hxxps://ptoszek[.]pioterontop[.]rf[.]gd

Resubmissions

02/09/2024, 14:56

240902-sbf4bstejb 3

02/09/2024, 14:52

240902-r8xlxasfmp 6

02/09/2024, 14:47

240902-r6chystdjg 6

02/09/2024, 14:46

240902-r5b6sssepj 6

Analysis

max time kernel
55s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 14:56

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://ptoszek.pioterontop.rf.gd

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "200"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3704	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2704	msedge.exe
2704	msedge.exe
1420	msedge.exe
1420	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
7988	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 1508	1420	msedge.exe	83
PID 1420 wrote to memory of 1508	1420	msedge.exe	83
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 1116	1420	msedge.exe	84
PID 1420 wrote to memory of 2704	1420	msedge.exe	85
PID 1420 wrote to memory of 2704	1420	msedge.exe	85
PID 1420 wrote to memory of 5092	1420	msedge.exe	86
PID 1420 wrote to memory of 5092	1420	msedge.exe	86
PID 1420 wrote to memory of 5092	1420	msedge.exe	86
PID 1420 wrote to memory of 5092	1420	msedge.exe	86
PID 1420 wrote to memory of 5092	1420	msedge.exe	86
PID 1420 wrote to memory of 5092	1420	msedge.exe	86
PID 1420 wrote to memory of 5092	1420	msedge.exe	86
PID 1420 wrote to memory of 5092	1420	msedge.exe	86
PID 1420 wrote to memory of 5092	1420	msedge.exe	86
PID 1420 wrote to memory of 5092	1420	msedge.exe	86
PID 1420 wrote to memory of 5092	1420	msedge.exe	86
PID 1420 wrote to memory of 5092	1420	msedge.exe	86
PID 1420 wrote to memory of 5092	1420	msedge.exe	86
PID 1420 wrote to memory of 5092	1420	msedge.exe	86
PID 1420 wrote to memory of 5092	1420	msedge.exe	86
PID 1420 wrote to memory of 5092	1420	msedge.exe	86
PID 1420 wrote to memory of 5092	1420	msedge.exe	86
PID 1420 wrote to memory of 5092	1420	msedge.exe	86
PID 1420 wrote to memory of 5092	1420	msedge.exe	86
PID 1420 wrote to memory of 5092	1420	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ptoszek.pioterontop.rf.gd
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfad146f8,0x7ffdfad14708,0x7ffdfad14718
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,13942665848213031644,2557625901461758843,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,13942665848213031644,2557625901461758843,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2560 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,13942665848213031644,2557625901461758843,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13942665848213031644,2557625901461758843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13942665848213031644,2557625901461758843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13942665848213031644,2557625901461758843,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13942665848213031644,2557625901461758843,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:1000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4244

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4768

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\bat.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\bat.bat" "
1⤵
PID:4760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4920
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3764
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3740
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3316
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4640
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3340
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1628
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3056
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1708
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4752
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1444
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1880
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4232
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4444
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2764
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1944
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2500
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2016
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2308
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3704
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:432
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2728
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1984
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1716
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5140
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5148
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5160
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5184
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5208
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5244
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5264
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5712
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5956
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5964
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5984
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6008
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6020
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6060
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6068
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6076
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6104
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6132
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1712
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2400
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5256
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5284
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5304
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5328
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2280
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6032
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6160
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6172
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6180
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6212
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6236
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6256
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6288
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6324
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6352
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6376
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6404
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6428
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6448
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6480
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6504
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6528
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6568
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6596
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6620
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6680
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6704
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6740
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:6776
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:7356

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa391a855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:7988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
4c1ca2049df7951170152c207ee6e872

SHA1
deae3a021f7ead940a7ce3115b98dde23e60c1fe

SHA256
599eac48041f8f97157a5d3b4cd3e778023ec17560a0a3501330a8aa4fae398e

SHA512
7254cb737fa181682a5463b322cba3fc433372aa33e34f110775ac93413b57a66b50cb44b982da76cf9bfda904bd11994a23d1ba43b37db9459a3e9045a5c95e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4717d903c92501535ffd42205804419d

SHA1
fb2eb7935ff1499615a6f21fa5e106c880a6b4e8

SHA256
fbdbc1c94dfe0648c990770062feca365341f65f4e33bb28a640f861f0a1bbde

SHA512
95669f8f0fe68072af78a5088d0f0796f3b09f6c1d2bfb5a220b0661544de562f1f8927db1a74eb9c6250e91b88b168f49a16d4fa951a04b2ec016f35fe0288d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
335c9808a6657f796f3908c422cd3506

SHA1
fe9f6c0b4960e1be8d595a01f9898d08e314d094

SHA256
2895a0507fe288702e45086f27133c1e1f94ab4cbbc705e35c68456b48cdca2c

SHA512
75a4af031731d621e4f45df1a58e827bb2942a24c065e1ce4dd079b5eca42ca85193c14617872702f510b907bace4a08c894c542abc826df6c602c7992629f0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d1c0462d651212929cd02ff032c55385

SHA1
bf47fabdd90dae725e5e4a0a4cfb37a24a2cd9f0

SHA256
692f859f6adbcf098fb3cb491309bf22cfca4a8e10067c1994d9d0d953c0847e

SHA512
c45641ed52784c109d046ba3262f0f0b062717b2c9ce28c5ce60edbd6f8b8505124a1800875c28b06d6c145b8d64c282559dc2dac7229709b74ab1eeb8dc960f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3536e7394ac78da9787514143872e93f

SHA1
dfaba173a7b37dbdcd1c118ebc5900e91448648d

SHA256
9589d2b8e8df37daf854e7b61ea9b15226617bdd9d2809d00d418ffc040dcb0b

SHA512
43fb8592459d026e56b0066ee22d35b54df6d9439d5e78a984b69b0ef54b48ff2d8bbc7178a67bf75ea544732a9bfd41ca6f2c9abba9055a027252b3aef2a0ca

Download Submit
C:\Users\Admin\Desktop\bat.bat

Filesize
8B

MD5
3a8cca39e439efb7cbd606d46fd8e258

SHA1
445f4863cd3bf533fa74b5d3dc2d60dc84cda75e

SHA256
6b3b864ffd9a54b9778688ba39ab13c6f7b5ba4b8f8c9073bfb68d8df3ee3b4b

SHA512
aeb060f92165fdb8cca86d7a0eb73c045b3fe7fb8af9d9408e273e64c5a1ceb171884cff178219e7105204acf7ab1accc551a245604505939836b8e68cdbd6d4

Download Submit
C:\Users\Admin\Desktop\bat.bat

Filesize
31B

MD5
3028a7bb0cae12689cbc6d6001c34166

SHA1
917f3f0955e24e578ea2c069961d1bf4186c81f5

SHA256
1b35b6a8770078e8c67b722d1e2cbbecba6abc859e6f097e526757a10e4324a6

SHA512
c7cfb845c0c32da86f59cbff88e7253a76ed934864535dbea68406bcd248259f713d65684638100c17e2a86f1123dfee2eeab960646ccbaf11301fca6ea9c625

Download Submit