cryptolocker | hxxps://loot-link[.]com/s?fJjn&r=aHR0cHM6Ly9nYXRld2F5LnBsYXRvYm9vc3QuY29tL2EvOD9pZD1iMDdkMjZlMzU5MjhiNjk3MWMwMjY4NjZmZWZlYjlkNGI1Yjc0ZWRmMzNjM2Q1YTQ3NTA1OTdhYzAzNDdkMGVhJnRrPWoxOGQ%3D

Analysis

max time kernel
214s
max time network
215s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
23-09-2024 21:28

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://loot-link.com/s?fJjn&r=aHR0cHM6Ly9nYXRld2F5LnBsYXRvYm9vc3QuY29tL2EvOD9pZD1iMDdkMjZlMzU5MjhiNjk3MWMwMjY4NjZmZWZlYjlkNGI1Yjc0ZWRmMzNjM2Q1YTQ3NTA1OTdhYzAzNDdkMGVhJnRrPWoxOGQ%3D

Score

10^/10

cryptolocker dharma bootkit credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (570) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus (7).exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus (7).exe	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus (7).exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe

Executes dropped EXE 20 IoCs

pid	Process
4908	CoronaVirus (7).exe
6920	msedge.exe
1100	msedge.exe
11824	msedge.exe
4388	msedge.exe
26728	msedge.exe
27960	msedge.exe
9300	msedge.exe
11416	CryptoLocker (1).exe
13408	{34184A33-0407-212E-3320-09040709E2C2}.exe
17912	{34184A33-0407-212E-3320-09040709E2C2}.exe
14848	msedge.exe
26844	msedge.exe
10744	msedge.exe
16604	Krotten.exe
14092	msedge.exe
14788	msedge.exe
16836	msedge.exe
6188	PowerPoint.exe
6232	sys3.exe

Loads dropped DLL 13 IoCs

pid	Process
6920	msedge.exe
1100	msedge.exe
11824	msedge.exe
4388	msedge.exe
26728	msedge.exe
27960	msedge.exe
9300	msedge.exe
14848	msedge.exe
26844	msedge.exe
10744	msedge.exe
14092	msedge.exe
14788	msedge.exe
16836	msedge.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus (7).exe = "C:\\Windows\\System32\\CoronaVirus (7).exe"	CoronaVirus (7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus (7).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus (7).exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"	Krotten.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus (7).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus (7).exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-131918955-2378418313-883382443-1000\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-131918955-2378418313-883382443-1000\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus (7).exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus (7).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
74	raw.githubusercontent.com
5	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü. Â îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû."	Krotten.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	PowerPoint.exe
File opened for modification	\??\PHYSICALDRIVE0	sys3.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus (7).exe	CoronaVirus (7).exe
File created	C:\Windows\System32\Info.hta	CoronaVirus (7).exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7ES.dub	CoronaVirus (7).exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\lt_get.svg.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-string-l1-1-0.dll	CoronaVirus (7).exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\SpreadsheetCompare_col.hxt.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.tree.dat	CoronaVirus (7).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\ui-strings.js	CoronaVirus (7).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationFramework.resources.dll	CoronaVirus (7).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\main-selector.css.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png	CoronaVirus (7).exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-pl.xrm-ms.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\km.pak.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Design.dll.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateAppIcon.targetsize-48.png	CoronaVirus (7).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-200_contrast-black.png	CoronaVirus (7).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil_2x.png	CoronaVirus (7).exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	CoronaVirus (7).exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\vcruntime140.dll.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ul-oob.xrm-ms	CoronaVirus (7).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-ppd.xrm-ms	CoronaVirus (7).exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man	CoronaVirus (7).exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-timezone-l1-1-0.dll.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL078.XML.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XDocument.dll	CoronaVirus (7).exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-focus_32.svg.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\it-it\ui-strings.js.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\ja-JP\PAD.Console.Host.resources.dll	CoronaVirus (7).exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat	CoronaVirus (7).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_MAKC2R-ppd.xrm-ms.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ru-ru\ui-strings.js	CoronaVirus (7).exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DocumentCard\DocumentCardPreview.styles.js	CoronaVirus (7).exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Shared.v11.1.dll.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_bs.dll.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\contrast-black\MicrosoftSolitaireAppList.targetsize-20_altform-unplated_contrast-black.png	CoronaVirus (7).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-white\GetHelpAppList.targetsize-72_altform-lightunplated_contrast-white.png	CoronaVirus (7).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-black\PowerAutomateSquare71x71Logo.scale-200.png	CoronaVirus (7).exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Dark.pdf.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\license.txt.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.json.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ppd.xrm-ms	CoronaVirus (7).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\System.Web.Mvc.dll.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ppd.xrm-ms.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_altform-unplated_contrast-white.png	CoronaVirus (7).exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeMediumTile.scale-400.png	CoronaVirus (7).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-32_contrast-white.png	CoronaVirus (7).exe
File created	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART14.BDR.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_en-GB.dll	CoronaVirus (7).exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	CoronaVirus (7).exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Numerics.dll.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_LargeTile.scale-125.png	CoronaVirus (7).exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\example_icons2x.png.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DcfMsoWrapper.dll.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libstereo_widen_plugin.dll.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	CoronaVirus (7).exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.targetsize-96.png	CoronaVirus (7).exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win8.css.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-bridge-office.xrm-ms.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ul-oob.xrm-ms.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-crt-multibyte-l1-1-0.dll.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageWideTile.scale-200_contrast-white.png	CoronaVirus (7).exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NameResolution.dll.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\ui-strings.js.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\uk-ua\ui-strings.js.id-58F893D8.[[email protected]].ncov	CoronaVirus (7).exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Web	Krotten.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus (7).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CryptoLocker (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Krotten.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\PowerPoint.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus (7).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Krotten.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerPoint.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
25364	vssadmin.exe
23788	vssadmin.exe

Modifies Control Panel 6 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International\sTimeFormat = "ÕÓÉ"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\WallpaperOriginX = "210"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\WallpaperOriginY = "187"	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\MenuShowDelay = "9999"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\International	Krotten.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\Main	Krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	Krotten.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	Krotten.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "244"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-131918955-2378418313-883382443-1000\{E5CDE581-4A4B-419D-9D30-08908DC97527}	msedge.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND	Krotten.exe

NTFS ADS 26 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Krotten.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 704468.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 573013.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 831772.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 993631.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 623533.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 197497.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:SmartScreen:$DATA	CryptoLocker (1).exe
File opened for modification	C:\Users\Admin\Downloads\CryptoLocker (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 532765.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 523390.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 317621.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 205434.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 184329.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus (7).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 167335.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 609224.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 384765.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\sys3.exe\:SmartScreen:$DATA	PowerPoint.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 133947.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 843719.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 223928.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:Zone.Identifier:$DATA	CryptoLocker (1).exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 408592.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\PowerPoint.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\sys3.exe\:Zone.Identifier:$DATA	PowerPoint.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3748	msedge.exe
3748	msedge.exe
240	msedge.exe
240	msedge.exe
3964	identity_helper.exe
3964	identity_helper.exe
4628	msedge.exe
4628	msedge.exe
1400	msedge.exe
1400	msedge.exe
4636	msedge.exe
4636	msedge.exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe
4908	CoronaVirus (7).exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 36 IoCs

pid	Process
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeBackupPrivilege	6440	vssvc.exe
Token: SeRestorePrivilege	6440	vssvc.exe
Token: SeAuditPrivilege	6440	vssvc.exe
Token: SeSystemtimePrivilege	16604	Krotten.exe
Token: SeSystemtimePrivilege	16604	Krotten.exe
Token: SeSystemtimePrivilege	16604	Krotten.exe
Token: SeShutdownPrivilege	6232	sys3.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe
240	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6508	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 240 wrote to memory of 4712	240	msedge.exe	79
PID 240 wrote to memory of 4712	240	msedge.exe	79
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 4716	240	msedge.exe	80
PID 240 wrote to memory of 3748	240	msedge.exe	81
PID 240 wrote to memory of 3748	240	msedge.exe	81
PID 240 wrote to memory of 4332	240	msedge.exe	82
PID 240 wrote to memory of 4332	240	msedge.exe	82
PID 240 wrote to memory of 4332	240	msedge.exe	82
PID 240 wrote to memory of 4332	240	msedge.exe	82
PID 240 wrote to memory of 4332	240	msedge.exe	82
PID 240 wrote to memory of 4332	240	msedge.exe	82
PID 240 wrote to memory of 4332	240	msedge.exe	82
PID 240 wrote to memory of 4332	240	msedge.exe	82
PID 240 wrote to memory of 4332	240	msedge.exe	82
PID 240 wrote to memory of 4332	240	msedge.exe	82
PID 240 wrote to memory of 4332	240	msedge.exe	82
PID 240 wrote to memory of 4332	240	msedge.exe	82
PID 240 wrote to memory of 4332	240	msedge.exe	82
PID 240 wrote to memory of 4332	240	msedge.exe	82
PID 240 wrote to memory of 4332	240	msedge.exe	82
PID 240 wrote to memory of 4332	240	msedge.exe	82
PID 240 wrote to memory of 4332	240	msedge.exe	82
PID 240 wrote to memory of 4332	240	msedge.exe	82
PID 240 wrote to memory of 4332	240	msedge.exe	82
PID 240 wrote to memory of 4332	240	msedge.exe	82

System policy modification 1 TTPs 37 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1"	Krotten.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://loot-link.com/s?fJjn&r=aHR0cHM6Ly9nYXRld2F5LnBsYXRvYm9vc3QuY29tL2EvOD9pZD1iMDdkMjZlMzU5MjhiNjk3MWMwMjY4NjZmZWZlYjlkNGI1Yjc0ZWRmMzNjM2Q1YTQ3NTA1OTdhYzAzNDdkMGVhJnRrPWoxOGQ%3D
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffa86153cb8,0x7ffa86153cc8,0x7ffa86153cd8
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
  2⤵
  PID:584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2700 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6516 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6992 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2704 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7184 /prefetch:8
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7312 /prefetch:8
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7332 /prefetch:8
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7708 /prefetch:8
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7456 /prefetch:8
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7496 /prefetch:8
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7764 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7328 /prefetch:8
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4684 /prefetch:8
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6344 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7860 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7404 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7432 /prefetch:8
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6236 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6980 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4636
- C:\Users\Admin\Downloads\CoronaVirus (7).exe
  "C:\Users\Admin\Downloads\CoronaVirus (7).exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4908
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:4404
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:5048
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:25364
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:13416
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:24604
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:23788
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:24376
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:24100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1648 /prefetch:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7520 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:11824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7616 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:26728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2928 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:27960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7824 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:9300
- C:\Users\Admin\Downloads\CryptoLocker (1).exe
  "C:\Users\Admin\Downloads\CryptoLocker (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:11416
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker (1).exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:13408
  - - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000234
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:17912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:14848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:26844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:10744
- C:\Users\Admin\Downloads\Krotten.exe
  "C:\Users\Admin\Downloads\Krotten.exe"
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:16604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:14092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7800 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:14788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1828,11917566843367852228,14398567972951529866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7700 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:16836
- C:\Users\Admin\Downloads\PowerPoint.exe
  "C:\Users\Admin\Downloads\PowerPoint.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:6188
- - C:\Users\Admin\AppData\Local\Temp\sys3.exe
    C:\Users\Admin\AppData\Local\Temp\\sys3.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2248

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004D4
1⤵
PID:1140

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6440

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\14f4582e01974623b61f7e33ee10a132 /t 24048 /p 24100
1⤵
PID:1684

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa390b055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:6508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
3.2MB

MD5
7faa5ffa86c7629b995db9db9de5840e

SHA1
a5b83fe6745288cb6fa18450b3f9ad918fe90970

SHA256
ddda6f7397e8ebe11981b6ba137af2d99a72fe3ac1b14afee00737eca6738ed3

SHA512
7aa8e32117951be916c8f829f1f7ebae999292edf45abd4dc8ffab5a21a87ffdc956246b1c2aa62ece63fc39ef9eb7ee0d51fc1a797d0f5051ce0b9216e2633c

Download Submit
C:\Program Files\ConfirmWrite.bmp.id-58F893D8.[[email protected]].ncov

Filesize
4.0MB

MD5
29a2aa7c35df4246a24a5a4f57a3face

SHA1
0ee4c96c9e96054520c236222e79f2e351a10aa9

SHA256
1cb2aa469d054c5e88fa3b7dbedb61cd8af3712158addb16cca8942b1765c9b8

SHA512
90ce2a63662a3310a45c42e4641d5269306d9c8d8aefc7b70fbd2a0a8fa4c127d951df470fe469513f29b1d22ef9198cef72b44d37be099bfb0a7e6edcfd3d19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e681bda746d695b173a54033103efa8

SHA1
ae07be487e65914bb068174b99660fb8deb11a1d

SHA256
fee5f7377e5ca213c1d8d7827b788723d0dd2538e7ce3f35581fc613fde834c2

SHA512
0f4381c769d4ae18ff3ac93fd97e8d879043b8ec825611db27f08bd44c08babc1710672c3f93435a61e40db1ccbf5b74c6363aaaf5f4a7fc95a6a7786d1aced8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f081a02d8bbd5d800828ed8c769f5d9

SHA1
978d807096b7e7a4962a001b7bba6b2e77ce419a

SHA256
a7645e1b16115e9afec86efa139d35d5fecc6c5c7c59174c9901b4213b1fae0e

SHA512
7f3045f276f5bd8d3c65a23592419c3b98f1311c214c8e54a4dfe09122a08afb08ab7967b49bd413bc748ce6363658640bc87958d5e0a78974680a8f9beadf44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\079b99b6-7708-462f-b2ba-e765b1dd0638.tmp

Filesize
6KB

MD5
a2eee0e357ce1259bde4d289158307fd

SHA1
f6ec6777ba160e1ba29a85c932ff4c4c1e5c6f06

SHA256
50f0959565b4ab4c9e879eda8d6b7cf5f8841ec7fcbf788995ebcc5017bc492c

SHA512
d302623fa1461f802fa1165dc817224e2d445d6544fc69122b62bd38c5e78d9efb58629b366d3858b2af78726c24205f56a039ff7b01d8efe094c2205c631b73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
1c50e6925493c9a7753e4b50fa6d3465

SHA1
31706af4a26f443c2da24eed676a7850da34cd44

SHA256
0ad3148c69da7495db62c3c1d8afad145f28bccfccbc61f3e6f5692738028e05

SHA512
c5262807deecdf82c096aebd0d741abd8f2cc8fca2609c17a81f89ae526425b06bfd2ece5a7ca3f9ab46336f6a420eca014853b089f2d9ed5a86aa89ae6f5607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
ef3bb2a8036df95a5d1eca13f8758f88

SHA1
b951868f755fbb1186ce6f3911254005022ba411

SHA256
30db7ed60e60abca42d4acef20dbf7cca6f5814dfd5bc1cc99c2707ebaba2f93

SHA512
d4221ab5d42816dc5bd663a8e4c137b50f88d3b641d995e3e5f73868ebae680a0c785bb3d88b0d039ba30ce5d442a805c5ea141f80dbb7c206ede799e14a950a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
27b1d63def25e2dcb82d897311f436a4

SHA1
70ac963bdad62844ddbd8f80d5aa806883af7eaf

SHA256
b7b04f221e24ad2bdd27f4c83312c6d161cabf79fe2131efe2d8bb1672bfe774

SHA512
fba383b79cee243361b4ad6150457c62439296c52bb336a0c88d199fbbfab62576c784317bba3dce29912f30adbef010e24bf847e68ef0034dceca7cabaa690a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
28e869134525a9585999c45ac6dbd5ac

SHA1
c9a3415d06c21c0d77608f7356c1a05923f530fc

SHA256
0402ab0c0a0152b7ddc68b648bf6fd71a0bdbd0e0318a64e5e8e140a08af11c7

SHA512
6a6cdbf4e15924b7949b18635f695b226ffc66a1c0f9fdaff232503db492f99bf83b4f9ba60ff92cf5f8bee76db11ec3a53f5e9d7be8b29864f736030d380f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3ac568d59226508d3a889f0b44726bab

SHA1
e463af23fcad89841f9adc500729f42a40e4f3f8

SHA256
6f95c8ed5e18403468b5756275f61ef3300b000afef480c812303a118acf6623

SHA512
e839b9ea427d7a8f52bccdec80f050ce5ed9ae3d05a72d8527165923d6cdbf89c31d41764c94ec937a9d8ea381e5abf18fa4f94e9edfebc8f2e5ac58739c606b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c4455a4d62cf45d605952f43126eb501

SHA1
4b9b5fbea7348145fed8e5e70d9bf2a969ecf8c2

SHA256
f0f3ea1419495f6d434da8558bf673671d43b7d4c28df66747d957e93d136982

SHA512
d12011cf9fed7012579b4e307dfde5aa36ec94391718a48405c25dea27f98f42f936953124301ed001a67734f0b9f91e1ad80e88a0ab718f8cb8d0f111bbe5ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8da325ef434d117aeadabfbed4ef246b

SHA1
93a0848f7f2878bd3da8e95914ce037e4e0d1a2f

SHA256
6bd38f5b2d5e180e800607b0ba1b24ba92911b761ceb595d47d04cf264f7693b

SHA512
95b73cbc1f5fc0527c1a8756f365baaa06b823ac7f6acd79901f3371bee10571d96c7a4e7dab6cfcc50e17a46793d0a429d5090f532cb40a3c4451d9248b62e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d0374a34f65007d344716622dbda618c

SHA1
227f3730b86fcbeab609e0aa12467f128f500d5a

SHA256
89db36c0c686253c6473f991561568dc195ff20c069691cab53fae6b75a8becb

SHA512
fa28dfbec2c80d0c31970e43570c83b84a7de7ec8818746f421a67cc018b9880c671ebbe09478380faabca1939d98ab2f916437ddb6cc02f95c351600ddcfb9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2d31c11a2ee5633810560f0c067daf53

SHA1
b23135eb27bf9d6d5dd22915350644014f65d8d2

SHA256
59cca736b7b5a23d123c15a022813364b114e7561cc743adda1efb1cc5e294fc

SHA512
6c008c42350a7e402efcbabcf0a23e6fcf7a0f263f22841141642d1335d70f332952a7a80412810291bcc4e4d0da06c53f22090546a051b631111bcb1a0b7541

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7efeaea44c4e956de604d763df32ef27

SHA1
85f3dd8205bf287df38374187092b44ec8ce23ef

SHA256
6da696ce06d73c15cebeaeadc395dfa0ed073d0e8d489b7cdf70d7417afd658b

SHA512
1203048a999d66682543b8b4cf9b9367fb40862ee8b26b8171c91efef1e16ffc08d99654e4ccea7b14432c53829a4e72a2b243a07575c0153f178098949f431e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5f115b006da7d731981d48f581b5e086

SHA1
2885b36c1ec4dc9d6845bb394f924a91096142ea

SHA256
b7d9c8082750c1b7ec2be13fa3e1e82203795a9e19fb124ecb041d81a8db2955

SHA512
dd82735f8dca2df5e898f55434d68dcb1e4877c27afa128de127517a84e803fb74352ed9e5d0639896fbd208fb5d02d9c8dada38eaf863b867ce84491a42d75c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c4f15db83bc2521ad1732bd3a11a135f

SHA1
1fb20ad6d0efcd2191c22772aff3f8a89cdb5014

SHA256
c062be4e9a1d74501e3ba878a6698916360c967317e42b292a565a0c3022be9a

SHA512
981bb408168807a6352118c56c86ab4ec102c12d0fa8d2abdbd68428e62119098f2b4f9424f2a67319e20cb7886b3bc093b524873d26f125ae828aeb14669b77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a3d8a62083b23f46cc82b40c04cf5efd

SHA1
b1e8bcd8931d015e4fc3b0e4bb74806c67b95f12

SHA256
553407b12bd579a1a5b66d1ff3798354e74f2ae11f4db295dbce8451ac033a37

SHA512
3927b3ac49504162c5d9e67cc89b7de930c5ba279a1125054134486b9859026abc8a930f1abede335d2a2646f6eb02d6de0b687f4aae7695d163e7e6a39b16f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
882dddf52ab94ca090b734b0a5241e15

SHA1
6201e8ce067af9c06c130be55ba290009b840e05

SHA256
6370f660447cbf2d7454ae337565d48281a11117631af5ec92fdcc36d68a8cff

SHA512
ee27ddaa8f8e637ee8f355ae6f80ee1d630876d3f370589c17f3f025a4b382215bc98930208c0204cb4d98fd488cfce55a95bcfdec10f459d62cf12359dbb5fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e1dee04d7ba8680e9ad972bb0464505a

SHA1
39c6f417ceb951c7a302c60bfda1361e0d013a7b

SHA256
de24b9ca5b9fe4a3279373cc48e72e68106ebd907cccdaee16aa6902137cdf39

SHA512
71bf2e37c51d8d173cc664def1823e9c43e1a3b6f0f2903e11cba9cc67a6908dfd54a3d804e783a9d09b76ad877b1d780c52a254809d36fa40eb0869f23a7f20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ea89c39f40821ac5f0f98f9a8b723853

SHA1
6da2565d37ca776fff19e8fd5157734e0e7c0f67

SHA256
88314e240ec559d26b01b223f9c5d6a6b9479804c71d3dfe96061132399abc9c

SHA512
05998f8f1266e7a180fe34a82e84b233175df80ef9bdefd6fca482f8ca62b2b5681f4580841091c9007d7f0ddbcba8b618b437d47da021259b7d2f02eff26b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e38dcc3305ad6736068e1162ddda747a

SHA1
562e8cc9fe124a44db8389b536fdafb9db312710

SHA256
2850db304835d09029d10c545d353d0dc7e8520efe3864aca71cc5399f76d973

SHA512
04746415b76fca35a02f57d2964a2b8f35b15f7b0bb894587c4a1096d32b5b441694a052e8c963369815ef890d199330521ceccca19c95803a18d00623061739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5844a5.TMP

Filesize
538B

MD5
e72ad87272871e96921156290ff42253

SHA1
1eda33a04d48fb59efcfad9bf52443fef3d5ed51

SHA256
b933a3533e668875ead7aba141dff225e360c478394f6f2305d2af6800be487d

SHA512
ae28971dad19b7b701a1bf67cbfe6a58e3b44ed049312b24c51cda34de3cc1e1a2712ce6ce0e5f62e94f7244a54862b27a7ac62ebb578fc15f6f197e38b60408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5970f0.TMP

Filesize
1KB

MD5
61efadc68ade611869d9209312805c29

SHA1
4a415590eb8e3155fbf60067c4db3a20220b6ba5

SHA256
3d282610899655428a7731fedc69a377fd64dd3c41edea3716ad466b083ccc0b

SHA512
2ff8b5de5d8ccee89e7017a7b1e7214933271b4d3aa03592a5f209b96aabec8ca13004cad6d2679d92695e5e95af52ad15bc9e012cb3bbeabe0652ad659533da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
269398e429e452f9b343630e9826523b

SHA1
5fd699cc224910d7d8198fbbffec9116343197c3

SHA256
c5a63cc7e92d9f1801f9e08e1f3f4fd4fb6f4f1077d94ca958c72ec3568d0fe7

SHA512
e21bb5d8ae862da40ef9382906c7ebf6ea12e070ff8f75b9463697ebc056caab688da50101b7b720e1c707edc2d19e1520e3e68d767229fffff949d28cd4f81a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
52db69a787918433c3d2ae2659a17b4f

SHA1
a95a48b2e5dafc0620c8e4404667be047c12e5a3

SHA256
804dc58f9bb4c9c07e77154866ed979d71a017a7595495a9336b3a7243788668

SHA512
5ca46d6f1283c92f53c9da8ba67da7a855f2062d4ab397d4445f4edf38edbcd1390b6d27b06ecce4187f78e3ec8214802ab7d7067e2e1ac50e596955d062ca97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e51e6ea1201740f03780bffcc9b92a8f

SHA1
cecce79f3f270761e299a67f1d146d31ce5a9d2a

SHA256
7462383a99c2ef7a4c9e8808a2b382813c3322ff88b66c9d5bbaf482b826a9f3

SHA512
48ee48e1ba1bd91456651e14b2c60181caa9486310ac147101836f661dd64f0caceb6c017b681ab2c8caf1685e0c4c59f2d825c8c52d7f68759d60d813b6d119

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
07023624fe52afe82b1604078fe092b6

SHA1
57fa83238bdfdfbd04bf5e6b3bc2f87b4bc7a0fb

SHA256
eda10305fa06de466ea1deb4b449db85ae28b9be2aab244afec2ddc27e82466e

SHA512
f5b8e291ae7f64ee41c80932542824030263a4aa018567c8a4f3ed19ffd4c251a01e26f32621a29dcb2cb5ee8d639a340e9488a770304abf9fd6efb91483b082

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys3.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

Filesize
1KB

MD5
6f0a094da6849d8e134de29386c2580b

SHA1
ee037aaf597534b205722680612176e470dd270b

SHA256
e1eb30489bdb52e911242db0f97bfc1fdb8f393a78e1e515f17edddf543a8eb7

SHA512
1387e49eb8be133dffdff83ade0fd827d6a53076f6d1a9a83c561ed5716b9e031a71ab83000a577ddd0d43f553fd6eb5be2c737affc7db3742b8f9d414c0cc8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
5KB

MD5
e7e2125c41fb63fdf0a6a605d6a16396

SHA1
9ba647e1685931b0065cc28c0bfbbbbe84b1f96d

SHA256
87d142d025a91c1b6e152bb931037b8463f8b059b9a404e0d592fdb51e846f7e

SHA512
a07708676fd477187d381992f4fb071a51df273cc289430df10922f621e4d9484c26cea1ec4001c024fd878d91ea438d2e3f5f6d6a53a8352b48d9673adc6155

Download Submit
C:\Users\Admin\Downloads\CoronaVirus (7).exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 408592.crdownload

Filesize
53KB

MD5
87ccd6f4ec0e6b706d65550f90b0e3c7

SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f

SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 523390.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 609224.crdownload

Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
memory/4908-5279-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4908-722-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4908-712-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/6188-26186-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/6188-26192-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads