA256
7d8aea658709fc9583f3d1dce29c8b5a863aaf066fc0e1305e5d240dfd02e01e

SHA512
4c2d6c8e3b6dffcbd949e106ec3b3fe37eb0bdce36af95fac241ef840c5ccd90ce6b0ea5555b6846fac69b51c4113206542508afcf51b4ccd564cf1c50b177fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
c1cf4c71a323df1b3e7a91a7fbdc26d9

SHA1
e5a27e653b99f5eff191fcb42ce2e19be97d8848

SHA256
cafbbb366883409eca0cad7deea71fa4827b43440b8bedb589d4f20293ad9d99

SHA512
25a985f3c174247fbe47cf34ce075ab6ee98c52f7c8a7c8df8cfba4109d59827ee34b358a74eb0df1ca54bdb36d0d4da0bcffbbf5fc62931c7193cb8dabf60b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
25d0bb412a0c338fcd1b0e8c4ca123fa

SHA1
15f1222e907ef0d7f2e776887e4a5a55140b3697

SHA256
7f285c8a4fd5c395814f447fb6fec636c30b25d286f722bdcb8ede42e083785c

SHA512
4e265b2a2d29dbbec1777e5dd96e6c6d7454e8e62fd2f2ab68f43f31441800c48f25264e702ae2207f4600c179750e976c062d8b6ecf7422fe6dff4e04db4596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d6f023cb6d86585ed8f177e6007a1043

SHA1
143a6da8239994adcb0eb583d596d4b273cfc6b9

SHA256
ab472421fd9348bfbdd1d88c4a36a4d76adb7e7a9afe7b4e1c655e60a6fe3fc8

SHA512
17d8cbd0e316edb39c46b0a2aa25c821cda1a8e5ded6127ae78d335c951f1885a0123f393a9cbc701031e409a207e868e7c62641a945f3847835e840ff0bb393

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dfb5465f7634830c109a08308d4e7906

SHA1
904287efe71976f761493ee258ec406d7827fbc1

SHA256
0b434651fc1c7788ff20964806695f5bdfe1fccb0ebaa4351d27d439d62d0258

SHA512
f3033d83025ab9baf1a0a1f1587750ba0d868aa3d8632a2071ee6c3a4190ea11db95f661091ea423b5426fe5809122f7216588ec93d20f798b6497371215e911

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b0ccb27145db4fda6b6e1dbdbd58cf9a

SHA1
79078a0a7cdffa5e4305de26593ec396ab0ec710

SHA256
90580bcf7e3b4c69af4049922ab8e7afa2a4b5e9671f320c1f11aaee3a65292c

SHA512
e588ae687d63a7a662d6d45ec338b54d12c5b8a2e0f78dceb64bfafc497ac432b1ccf608ea3239d6ed25a4e039ae746c3ca58463be8fe926892fba64cb68e508

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
1bfd23103604bba998a479965ecff6f8

SHA1
26ddd9af09a8236054c6d8dfdf727e9f765d53a1

SHA256
59a78c3304637ada4e7c74239c33b6d3348bbbe5e96abfba875ebe8032e267ee

SHA512
c45dcaa7cd2280c23388d1d3fd1a5c3bed32752d5c35448e3d36c8c9c4b9a87cf0cb8a8375ac20cf9131e4458c61b8c62f31f421f1c69cbdeadba5f304e0b2f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5d599c.TMP

Filesize
48B

MD5
83ee3b31f100a727a2e603f2452fa797

SHA1
d34bb6af7d002ec071d7f1c96e9db1231dcba76e

SHA256
734b5b4bceafad877efe9357ce2f788be970f800c8df06429f06a9f4498d6b46

SHA512
6dd679f1eae01025bf90077baa411ec61a553ba5eee465771c565b4e49aba1a4c45c2b4c6e11a3822dec6f7817109f25b9867af9c9db97ef510ec8515dc5919f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
86ef7f93723f96c96d4fd8e302f02d46

SHA1
440bc33242b3df6bf4fdab93b6f348df5f82460b

SHA256
e67c95670cbc0b8605f52d3e5b93e73b746b65f3d44c1786eefd99a3aefbf07e

SHA512
c55d7f7a55ee005687cbb246352411b65afbc87180d0c5c86047a2df05b8f40a2d3f18e1c4dfba3534f07e67e0c6c5cc73700eff90b0fb28e0c975e4ce22960e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f27d7fc4d9bebbf685db285ee4ecf41a

SHA1
fc259fe5300c3a108027fb7039343a5241ff71b3

SHA256
3c907a67f898c6d58e8554b9e80cae9c46d200003e6a36490d61bc5d61b5f534

SHA512
ec3b648109c34b1ffcc475c90bea4557cfe53e73605b7718d52fc76610d8b1d6d682411fa9d1e90a2b7e1b86e600954a495093b3e9c86295a3153a7c97af8613

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9f5ad0be0bc180a7af5cc08fa02d60f3

SHA1
15cacf035d73d68bd957dc903696fcdfa84b8c67

SHA256
bb66072cb6f7e8b87628b93dca875d8becc46408f50e5e054c2bf33241151088

SHA512
75e88d50d76132e40c605e93dfa15ee82fe32b859880d54a39073b28704e08f03dede95463ce1ef6a4a102128ccc7c8911c1dd4e6a92e6df2fcd600150d2d8af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ed79e850ce8f1ba12a23f581945fb59c

SHA1
4f5d2fdde6dd8b790ba8abb4f27088f9c437388d

SHA256
3cfc68f863889871cea11b8581b501a46a8ec7222127ccbc5e56ffcd5df96fd2

SHA512
abc5d58ffa540bc079f386dc53e79601bede556b26bc7f7e12d94575c12176f9878ddc5fb5290afefbebdcbee83bde7d43487364b45f771eb52d06f2d2f4b540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5fc2d3c6228243fb01cf3af915fa5234

SHA1
90d44b0c48fba20f49ad75696ed593279a2bb573

SHA256
b4b2a5d30d7e0ada4e469346780d823a209edadb028c78625c539922571dd4ad

SHA512
7b6347c8816ea57fded8c2627bebc64e9bbfbcc517e8cf48d8008bb790f426afd9b9bae08d99d818a616ef9e911917262eb165b943ee98cc44491de38e16fee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7fa4be5244ece1800fe39c9c8d617e2d

SHA1
a9601a5ad7341c6b1447a42009ee10a12d9018fc

SHA256
8c14f26212bbe691b208e4e47c31fdd4f789f32f6fdb871b2c4a61b2d69f8b66

SHA512
daf195778f96f202bdd436cc0dd42a831d4f806a37a4827d5c795c0ba64240df3b5b9cec65914734565be9fc4344b33f430a07de0aae9254c26f85d9a32c08c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7305a0b1769cdcb2dfb4d99cb3121fcd

SHA1
238bdf6259949d912af43b11fb1a70fbae799668

SHA256
8e3a32d19bc324c2732e249896518db5c1889fcec165a6fe42bf5edf951c9b75

SHA512
8213920f261cb0f80ce018dff6c7cfda210369327d4f73610fd391578ae1ede79bce36e4cf6938f5872fbdac811627307c089ea051f7626a6f399f63f6b09597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cca7b14b11856563e86cd576bf21e5c7

SHA1
3397cc26edcee6343752ba5963c2ce512db2c235

SHA256
89712fccead632cbe72e46d4b6b5a12119eca044572e5e07a82407eb2e7e8aa1

SHA512
d1c4bccbca18f0fd7ab9457fa5aa922ae212b9eb9fde0908166ac381a665c47f1e2f9ea430530d3b3388d49fa71573b3d30081e9bfd8dae0764a4b5c0db701b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
98c5ae52b147ed908ae1d186666ab69f

SHA1
d565d02f118c3c4b0094c51572b42992f21470b6

SHA256
988827befecf51d2f005f684826d2bfcc5723c42000b3fb4bc73bbdc4fbca9bd

SHA512
f65757bbfa7cf21ed6244b74e4cfb5b5e071e20f116221eac1a46fd10a14983bf4a915d93f0670f5b2ffb9b7f861a6d9d4d5f88526a8dd2daec395acb1b9128d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5a33c5a2625b70b792f53e032fc38159

SHA1
ad55bcd69de649eb6c60319603e41961cd0c5460

SHA256
987a78e8e6028cc524233614d12e21250835ec889481f376d5547f95aa66c31e

SHA512
2f4db5c0c03fb32d48f0128349018f5e778d69211c33e90f6c55049d10a0f96518df0296c522e06ebf61577c706f45bae87fdc06485b1569b2e3862d035e0f94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a3b1f74a5e9d2c469141419d45c44c90

SHA1
37adac7b948e26ecb3ac180201214740298c8a49

SHA256
4866a51d7f104871c68b627fb53f4c5e2298838a421ca380b5728a7d2c6d820c

SHA512
860389dd746226f66cb7253168ca99a3b2b7d9a99e7823fe1000685447c2515d9b9b02b821990b969b4b24fa32fd3b4636495205d4db443afaa18c7feb3f82e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fd9c778fd9dd3f682553e6902fabc624

SHA1
e97002315c3007737b8f71b936589e60f6bbaaaf

SHA256
2dd767bce5d337f03ef74f5b28a88fa007f8507b86af3cf164819bdee6d41e68

SHA512
b093b8fa987fee06adba498e6ccc168592cadd2e54d1f201973339d1775301e98aba2c8c757342263e96c08b1beda9369fb30021f0b1dad54909ef7b666fae20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58ab10.TMP

Filesize
1KB

MD5
4cc64640ca4f3d8943890e1f02fbfe16

SHA1
7a196542e8b0b339597f598bbba823f000171ab0

SHA256
917f52a61b75f665ae49fc510aab0a136d0de1a8da96e6c9bee9174948965c75

SHA512
f6468ae4f9eacf71c156ef8c2b6708c6409cdc2351332ef618e4675219afd92443a1fcd9b21561ea10c54cd3e495b239fca6573a36576da84d15048c54026ec3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6f7a2bf6bf288b43c63aa16170930e8f

SHA1
981319e439ba36fb95311e2be3ebfba2f53d7bc0

SHA256
508c52c4f15786e7f9d02b01253407f1559f88a64f012dae7bdcaf2d403259ca

SHA512
fe45c74f02af5283365a6a0d8eb2e85ae2f335c9d9ed1d057be6b220d1d639b01b37b192cc6dd952077f1cecea4e770364c7a369ebcec0cad969f1f6082e34b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
837089f2c445dbd8ed2ced6353f7b214

SHA1
a5d68be4572bfffdb56687586b1db1a8804ed244

SHA256
7c6c95b3b4eeaf9a4b1ac0eebecd25d57ee947a78f30f4ddac73df7ae5178143

SHA512
b02e5ccc528903fa4d606a33e5c17c255927187157e9b67fe8642751862917ca80d037e7d9da766391306970f489e8293e07f12fbc57275d77341acf9bf60ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5987711262ac4aa9e75b6fd1334a5a6f

SHA1
9398f5720589fb9bb8b0d6e9344e6904b1f1a97b

SHA256
c631938e297ecba8497cd762f8ce37f64274ba905d1a2525e8da6e25884c8840

SHA512
2b40718b8c003bd7180fd2234a189abea44b8bbcddb1801b7b5f22368d06ac0b6ab0c580a233b40e7600a8350e5e316f3a4f40269d8d337caf69fa23d916cdc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
64cb5c73019eacb05c9ca53d00e972ee

SHA1
908e0a27ee38b85e776878cce62826903eb17681

SHA256
e4d031f555cf63449b36caf955d89cc7dffeeb969a1020c8c4dedc9c3365d6aa

SHA512
242995769405702de97fed5cb538e80b4dc3e9d83b16ac3a3484d9967665665942c093fe4a6a84191c63aec1bb276a61722fe7dc86dcdd0fb27991e02aea0284

Download Submit
C:\Users\Admin\Downloads\Windows-20240805T231625Z-001.zip

Filesize
34.1MB

MD5
6497fd141cb795f4c7b62734985a2416

SHA1
637f16958af9ce45293071ac11ad89b94de35437

SHA256
e5b84b2bb51cff696416339673b7b9916f0fb33e500c882a9c827fc8761a834a

SHA512
9b4370d6cf260ae8d9c64c9e0e676049133588a2f462e7e33967753339c530deddc5fa62b83a6a9855c74f5f474e36aef69766c35ba9ff7895b54d5f751394db

Download Submit
C:\Windows\Installer\MSI5739.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\e5a56cc.msi

Filesize
34.7MB

MD5
a1b837172ef0f284c54d0f9238b6c6bc

SHA1
bc489940ab5cde8429914e6e86321e5fb9c0038d

SHA256
af86c253f2f1715e5b83543eb5c8162e2749b3380f6a5445583a971091ea24cb

SHA512
223f71fc235136bb14b4fb03cf2d8f4e70a54d7ae1376cf8b133249873722617cf9c04b2cdfe3217cbbcb45e3d05891a92bac45c2dc27d6158b3944873a5e4a3

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
b121f1b633341acf9514c594fb5824ad

SHA1
fad5950fa4f575fa38db647a146789bba95a8a5f

SHA256
528963358c5bfcb945594138141d152ec2d591533206252eff91d9d24f6d751e

SHA512
36063a408a27e1f854323d5864f21d3ba04eee5368fad302600b9e7ad77add4be334c087e298671e1deedd352cc8a16736e118ee592ec83f461d2956b1dbe64b

Download Submit
\??\Volume{f171a6e7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{34456a3c-e858-4d8e-9206-d5e06a0d0665}_OnDiskSnapshotProp

Filesize
6KB

MD5
e7b962bae3d4a4023c551098c82927a7

SHA1
c399df9986bac37d52935c25d9f2a239d15f72f6

SHA256
2c69a485ec0972e5c1fcb91c49466bd8e08245e481dfb2326bd2e494999a94f3

SHA512
5adbf0945461567dea9ebd8571ae818d049c3bc13beb69f986164e74f58c059429d06cd446456da61a50a8b59e93a8a1aa454714a6feee7e161363935472e1bc

Download Submit
memory/4368-701-0x00000241078D0000-0x00000241078D1000-memory.dmp

Filesize
4KB

Download
memory/4368-706-0x00000241078D0000-0x00000241078D1000-memory.dmp

Filesize
4KB

Download
memory/4368-707-0x00000241078D0000-0x00000241078D1000-memory.dmp

Filesize
4KB

Download
memory/4368-702-0x00000241078D0000-0x00000241078D1000-memory.dmp

Filesize
4KB

Download
memory/4368-697-0x00000241078D0000-0x00000241078D1000-memory.dmp

Filesize
4KB

Download
memory/4368-696-0x00000241078D0000-0x00000241078D1000-memory.dmp

Filesize
4KB

Download
memory/4368-695-0x00000241078D0000-0x00000241078D1000-memory.dmp

Filesize
4KB

Download
memory/4368-705-0x00000241078D0000-0x00000241078D1000-memory.dmp

Filesize
4KB

Download
memory/4368-704-0x00000241078D0000-0x00000241078D1000-memory.dmp

Filesize
4KB

Download
memory/4368-703-0x00000241078D0000-0x00000241078D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads