hxxp://youtube[.]com

Resubmissions

13-10-2024 02:58

241013-dgbcpswcja 10

13-10-2024 02:54

241013-ddzwwswarc 8

Analysis

max time kernel
158s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 02:54

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://youtube.com

Score

8^/10

discovery evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
5076	000.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\O:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\X:	000.exe
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\G:	000.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\Z:	000.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
154	raw.githubusercontent.com
155	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	000.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper	000.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3928	5076	WerFault.exe	125
4872	5076	WerFault.exe	125

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1008	taskkill.exe
348	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3442511616-637977696-3186306149-1000\{1974AD51-414A-4E3A-90E8-C8D0046618D3}	000.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 856669.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4512	msedge.exe
4512	msedge.exe
4728	msedge.exe
4728	msedge.exe
2304	identity_helper.exe
2304	identity_helper.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
1916	msedge.exe
1916	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	4184	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4184	AUDIODG.EXE
Token: SeDebugPrivilege	1008	taskkill.exe
Token: SeShutdownPrivilege	5076	000.exe
Token: SeCreatePagefilePrivilege	5076	000.exe
Token: SeDebugPrivilege	348	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3536	WMIC.exe
Token: SeSecurityPrivilege	3536	WMIC.exe
Token: SeTakeOwnershipPrivilege	3536	WMIC.exe
Token: SeLoadDriverPrivilege	3536	WMIC.exe
Token: SeSystemProfilePrivilege	3536	WMIC.exe
Token: SeSystemtimePrivilege	3536	WMIC.exe
Token: SeProfSingleProcessPrivilege	3536	WMIC.exe
Token: SeIncBasePriorityPrivilege	3536	WMIC.exe
Token: SeCreatePagefilePrivilege	3536	WMIC.exe
Token: SeBackupPrivilege	3536	WMIC.exe
Token: SeRestorePrivilege	3536	WMIC.exe
Token: SeShutdownPrivilege	3536	WMIC.exe
Token: SeDebugPrivilege	3536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3536	WMIC.exe
Token: SeRemoteShutdownPrivilege	3536	WMIC.exe
Token: SeUndockPrivilege	3536	WMIC.exe
Token: SeManageVolumePrivilege	3536	WMIC.exe
Token: 33	3536	WMIC.exe
Token: 34	3536	WMIC.exe
Token: 35	3536	WMIC.exe
Token: 36	3536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3536	WMIC.exe
Token: SeSecurityPrivilege	3536	WMIC.exe
Token: SeTakeOwnershipPrivilege	3536	WMIC.exe
Token: SeLoadDriverPrivilege	3536	WMIC.exe
Token: SeSystemProfilePrivilege	3536	WMIC.exe
Token: SeSystemtimePrivilege	3536	WMIC.exe
Token: SeProfSingleProcessPrivilege	3536	WMIC.exe
Token: SeIncBasePriorityPrivilege	3536	WMIC.exe
Token: SeCreatePagefilePrivilege	3536	WMIC.exe
Token: SeBackupPrivilege	3536	WMIC.exe
Token: SeRestorePrivilege	3536	WMIC.exe
Token: SeShutdownPrivilege	3536	WMIC.exe
Token: SeDebugPrivilege	3536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3536	WMIC.exe
Token: SeRemoteShutdownPrivilege	3536	WMIC.exe
Token: SeUndockPrivilege	3536	WMIC.exe
Token: SeManageVolumePrivilege	3536	WMIC.exe
Token: 33	3536	WMIC.exe
Token: 34	3536	WMIC.exe
Token: 35	3536	WMIC.exe
Token: 36	3536	WMIC.exe
Token: SeShutdownPrivilege	5076	000.exe
Token: SeCreatePagefilePrivilege	5076	000.exe
Token: SeIncreaseQuotaPrivilege	4144	WMIC.exe
Token: SeSecurityPrivilege	4144	WMIC.exe
Token: SeTakeOwnershipPrivilege	4144	WMIC.exe
Token: SeLoadDriverPrivilege	4144	WMIC.exe
Token: SeSystemProfilePrivilege	4144	WMIC.exe
Token: SeSystemtimePrivilege	4144	WMIC.exe
Token: SeProfSingleProcessPrivilege	4144	WMIC.exe
Token: SeIncBasePriorityPrivilege	4144	WMIC.exe
Token: SeCreatePagefilePrivilege	4144	WMIC.exe
Token: SeBackupPrivilege	4144	WMIC.exe
Token: SeRestorePrivilege	4144	WMIC.exe
Token: SeShutdownPrivilege	4144	WMIC.exe
Token: SeDebugPrivilege	4144	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4144	WMIC.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe
4728	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5076	000.exe
5076	000.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 1844	4728	msedge.exe	83
PID 4728 wrote to memory of 1844	4728	msedge.exe	83
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 2328	4728	msedge.exe	85
PID 4728 wrote to memory of 4512	4728	msedge.exe	86
PID 4728 wrote to memory of 4512	4728	msedge.exe	86
PID 4728 wrote to memory of 4604	4728	msedge.exe	87
PID 4728 wrote to memory of 4604	4728	msedge.exe	87
PID 4728 wrote to memory of 4604	4728	msedge.exe	87
PID 4728 wrote to memory of 4604	4728	msedge.exe	87
PID 4728 wrote to memory of 4604	4728	msedge.exe	87
PID 4728 wrote to memory of 4604	4728	msedge.exe	87
PID 4728 wrote to memory of 4604	4728	msedge.exe	87
PID 4728 wrote to memory of 4604	4728	msedge.exe	87
PID 4728 wrote to memory of 4604	4728	msedge.exe	87
PID 4728 wrote to memory of 4604	4728	msedge.exe	87
PID 4728 wrote to memory of 4604	4728	msedge.exe	87
PID 4728 wrote to memory of 4604	4728	msedge.exe	87
PID 4728 wrote to memory of 4604	4728	msedge.exe	87
PID 4728 wrote to memory of 4604	4728	msedge.exe	87
PID 4728 wrote to memory of 4604	4728	msedge.exe	87
PID 4728 wrote to memory of 4604	4728	msedge.exe	87
PID 4728 wrote to memory of 4604	4728	msedge.exe	87
PID 4728 wrote to memory of 4604	4728	msedge.exe	87
PID 4728 wrote to memory of 4604	4728	msedge.exe	87
PID 4728 wrote to memory of 4604	4728	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://youtube.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc13cc46f8,0x7ffc13cc4708,0x7ffc13cc4718
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6680 /prefetch:8
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6800 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2184 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2520 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3676 /prefetch:8
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,10763440663584796694,7784924351802247124,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1916
- C:\Users\Admin\Downloads\000.exe
  "C:\Users\Admin\Downloads\000.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies WinLogon
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2944
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:348
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' set FullName='UR NEXT'
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3536
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' rename 'UR NEXT'
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4144
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /f /r /t 0
      4⤵
      PID:3924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 4448
    3⤵
    - Program crash
    PID:3928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 4448
    3⤵
    - Program crash
    PID:4872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3980

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x414 0x4e0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5076 -ip 5076
1⤵
PID:3964

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa397f855 /state1:0x41c64e6d
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5076 -ip 5076
1⤵
PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1e162a52-2f4c-471c-ab27-e5877e2a426f.tmp

Filesize
7KB

MD5
cb2b2e824040e243df7cde5d1b7b7438

SHA1
08cb99b709b459087c84537c0040b85534e8a3ba

SHA256
849872b02fc90fabf40f2bee359d9be86e8c58d486d7755d0f1dc3bd08a2914f

SHA512
c77fffb6372ba86fd262db049535ebc572f91b697aacdacc070de719cfc50b4c2b54c095332225bebb1fe667c50304ee159096cf135be2407373a0a32d615a2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
37569a8000f01c84503d15aa8494f008

SHA1
9e47e0bbffa7823a4d05e642f785f14c833c8c76

SHA256
8e45806a5ba734aa97ea777ac2a691001c966543ff3c04e039e4d100d7700746

SHA512
932d6fb4ba507212db53d43855cd767ea64b5939cdce650a7a16f06cb85c25cf7a51dedde8fd837353315ca11c0c4874b135311f242ab5648f224e9ca6d859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
3972da5495626432f0d8fec7d9476537

SHA1
7acd969f533ee4c42973af2b275d2c08afe667f6

SHA256
c72aa2d7f8a7ca96cfdb4fbac77036111901719c4141b6a5b0e80e312554c538

SHA512
2d1a1e6d6cfefe4c2683b93c9f5d96f37fd4bd31e13cf75e901a7786c66b88462defa77c108bab410ec363fd14b4c442b12d9d582c6ebc79db274f57a26bd2c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3c88cccf46f62670ccebf3338273ebd4

SHA1
a6d2a9f5956124bab1915b24daeec8476eb61dbb

SHA256
9ee1e499661336040b620c4762dc6ad18114ee8db176a7fd21db98f462f0d85a

SHA512
b39d71f90ff904906bb8122fdba21c2e20282f7026cc93dd260ce6f711789b283b669ae145c5be017870b20ab98dce2b713b6ad39a6c3c71b8f5573f2ba035ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
ce0ff6fe92353a77d27e11f6956a4059

SHA1
35d27cf6d059d9ba3e1d31f72c31a987191d6b95

SHA256
ca0bbfec7c51a81fd8e8b58b3916f422a30a917bed6378bc7737b42389bd7853

SHA512
9d12849a50f05b48f0e5dde43b17cb727f057fceccc4433a78a0b5b7637a230312c32dd8fd7d142187ddd90ead73561afe70626706adf808094b84751701e928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
3a4f9742a6785c541b738517375dd028

SHA1
eaef7a3478e99f03dde66dd5cb65baa5defb4562

SHA256
73edd778d7ae1c6557be1b6eeeb0494a3ece7b1210a9a9316642e590a27102f2

SHA512
2e6bbfa59d57fb8645b9999c180d4cdf500e6e74e3f677178064dae63dfe04cef32ccf1e9d6aaba1fe04e9a235b3de9d88bbe027ffa221ff25a9efa0c5b673bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a75e1b687b3072cfd52b32485e0ca65c

SHA1
c8ea2b8f12d82bc9faf56a0fb0e3c1797e281343

SHA256
716cec572000d06dba0524e0f557847c276eebf9a19b351d77ea96c93888d881

SHA512
2c8a4e95ad5c5fd202e5d9d02e94b6680304e4ffe1caf07266aabe03ffe0301ad1015ead67b8a4f3d09cc14905025b4fb5d9abb009977697e3b7cfba8bf29bea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c1f122de0f0b5286ae9609a91abac9c0

SHA1
5f67aaa166539778ad0aeededc9d27836bc97a78

SHA256
ec8c2daa194e9726349861372071b8d8d103d0c439081cb552374d4ee0e65548

SHA512
dc7bd14245e6c2b351cc2318e3c5e6a13fdcaee64c992820eef76dc3990f9f33103a98a4b7695891d621a5e3466879b015ae7ba4a7f00be33ce5fb85f6f9aeaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
39b829f9d3c8049d4a958c4e3af9a772

SHA1
ef90f9e998bb9fa1c18b3d8ad1a6779ece2a896c

SHA256
02f7de06f30e55f62faa2cf761db142e93997897f624febe1a2d8d8462568e72

SHA512
4fea1a4fd85d32f9f8d76c8e8e815bd1a4f51ae476e26975755fd1de57846b9ce3b496a259f249105dc2bc117c69e1539fcb62868cd71bb6b32f4fe7d8bcc884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8da73ed9247b5b4585afdb9871db0f17

SHA1
b35bbcd71eb4a7826be5046e70f29c09a29456e1

SHA256
2e9794f79b0bf86db8b1204ae08a6962c903d51dae3c76dd4505ad3a62f13783

SHA512
e7fcdecdd6a0416d10188502da72ebfd67c9c0cddb4bca6814cc71acc03cabeb3a59083937ad243bd94df14d85a91f5b596498cf77401d3663e72298d7cdf4ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\181cb367-c18b-4f28-a84b-1f7dbdfeb69d\index-dir\the-real-index

Filesize
2KB

MD5
8e243c4028108a5795303c37c1acf771

SHA1
f6ef8ba1d1f6c9049f9b0ac442fcf5292b074e00

SHA256
9bf61dcd9da798b74aa05572df8c6f30d6bb19cdaa24d9fcabfd1c501bdc3124

SHA512
e43445be49784768e3437fb5648dd06af7e4799e25e6f3c05b9c70e9a0927f1041aa054f197afd1e872aa4421ec7b0cae0f6d568814f041ac4a77c6bb7cbea3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\181cb367-c18b-4f28-a84b-1f7dbdfeb69d\index-dir\the-real-index~RFe5823ee.TMP

Filesize
48B

MD5
2f6ab86c92f4d332761c162609ddbeaa

SHA1
2f2676d1884200029bc725885b43d7d49940ad48

SHA256
67dd32c742051e10d7a53ef210e9206175d45242f7ce131807acfadeca7874b2

SHA512
3e11d6ce75b2c3f8c8915db0acab1c7f51f946b23aaa997217ebb4fe147995a59d811e82c7dd51b91a00293ffde73cf7295292453a745e01eebb62505a0baefd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
67599fa257cc3db5ebca030c0dc2a66a

SHA1
e064a29927d4d7c5f6f39459ede2a184f901c1b2

SHA256
b846d1bfd2c81e237dfecaab4e5bdd5d2463ef7f723bf11a18fe2acb1d1ece7a

SHA512
e8bbce7c32a559ba40a04455c21f24efa3c0e4aee76f2b96b898f06b70846c96e047acaa770aa08efdf7cc1a89a7661e68f795a7a96390f9e73d82f7368a4a7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
7c5ae5a5b7ac4e8f92e78bbd0919f61f

SHA1
931004e4685a2f63cf0afda5f52ca4349967dd06

SHA256
8c212e6eb6daada52f06118d4f40dee92504471b723493be7d63c26a94a2338d

SHA512
7562761b632cdbdb90dab9d20658b931b974c922e51c163f7bb5904dc8ba752fd9d83654cd7e90b97cb4d76167a3bcde7e0feb2c8576f29b7d4fd77227171756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
05bc534906ba832afea66a72da50354d

SHA1
d778290170f6eefcb3e6d5127dae87741a5b691d

SHA256
1b2f9dad365571ac34d9640fee1cb88e2bce184789d3fb224b64f72850ce9f08

SHA512
bd800bf0100cef496144481b1cb93f63741bd33a810ad9c3c74706f8004659df4ce02e1c3d6e68b03eb5b0c98c6d515a63fec1e2890097f34c9a9cb563d4161b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
d671615c0f8357d54ff5876df8dd375b

SHA1
c225f64328e48ee0658ece950ac35791d61c608a

SHA256
b57f8f9fb98b2d2c17001a53b1ec9abdbfe71c551250eff14e257152be302f03

SHA512
f9fc5584a20b610edea17cfff732f690f4cb3bd914454d0bc8ce204e19d8e715c6391be96dc16e1c2f38bbe4254d848da919fb893084d8446d3e607d2594af5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6b757494d6ac4def09b78c6f92faf3fa

SHA1
6ae26433832befade5fb21f30d060907abf0f6a8

SHA256
fd0cc4ae8dc0ff9ba5a170fa50f1eafb5058855012c50fd2f52892d9954391ee

SHA512
5f99e30c92502b4f54897879e103e2736d7e33a94e7190102ecc627f9a66e31eea38c8298de1f537c3ae005c464025462bca2928d3ffcbd3d3bd43a778d1a2ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581d37.TMP

Filesize
48B

MD5
109398e5c051edc891ee8b54827311c1

SHA1
0b792e6e313688f7f10b82fc93e548f57a7c300a

SHA256
349d2f571a82e8f9df1f62c423d591b7140498f570396c1333b3a4f48dbf7347

SHA512
5921d3e3703e7b7a8fdec601b645e1fbe48e4cea7ed5397508e2dc0ed0b5417fb14f35ea11f35a1ebfe50f64b8c2d3df989111f9dc8ad25998ffeb8e5ee72c12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6246845d64f20ed6d6429e8f967b04fe

SHA1
26295bc5af6e8014ec47cb91603adb7795a596a6

SHA256
8ab255a6a22c02f6cc246ddb91003a5999a381be9f4de6683445a1ce2e20b161

SHA512
dceaea334da43264633633fe445b90240c7cba25baaac6adf6a3543aba1edc477c08873a2d990524056e2044c8edcb8144ca74b8e9ffa5caf94d2489d63f7b9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
054e21c31baf437f49683101c369af9e

SHA1
e659ee005b0e051c119746d8f11fc9e5812c1427

SHA256
db2cedc2dfce5c95129b102df70ad8aadb754d2dfb4ad63aa1b403569830537b

SHA512
547a6bf10f4d94b1bb9cc8556cbb6482fbb6bc7e4ed9c771ad16ef9259aea4aa31529ce1d0d1c6303cf2b07e82faa23d0ccd57cb0b58576a5d63346ece1623a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
545b784ded82a746141ef90cae5ac898

SHA1
d86d3e74f238324e2d5280452a03d3ebee3abab4

SHA256
031f4dc757c8f5addcf56d68086975e89594b6b3c7a3964abe8c2d53b0a3edff

SHA512
c355555d3127f55b98b6d91a8f4d7075aa3b0f60c8f417634c650da9cfe80f26fb2bbf762e17e1865f960ce1c4ea0364749ff565b310b8759c9e10773b884bf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581345.TMP

Filesize
706B

MD5
f11cabd687113c7a4a6cf8ade9921fd2

SHA1
39b340195a5afcea044726d865751bd9a40d53db

SHA256
5e407fd5e02977ded3a8e3cc3ee1f8e67630fd1d05b5d01f80dcf9e0208cc575

SHA512
4624625d185cb6229214356616186db01ab36decb754059219ec31ac5c395b15a329027b47dbfdf29485361997326cb6dca90fc541760a542b966fa5609e2881

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d452c762-c2ea-45e2-a1dc-1d75c23b06ac.tmp

Filesize
1KB

MD5
44602e8b6c42c1f315a690929a5f517a

SHA1
1238a96df15af17ffea423f2a7dd4c2b370435b9

SHA256
e05762279658b8c69afb73cdac40a2ffe0bba8859374b4c8869f85f57e2e7cb3

SHA512
90e786e8856e7d008c03532307a63a286325a7ea60911fdf1b5135612dd3e6f9300b9150250294932900c37abd721058d5fb96da860d186517f39b332169048c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
eb9612557dfef3d8a3cf749125df1593

SHA1
2949700596c02393ade6a4eb7da8356d23bd8cef

SHA256
2cb6b978be21f9b9a6de8cc7ef6455d43e49f28d9f0366db2be43c3590de6f24

SHA512
333cf1d61818d6ec10760e713251d65a4ff69be76353b2b0a5c9964942de0c7278c5cb10eacb34627f604ef8193fac6f32631b5aeba99b0a0ff39b42af68aee6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
0b7e442162686b9edcc3079ad3678c01

SHA1
016dea0082f3e3275db721798cbc479751358a42

SHA256
1b67dd87d26fdc2530dc8f959fa5fee51db24fe810f422622abf666faed2c5fc

SHA512
b9d1ef70d2aac355354a8171262fb471fd8f194e0864a3eca41cbe45fa670b5a4f8f68e71cf70f289af281e883e6ed5e7508245b1b1ada94a9b2081e9d13a22a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf

Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe

Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\text.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 856669.crdownload

Filesize
6.7MB

MD5
f2b7074e1543720a9a98fda660e02688

SHA1
1029492c1a12789d8af78d54adcb921e24b9e5ca

SHA256
4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

SHA512
73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

Download Submit
memory/5076-714-0x0000000006020000-0x00000000065C4000-memory.dmp

Filesize
5.6MB

Download
memory/5076-739-0x000000000C240000-0x000000000C250000-memory.dmp

Filesize
64KB

Download
memory/5076-740-0x000000000C240000-0x000000000C250000-memory.dmp

Filesize
64KB

Download
memory/5076-742-0x000000000C240000-0x000000000C250000-memory.dmp

Filesize
64KB

Download
memory/5076-741-0x000000000C240000-0x000000000C250000-memory.dmp

Filesize
64KB

Download
memory/5076-743-0x000000000C400000-0x000000000C410000-memory.dmp

Filesize
64KB

Download
memory/5076-744-0x000000000C400000-0x000000000C410000-memory.dmp

Filesize
64KB

Download
memory/5076-746-0x000000000C240000-0x000000000C250000-memory.dmp

Filesize
64KB

Download
memory/5076-747-0x000000000C400000-0x000000000C410000-memory.dmp

Filesize
64KB

Download
memory/5076-745-0x000000000C240000-0x000000000C250000-memory.dmp

Filesize
64KB

Download
memory/5076-733-0x000000000C1A0000-0x000000000C1AE000-memory.dmp

Filesize
56KB

Download
memory/5076-732-0x000000000C1E0000-0x000000000C218000-memory.dmp

Filesize
224KB

Download
memory/5076-713-0x00000000007D0000-0x0000000000E7E000-memory.dmp

Filesize
6.7MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads