hxxps://www[.]yandex[.]com[.]tr/search/?text=bonzi+buddy+download&clid=2411726&lr=11508

Resubmissions

12-08-2024 19:12

240812-xwgb2svglq 10

12-08-2024 18:30

240812-w5r98stdkn 10

Analysis

max time kernel
278s
max time network
289s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-08-2024 19:12

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://www.yandex.com.tr/search/?text=bonzi+buddy+download&clid=2411726&lr=11508

Score

10^/10

discovery evasion persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	000 (1).exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	000 (1).exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
5160	000 (1).exe
5968	000 (1).exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	000 (1).exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	000 (1).exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	000 (1).exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	000 (1).exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	000 (1).exe
File opened (read-only)	\??\M:	000 (1).exe
File opened (read-only)	\??\W:	000 (1).exe
File opened (read-only)	\??\H:	000 (1).exe
File opened (read-only)	\??\I:	000 (1).exe
File opened (read-only)	\??\P:	000 (1).exe
File opened (read-only)	\??\Q:	000 (1).exe
File opened (read-only)	\??\R:	000 (1).exe
File opened (read-only)	\??\S:	000 (1).exe
File opened (read-only)	\??\T:	000 (1).exe
File opened (read-only)	\??\Y:	000 (1).exe
File opened (read-only)	\??\B:	000 (1).exe
File opened (read-only)	\??\E:	000 (1).exe
File opened (read-only)	\??\K:	000 (1).exe
File opened (read-only)	\??\N:	000 (1).exe
File opened (read-only)	\??\O:	000 (1).exe
File opened (read-only)	\??\U:	000 (1).exe
File opened (read-only)	\??\X:	000 (1).exe
File opened (read-only)	\??\A:	000 (1).exe
File opened (read-only)	\??\J:	000 (1).exe
File opened (read-only)	\??\Z:	000 (1).exe
File opened (read-only)	\??\G:	000 (1).exe
File opened (read-only)	\??\V:	000 (1).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
323	raw.githubusercontent.com
324	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	000 (1).exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\Wallpaper	000 (1).exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
948	taskkill.exe
116	taskkill.exe
5300	taskkill.exe
5284	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "198"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{28D995A3-F72D-429C-A0A7-153F03A5AFE8}	000 (1).exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{931B5D6E-C299-42DA-A8F4-9BF3C96CE6C9}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000 (1).exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 256946.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 922111.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4204	msedge.exe
4204	msedge.exe
4600	msedge.exe
4600	msedge.exe
2880	identity_helper.exe
2880	identity_helper.exe
1508	msedge.exe
1508	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
1412	msedge.exe
1412	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs

pid	Process
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5160	000 (1).exe
Token: SeCreatePagefilePrivilege	5160	000 (1).exe
Token: SeDebugPrivilege	948	taskkill.exe
Token: SeShutdownPrivilege	5160	000 (1).exe
Token: SeCreatePagefilePrivilege	5160	000 (1).exe
Token: SeDebugPrivilege	116	taskkill.exe
Token: SeDebugPrivilege	5300	taskkill.exe
Token: SeDebugPrivilege	5284	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3492	WMIC.exe
Token: SeSecurityPrivilege	3492	WMIC.exe
Token: SeTakeOwnershipPrivilege	3492	WMIC.exe
Token: SeLoadDriverPrivilege	3492	WMIC.exe
Token: SeSystemProfilePrivilege	3492	WMIC.exe
Token: SeSystemtimePrivilege	3492	WMIC.exe
Token: SeProfSingleProcessPrivilege	3492	WMIC.exe
Token: SeIncBasePriorityPrivilege	3492	WMIC.exe
Token: SeCreatePagefilePrivilege	3492	WMIC.exe
Token: SeBackupPrivilege	3492	WMIC.exe
Token: SeRestorePrivilege	3492	WMIC.exe
Token: SeShutdownPrivilege	3492	WMIC.exe
Token: SeDebugPrivilege	3492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3492	WMIC.exe
Token: SeRemoteShutdownPrivilege	3492	WMIC.exe
Token: SeUndockPrivilege	3492	WMIC.exe
Token: SeManageVolumePrivilege	3492	WMIC.exe
Token: 33	3492	WMIC.exe
Token: 34	3492	WMIC.exe
Token: 35	3492	WMIC.exe
Token: 36	3492	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3492	WMIC.exe
Token: SeSecurityPrivilege	3492	WMIC.exe
Token: SeTakeOwnershipPrivilege	3492	WMIC.exe
Token: SeLoadDriverPrivilege	3492	WMIC.exe
Token: SeSystemProfilePrivilege	3492	WMIC.exe
Token: SeSystemtimePrivilege	3492	WMIC.exe
Token: SeProfSingleProcessPrivilege	3492	WMIC.exe
Token: SeIncBasePriorityPrivilege	3492	WMIC.exe
Token: SeCreatePagefilePrivilege	3492	WMIC.exe
Token: SeBackupPrivilege	3492	WMIC.exe
Token: SeRestorePrivilege	3492	WMIC.exe
Token: SeShutdownPrivilege	3492	WMIC.exe
Token: SeDebugPrivilege	3492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3492	WMIC.exe
Token: SeRemoteShutdownPrivilege	3492	WMIC.exe
Token: SeUndockPrivilege	3492	WMIC.exe
Token: SeManageVolumePrivilege	3492	WMIC.exe
Token: 33	3492	WMIC.exe
Token: 34	3492	WMIC.exe
Token: 35	3492	WMIC.exe
Token: 36	3492	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5256	WMIC.exe
Token: SeSecurityPrivilege	5256	WMIC.exe
Token: SeTakeOwnershipPrivilege	5256	WMIC.exe
Token: SeLoadDriverPrivilege	5256	WMIC.exe
Token: SeSystemProfilePrivilege	5256	WMIC.exe
Token: SeSystemtimePrivilege	5256	WMIC.exe
Token: SeProfSingleProcessPrivilege	5256	WMIC.exe
Token: SeIncBasePriorityPrivilege	5256	WMIC.exe
Token: SeCreatePagefilePrivilege	5256	WMIC.exe
Token: SeBackupPrivilege	5256	WMIC.exe
Token: SeRestorePrivilege	5256	WMIC.exe
Token: SeShutdownPrivilege	5256	WMIC.exe
Token: SeDebugPrivilege	5256	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5256	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5456	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 1688	4600	msedge.exe	84
PID 4600 wrote to memory of 1688	4600	msedge.exe	84
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 3656	4600	msedge.exe	85
PID 4600 wrote to memory of 4204	4600	msedge.exe	86
PID 4600 wrote to memory of 4204	4600	msedge.exe	86
PID 4600 wrote to memory of 3064	4600	msedge.exe	87
PID 4600 wrote to memory of 3064	4600	msedge.exe	87
PID 4600 wrote to memory of 3064	4600	msedge.exe	87
PID 4600 wrote to memory of 3064	4600	msedge.exe	87
PID 4600 wrote to memory of 3064	4600	msedge.exe	87
PID 4600 wrote to memory of 3064	4600	msedge.exe	87
PID 4600 wrote to memory of 3064	4600	msedge.exe	87
PID 4600 wrote to memory of 3064	4600	msedge.exe	87
PID 4600 wrote to memory of 3064	4600	msedge.exe	87
PID 4600 wrote to memory of 3064	4600	msedge.exe	87
PID 4600 wrote to memory of 3064	4600	msedge.exe	87
PID 4600 wrote to memory of 3064	4600	msedge.exe	87
PID 4600 wrote to memory of 3064	4600	msedge.exe	87
PID 4600 wrote to memory of 3064	4600	msedge.exe	87
PID 4600 wrote to memory of 3064	4600	msedge.exe	87
PID 4600 wrote to memory of 3064	4600	msedge.exe	87
PID 4600 wrote to memory of 3064	4600	msedge.exe	87
PID 4600 wrote to memory of 3064	4600	msedge.exe	87
PID 4600 wrote to memory of 3064	4600	msedge.exe	87
PID 4600 wrote to memory of 3064	4600	msedge.exe	87

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	000 (1).exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.yandex.com.tr/search/?text=bonzi+buddy+download&clid=2411726&lr=11508
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffac8046f8,0x7fffac804708,0x7fffac804718
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6056 /prefetch:8
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5276 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1376 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7492 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2680 /prefetch:1
  2⤵
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7424 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:5704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1688 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2128 /prefetch:8
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6572 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1412
- C:\Users\Admin\Downloads\000 (1).exe
  "C:\Users\Admin\Downloads\000 (1).exe"
  2⤵
  - UAC bypass
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Modifies WinLogon
  - Sets desktop wallpaper using registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:5160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
    3⤵
    PID:5792
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:948
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:116
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im regedit.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5300
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im ProcessHacker.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5284
  - - C:\Windows\system32\net.exe
      net user Admin URNEXT
      4⤵
      PID:2692
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin URNEXT
        5⤵
        
        PID:5860
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic useraccount where name='Admin' set FullName='UR NEXT'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3492
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic useraccount where name='Admin' rename 'UR NEXT'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5256
  - - C:\Windows\system32\shutdown.exe
      shutdown /f /r /t 0
      4⤵
      PID:5324
- C:\Users\Admin\Downloads\000 (1).exe
  "C:\Users\Admin\Downloads\000 (1).exe"
  2⤵
  - Executes dropped EXE
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2051742250508264854,6184512742044020025,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2160 /prefetch:1
  2⤵
  PID:3280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4788

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x474
1⤵
PID:5600

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38db855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
20KB

MD5
af076fce47d859d009c16f2192bc94b3

SHA1
2f56c334cd6338b69a0f39c3edd6ea0a5b21bbd8

SHA256
d36457358687310d026665a3aca628637697a703adde698287a3ea25ed49497e

SHA512
d89b829f8292c2ce770b54c86eeeacb0f59e251134c17fba214649b132a10b99adf120b45b6c3c939b1846ada1626b683cabcd6313748c6fe62e1e72086f1a2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
63KB

MD5
67e59a06ec50dcd4aebe11bb4a7e99a5

SHA1
5d073dbe75e1a8b4ff9c3120df0084f373768dae

SHA256
14be8f816315d26d4bc7f78088d502eff79dee045f9e6b239493a707758107fe

SHA512
6364515e92ed455f837dcc021cc5d7bbab8eac2a61140de17ff6a67dfdbbd8fbdded5ce739d001a0ba555b6693dafdb6af83424d6643ff6efddc46d391b21d95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000033

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034

Filesize
67KB

MD5
a074f116c725add93a8a828fbdbbd56c

SHA1
88ca00a085140baeae0fd3072635afe3f841d88f

SHA256
4cdcda7d8363be5bc824064259780779e7c046d56399c8a191106f55ce2ed8a6

SHA512
43ed55cda35bde93fc93c408908ab126e512c45611a994d7f4e5c85d4f2d90d573066082cb7b8dffce6a24a1f96cd534586646719b214ac7874132163faa5f28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
41KB

MD5
a7ee007fb008c17e73216d0d69e254e8

SHA1
160d970e6a8271b0907c50268146a28b5918c05e

SHA256
414024b478738b35312a098bc7f911300b14396d34718f78886b5942d9afe346

SHA512
669bec67d3fc1932a921dd683e6acfdf462b9063e1726770bae8740d83503a799c2e30030f2aca7ec96df0bfd6d8b7f999f8296ee156533302161eb7c9747602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000037

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000038

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a

Filesize
1.2MB

MD5
9f8f80ca4d9435d66dd761fbb0753642

SHA1
5f187d02303fd9044b9e7c74e0c02fe8e6a646b7

SHA256
ab481b8b19b3336deda1b9ad4680cce4958152c9f9daa60c7bd8eb6786887359

SHA512
9c0de8e5bf16f096bf781189d813eeb52c3c8ec73fc791de10a8781e9942de06ed30ff5021ab7385c98686330049e3e610adc3e484e12ef807eec58607cfae63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003b

Filesize
43KB

MD5
209af4da7e0c3b2a6471a968ba1fc992

SHA1
2240c2da3eba4f30b0c3ef2205ce7848ecff9e3f

SHA256
ecc145203f1c562cae7b733a807e9333c51d75726905a3af898154f3cefc9403

SHA512
09201e377e80a3d03616ff394d836c85712f39b65a3138924d62a1f3ede3eac192f1345761c012b0045393c501d48b5a774aeda7ab5d687e1d7971440dc1fc35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003c

Filesize
73KB

MD5
cf604c923aae437f0acb62820b25d0fd

SHA1
84db753fe8494a397246ccd18b3bb47a6830bc98

SHA256
e2b4325bb9a706cbfba8f39cca5bde9dae935cbb1d6c8a562c62e740f2208ab4

SHA512
754219b05f2d81d11f0b54e5c7dd687bd82aa59a357a3074bca60fefd3a88102577db8ae60a11eb25cc9538af1da39d25fa6f38997bdc8184924d0c5920e89c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000040

Filesize
27KB

MD5
c3bd38af3c74a1efb0a240bf69a7c700

SHA1
7e4b80264179518c362bef5aa3d3a0eab00edccd

SHA256
1151160e75f88cbc8fe3ada9125cc2822abc1386c0eab7a1d5465cfd004522c8

SHA512
41a2852c8a38700cf4b38697f3a6cde3216c50b7ed23d80e16dea7f5700e074f08a52a10ba48d17111bb164c0a613732548fe65648658b52db882cacb87b9e8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
e4877d8659b414b2131d33c72f7bb2d9

SHA1
ee416f0315aa5c6946b15f6527a265aa11e02b31

SHA256
55dc194aca32398316fa31182ba2eff00055e2aa3d41790757a17587dfa1ba20

SHA512
1a67d4a67441db7b87ba3dd137af3bf3c83f3eadf401be9f8c0aca20d5840047fb03b1acd44c1e9ce484c823de2affaa9fa040fd513c971620776caf61fb9edc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
162e3c09bd59b994d1a086d88d330144

SHA1
d770a6e71c92c9ca6455c89d70ac0dd2ad6e0d26

SHA256
9ee543692adb60019053350851465faf8f1f7e03504e34a7f41dd61de450bf7d

SHA512
fa250661971b5eeb425ddfeee1faf56987ef7d1128c730161be5c34c935d2be9653c21f626c237bd6c19ec9781f55d909642baf8b10ad67e6e535d3b29d68199

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
990f65374783f5dd84c6c81ca653da5c

SHA1
d1e3edf89e2199bce763e607112c4808ff8bcfdb

SHA256
d570a9ae96eccb1c74c5658f6adb23282310c852b931348a9f20140b132649be

SHA512
cd5124dc78d76dda391d8508b37ee3a0db7878172c8c3ed5d8b4e64ea23dfdd2e9c5d1ae97fa9aa15634c44a09a06ed63f1e08a824f17521be3dd6513e0e0807

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
e870a6fc7cb96b2677f31c41b9e2e396

SHA1
971754782b43610d24d2dceb37ae9780e1c35080

SHA256
8068dcc0cdadfb359140043787f1c15d2ff2daba2432fa6479db466109814c27

SHA512
b4f7e7b41763cfb6092c584b5759ceb89419b8efe1758bb035a661938b4b10e39105abfc12dbe058b41a464bdc2b19f1c0940bf03e04110a28558eced4ef4b3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
a89cca30e0a46f8914d336c6c52ffddf

SHA1
0c1d50137a8f9b9c98b4daeec147b593affebd8d

SHA256
b5b94bcca190a05d4a36334e48449e215c25b3bb8a9093df164b3e7a41631daa

SHA512
f8c19f89ae6299310ff31fef6a5bf313b62e644957a256a113043b4bfafe705fcdd7f997a0295d38a921e8b8244a8ef286e13db7aa7969524a2cbc5e6b631c65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
2e4761e7923419967a5d2857f6c0beab

SHA1
7a037a962a2fb38f51b212b590fe0e796e9398c8

SHA256
18a2aac92e096b2e7d8743c40c148fcbafb177c91b6651745cfb5dc68f7e76a1

SHA512
a6a246cddec9b49c6a0f3ca16419814ef48eed1fc01397d07a9d79d9ad3bfb01a482cc93c23bbc79c658ba7e61a008aaa1b1fdb5f85afd5d5ab744d342299e13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
4b4f153e5b7147c7408377b3559f29b4

SHA1
209f0dc4fcd80c89c4c38ccac697d16cd3b641ea

SHA256
2575c5ae801334936a9d2c019ff9b9d6f226494ceeb156181864710cf670d574

SHA512
257556aee78c9756d5f104a0c69bd56b43925ce4a5372e8e5ba98b488804c315fee15a0c1ab3700245a1db01de33f8982ce32920c5af05f00f40593fab77fbfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1016c6313311e54d30f1035873636c83

SHA1
95fa8247b396da5953f3227b3be04da510f51d90

SHA256
a3089e966b986f4db5abafc9e56d57384102097449a755978c80497728bd0cca

SHA512
26b5b10d08d78c1f39763ca09d5977b2d27387c87212affe9df55738490dd7b6c77c6627fe6c63ae193aa3ec8bb3886ec575002e28ecf7d9c04defa52416d116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ab4c6dec6d6a52e8f15a0793462ce4c2

SHA1
906f182e543f0a600e4cf87937cafda5bdc76c32

SHA256
615e260794521d803f2eb1e5bc6b8ca6302fab31964657404cbfebf1621b9e43

SHA512
c55695be3ed7d1b689d52a770bd6cd73081bf84f94d3226d1693f9f3793de0bd27e75ea96d9ed9c224e3835f3fa16df994b58a2d1444338ffacd8c43c7228642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
fe8b234456f2ebde9a236f7db7d53125

SHA1
2e7ae6b1768f741a592c0f1c78c2011c410064f2

SHA256
73805faac654631c53843b07e95efbcd5b2edcc75b7dbcc79a8dc3832728cad6

SHA512
51264f7a25cb680898c27d67be863692af4b12cfebc258fe60eb61fc6fb31a94cb719c374a86822e9d9d8b0e7a68deec8688645ee30cc0581157b2f6ade1fc2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
aa1ffbca7af102273f0cede384f56d52

SHA1
35f08282e2470dcb9f6c4fd44d44227937469f1d

SHA256
32725f95ed74d3671d1193e51db42b084603d74b5a6d70213dad4f7db4d12155

SHA512
65f30c85aa53c139aaf9815a7611ad8656fa252f1419067046a73fa930e9e8652b8ef8637ae86b0f12784ef8dec6529df2c3c20f447dd3f6b9552b5f940822c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
25b1b843a6f5430068e6e3c2ae8ec3ef

SHA1
eb15465a41fbce58deacc09c337206f5adc036e3

SHA256
046225f8f8e83480e8f274d9f784b47fcd90816f6eed8ff924e942b28eb1ba0b

SHA512
d139d6765b89fb7bba4c0f9748cbd168d8ec7fab83e268cb5eca8a82a13aeaed0c6661a384b4740dbf2f33fe17478f408107b4dcce04d0ce2d4cc67bfe638281

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
61cab7cb10266d479d42ccd02d52025b

SHA1
481747fd0783efbccc126b7d127c935f6f1682fd

SHA256
c9ea8a83cfafcf038295d8ab5e51c72fc17a576fb9c12d67fa60b313b420bb35

SHA512
9882774f5b28573c70518242d794868ceedb5d55d6051893e607235672f342650df3aa78a3f53332551cc96da2f59fa998dee93af5469cb4d595cd0a903de11a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
6c870f496a2ad57d9a19e1510832418d

SHA1
b3cc0b5924889a517a9bb44b826643eb5af1c5bd

SHA256
e2d61716829d5a15a6b17c17240a9acf1d66816a9b7f6807358065f517855458

SHA512
ef606d2e4c5f16e19cdc8f96074bae6ffb50ea89b9b90652fbf8c0ad2bc21633aa73cac0ac0c7ba3f608c97a3d4207e607784ffa47aa9987f2a651da005ff3cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9f6f7584872301d01ab1893a36da55fa

SHA1
d429332bfd01d1a71e26498f32ed10b538429b7e

SHA256
d8fd3328908711c90c7bc10cd97894a418a1337829871c5eeb160afe25438b53

SHA512
843bea8de2f210973131334849262d24b344fea66b0426a71f954f9cacd17134e4afb6205ac734b2fc31655bd82406e557d9eea9f8121957a1e58781f29a68ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0a64661114e7190ddd13aae9b087e8ed

SHA1
19a51d78ef67e9cdf55ca2f014787ab478a4aa3e

SHA256
a8a91941b3d82d78957e8b1da9b5c2f1e3476de4ea781cc18bf08f6b7fdcdee0

SHA512
e3fc4886eb3246cb81ae2b17703862c2420f89eb24cd0a88dd04596d50418c9fa500acb72ea9db8f2d69ed2b5c2c59b680dbe5b068715829a4ce114a3711cc36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
ed07330467dedcd3f0d2de8c1ec023be

SHA1
36e7bc1810c33103c6fce77228db8a112e946f00

SHA256
a09c1495c48bccead583da4cfed0a0367e5073158418cec3d633d95af38f5dc1

SHA512
49805e17611f4faa66922e619b38fe4f479a46e19ff6077c3abb5afec536bb43c3aa6c8ed9b99ca6f5e61333f7f85819e43c53f360bda4026090342c5d46b603

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
8ef47d5904cb46f71913f6a2fa48a44e

SHA1
481fcdd42880166ba4175c86d471b23eeaa39bc7

SHA256
6bff472572be4b2ff4e1447cb7b33ab9b49154921933733427611a8559138b31

SHA512
f70d2e30c6102a9dc72f3d8528a42ba6a9ead15f5878f359d06d14f63d31fc1ae1fa55c48d2d740c23faaf877b4071a5cc7d52f443a0ceda3868570631c500d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e4023f6393ba0399558508786ff15f4f

SHA1
1a6a32f5e29b11793bfcbdc8a701cfe0953a24df

SHA256
867dab6381a935f9083c18975182358437d5e5b357f6b6195e8e2a61fdb1e2d8

SHA512
684e11757af66cdfb8ff4ed431cd73e439dac278dbcfa66a39c27ec2279dd090bffa267998b38f8c3f712759adb9cbbbe6d60ea385a5024359379d51e7411490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d8ce354bde0c79b7abeb533873e3daf2

SHA1
7a89078375bff1b44d4c74c1bb8dae8dea5c27ed

SHA256
50340e1d1f73085f6b5d504e38c6cb7b733cfbf67aee93a1a69993172c1e0c51

SHA512
bd223ac0b77e783ec272fcd2c895fe8562ed3ac6d3d740e18b276d963d9db1cb0707e2ad2a47856d57e5fc98638539e690c9b9f09cc3fc022668e05e0e1444bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a095a221a9d050be410a709838b20a82

SHA1
7ca15501fb3646534fe5145ae8544a9d462f97b9

SHA256
bbe02d1c1abc71cd32f971d7f28da35e3155b0fa669a8d229a6335634d71f362

SHA512
a542bf377e22117db61679eeeeb71831972e3e817901a7541e7d261c91c2507989a5900cce20e5233b7ec28785bc5ad411bac8255c942286facf2e0468246a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1ba0883bc4d0cc834c690f62adf7e979

SHA1
2d979834da2413b59cdd1e6461df855c6b436be7

SHA256
dbc7fa0db3f25f983c025aaa7abd4e1f05025d1f78bac0f9dfe2804c551e45b0

SHA512
acdd33b9dd9ec1d5ecb28b40a603cd3bac4beb7b7a8b43be8c24ba7d3a6b3f9ebbb28c46886149361a5f4cb7006b761957015643b7816a344b7444345a3a6a63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
ae43e6e854665216a3ecc20e7b836b9e

SHA1
4a1f007c350c823c7252f0b2f777acf7f1b5b2b2

SHA256
2da84f4c2271a573108bafd83ac962ffc259ae145510a0cc7b46cb36cfe9d698

SHA512
5aef6ca117011d75a908bb6cc400a9c392599c29f060a7e6a5e45ad3ab221ace562cdbd8b936303cafdc47fc746df781e18d0529b7ca8360f8c78f2664e0e8fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
ed7720f158034e433ca32a1a5bc56c93

SHA1
101673fb49316848d7f1cef885760b10a3d29481

SHA256
9fc761066791651d3d6f485858a20f62567d23d74831ab18305951b16148e4c8

SHA512
69a979cb985fa799b3a22baa06cfe4fc07f222e5c4beea09b6df7c977710b6fea0d874c5fc29bb2b15f45ea05080f803e13b11634b2dde898ca155a5419b0976

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
fa3fed3c2bbe7700148bb59902a49cc0

SHA1
a7ea42386bb2608ce7c7848d3146c7b1aaa280f7

SHA256
09f5b2a492950cefc60867aec074f23c25d64f245c7fdb1cd07f4af2ce3aa8c5

SHA512
7891b46dc5a030b7d174ac0c01afa8b4290dae6590dd8d1fc14cb0add910846e89860d000ef0163b8b01a8fcec61abf8d0a27f52ae00d5b7ee73cdbbbfcd2325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8c54c375efbe09799afae78b410b1e46

SHA1
52763202db38017e46f18f53ff8c02d126ccb105

SHA256
2170b1a4b46fded7312d94fd6bf2837a6fbd1997d57925c9907437484d8314bd

SHA512
b8489155aabab27881b9b0a8b52294f246feedbbf9cf716abd828b2aad861a8da4ba0abf996564815fc0763d4195093bfdc31fdbc76ddede84c9919d9c37c440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5ddeb5f0227961950ac832c1b3e9283f

SHA1
6cc484c7c4029003ed1116b48e3472e84c30b39f

SHA256
ce6f330109d9f9fa487af6e61ed594b41b3d7ee805ea6aaa47feb2081d433fa6

SHA512
3ea9f37fcfe79848b5ee6aa8c77d85d07caa286bb981f54939075402886ac97351edbea5250abc989f88fb06d5fe9c7a0769fe89c617d6fffd4e5043d82b36a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e608c63dbbcc55613dc8ba759b72611f

SHA1
2deffe4afc63ba16ec885a1cd9522c8fae86a3c5

SHA256
653fd6368b6aa4de4ad4d349001a0e3c60c3c0d08e90cfe8e0fc451294eb666b

SHA512
c8d6e82dedaed463420bb561b1721faa53a6eb7ccda5f1ce10605121e8487eada7cdd0d66c4ca8a4173fd79b3d746e539e4977534ecc2503cda599b4d2516bd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
57076516028749d6c9e87e62d298470c

SHA1
1d8f6e76afd47ad14d4fab610a2d6d7cce660c91

SHA256
3bb3f7849c07f4ce2b1d26a9441cbe68e82c12ebde865e437e9db872c66d4b81

SHA512
ead81db2e24c562b44cab0ed227e289d83e851f43b72ca0d9b14f0abbc672433008cf62e026794d38fef1cdf1a806716600a07c55881b816ff16fe17e04841da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
28b277fa4345eb0a4b527e4db970aa55

SHA1
1f9eb762f4e7317363a23da95e3363e032b6fdff

SHA256
8d5a0f80f7ff3a9fc568d2b18e4391d42d0daa06357267bf30726120153a3238

SHA512
7bacb8ca86367b410ccb0afc08d1a05e348c85445730fc44917d9ae3eb1dbd1f7e8509d302f15e0507b776b5719950b3e82a373934b66676a3a4d81871b473a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580fda.TMP

Filesize
704B

MD5
323cc05b1fb8bad654684eede4162c8c

SHA1
95d82ba190b0b45d37129589ee6efa01824a8407

SHA256
8dcdc63090dad47c740b81c839a99bd4998f5267c0ac32af7d5c0853517f786b

SHA512
c47798b9d46e782dc88a1d9bf63e50644c23b099778fdc52107b77f3b499bc97e001de4ed6146bf5313e35076b8d4f5b392bb808fd051194ae1627e4fad80e63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7f02fb1d7de0fa1d542dde91b45f6dc4

SHA1
a2e25eadf01041b9bbf10bcc6c34580ac9ca6f4d

SHA256
286f43183afb09b6ef75a676a032397d93efadf82abc3ca6f7f3d23b221b152c

SHA512
6a3ff77c5bc48aebea8ef875edec0a6df92e425caa37ee5d85afed807c45cd25fa8ae535f6dfa398e66c6a65352058a76ce245b23a09d380529d3ccf92320635

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
fd76b036040c023e7f78da8b4ab15466

SHA1
2b4ba0b86bc7caf90492167e6b603c2ea249c381

SHA256
e074748a239cb5bbaf13cfccd40ed65f1af04641763830fa50cb8063614e0367

SHA512
9338d25eee2fc2c45c8ea992d90106ed80a335d0beb59af47a74d15cb56086e284b8dd9ff3c3668227e3d87e104a7fd500a1068e8415702e2e03704f60c05ba5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
75db9af14c1fe2ee923ced02ca2d8f92

SHA1
8225f5af6e45dd001bda8a0ef7a85f7e6ab15ddd

SHA256
79189864b519c29f9c61e40ab5b1a5f794134ecb2a50a48f874ebad5adb8a5d4

SHA512
d913c448f811f0f973d1affa0880626756c6e67ee00849d76adcc5868dc0587f8124a9d82a45acb56df9c253478b7b03e44fe1d6154df7782924942d0ebb3c6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1979cbecef0547cd67a021948ef80b06

SHA1
947b05842956ca054285fa1ac30ccae44df87b73

SHA256
1c9c101acc7f6c94974a5df0182d6a9ec6733f3474418d07f05fa7d1326ce690

SHA512
36ac6283f75a5981e82547777c98da1af89f5332fe681d2dca493847213d8980db88de3f10c223d795700889c253caa88261394c5e4d95b2d92e6a73709ee069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
26360da18d94619853096b4caaab94ee

SHA1
8451da86939c2c9c3e01029a4ffb133ab74092e5

SHA256
c2605672a80089943a8831ac2a13005936fcdb614cf95c0f99ca3ede2a7d2228

SHA512
02b1da6bc69f50a111abe6362adf752f85b1ce83d1e10a6fd43fa0a0661df5534f9744bf0b988a2da04d658a1204eb6fb6bdb006d830f50822d9408dc922edf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
605701a9212655836fa5d17b3c3acfa6

SHA1
522579be7bc06a38b2305c9f45a8b74f80fd34d0

SHA256
5b87b95bed6d7ac81b4e3927c41fb5d0e5cf0df7a4098e2c602395a5ecb8726a

SHA512
e5d8fb9a7c459eda9c9437e8ce7bbe67bede58184b15aced0aecb04e84586a3de1cb5e89454a0c8e0beab254f6c61a97b5c6782466b46c15e26cee472830f7f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf

Filesize
400B

MD5
5e163b1f0c2e5bc318b58d39fd34acce

SHA1
af9309ded2d9ba50e51c83c791ac6aa6ced07fc8

SHA256
ef2fd3a239aa65c7c9cb204e5ae003ddd6a80d439c59f813e76d4e68987a259a

SHA512
5da736740a1259a8e481aa4e6809f080ee18153767ccaab985017e695cc2a355c2c9e309e7d774fd3a2901d801627af1eedd6928373badc4d14ca67baea64369

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe

Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\text.txt

Filesize
394B

MD5
b35ffe3dc03de62e10b5dc3f5fa5e77c

SHA1
775254045145cd3a0097fbfc7b069a62beee134d

SHA256
f5f56b42be58680d2f666321e3c1d1d16e6b41406250e5226dfa723faef797cd

SHA512
79d8f79e879f8c603d88aa34844d7f857668d9da8bcf8ededba8dd4f745b2ed5bf20e9ded70ac268119a68e524e12e23023edc451a576e4f22fcfac0f1b79ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
720B

MD5
b73032c7921e596509a179f1e0780029

SHA1
f155b7685b9e5b63fefab9ca0958772fa81876ce

SHA256
b18604254c223c6b3b56b10bcf3caf9b07ac967d6c0626a5ae8472ec44cf8bd4

SHA512
90ba246ef548036d6c8894891987658456e3bd85e2fe79bb2940e2d93ed74d512263670ef6af098181ee724dfda5192c659b8af4bbb4c36a27c3d135f6bfba12

Download Submit
C:\Users\Admin\Downloads\AxInterop.WMPLib.dll

Filesize
52KB

MD5
16dd12483e8a85de0bbd31b0c7d50660

SHA1
e879cc25fdd4e11a74e973b33df644e602728650

SHA256
910e370790c67a0882e352134744fce3d6fd990208a6332a6aef28cb88198491

SHA512
148955c6bdf8fa39a2ffe1fda36a444163e57dc8f95d4a16dd02822d7bf9ad878d74bcf9f7b80856af5e8a71ccaff2f4e32be556e70e7d0863f96ae5d1834cdc

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 922111.crdownload

Filesize
6.7MB

MD5
27f84a42d581880d149185494ab621e1

SHA1
2fe06b762ea303d0824b15d02aff68a321128095

SHA256
5eed2b5832483191e67f2ffbdcf349a6256039a8a7f934fb6bb9188873f8a73b

SHA512
9896bed08127c0d30a38b7cf0a039161b26e64bc16d33357a46c890f14c0214d6b1a78999c5da5a4b1a070edc1fb49fa3017f092b1ddd6c1e5e7920f5de305cd

Download Submit
memory/5160-1664-0x000001FE39AA0000-0x000001FE39AF8000-memory.dmp

Filesize
352KB

Download
memory/5160-1662-0x000001FE39A20000-0x000001FE39A34000-memory.dmp

Filesize
80KB

Download
memory/5160-1658-0x000001FE1EE40000-0x000001FE1F4F0000-memory.dmp

Filesize
6.7MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads