ef483723ac88d655dfc5f08537cbc7ca6bef3ca2c2f34fd1ade321156f4efe08

Analysis

max time kernel
504s
max time network
511s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 13:52

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ZRK 1.1 UC/src/PyQt5/Qt5/bin/Qt5Network.dll
Size

1.3MB
MD5

3569693d5bae82854de1d88f86c33184
SHA1

1a6084acfd2aa4d32cedfb7d9023f60eb14e1771
SHA256

4ef341ae9302e793878020f0740b09b0f31cb380408a697f75c69fdbd20fc7a1
SHA512

e5eff4a79e1bdae28a6ca0da116245a9919023560750fc4a087cdcd0ab969c2f0eeec63bbec2cd5222d6824a01dd27d2a8e6684a48202ea733f9bb2fab048b32
SSDEEP

24576:eXPn73RXox1U9M0m+1ffSDY565RzHUY1iaRy95hdGehEM:+7hXU1U95m4ff9A5RviaRy9NGI

Score

8^/10

discovery evasion persistence ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

000.exe

description	ioc	Process
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\O:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\G:	000.exe
File opened (read-only)	\??\X:	000.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\Z:	000.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\B:	000.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
119	raw.githubusercontent.com
120	raw.githubusercontent.com
140	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

000.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	000.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

000.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper	000.exe

Executes dropped EXE 1 IoCs

Processes:

000.exe

pid	Process
1884	000.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

taskkill.exeWMIC.exeWMIC.exe000.execmd.exetaskkill.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

evasion

Processes:

taskkill.exetaskkill.exe

pid	Process
1756	taskkill.exe
4804	taskkill.exe

Modifies registry class 2 IoCs

Processes:

000.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3756129449-3121373848-4276368241-1000\{460E4183-C790-4C8B-A8B0-C066EB6BC901}	000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe

NTFS ADS 2 IoCs

Processes:

msedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 301310.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 269233.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	Process
3512	msedge.exe
3512	msedge.exe
5108	msedge.exe
5108	msedge.exe
516	identity_helper.exe
516	identity_helper.exe
1188	msedge.exe
1188	msedge.exe
1292	msedge.exe
1292	msedge.exe
1532	msedge.exe
1532	msedge.exe
5112	msedge.exe
5112	msedge.exe
2736	msedge.exe
2736	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4720	msedge.exe
4640	msedge.exe
4640	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

Processes:

msedge.exe

pid	Process
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exe000.exetaskkill.exeWMIC.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeShutdownPrivilege	1884	000.exe
Token: SeCreatePagefilePrivilege	1884	000.exe
Token: SeDebugPrivilege	4804	taskkill.exe
Token: SeIncreaseQuotaPrivilege	5060	WMIC.exe
Token: SeSecurityPrivilege	5060	WMIC.exe
Token: SeTakeOwnershipPrivilege	5060	WMIC.exe
Token: SeLoadDriverPrivilege	5060	WMIC.exe
Token: SeSystemProfilePrivilege	5060	WMIC.exe
Token: SeSystemtimePrivilege	5060	WMIC.exe
Token: SeProfSingleProcessPrivilege	5060	WMIC.exe
Token: SeIncBasePriorityPrivilege	5060	WMIC.exe
Token: SeCreatePagefilePrivilege	5060	WMIC.exe
Token: SeBackupPrivilege	5060	WMIC.exe
Token: SeRestorePrivilege	5060	WMIC.exe
Token: SeShutdownPrivilege	5060	WMIC.exe
Token: SeDebugPrivilege	5060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5060	WMIC.exe
Token: SeRemoteShutdownPrivilege	5060	WMIC.exe
Token: SeUndockPrivilege	5060	WMIC.exe
Token: SeManageVolumePrivilege	5060	WMIC.exe
Token: 33	5060	WMIC.exe
Token: 34	5060	WMIC.exe
Token: 35	5060	WMIC.exe
Token: 36	5060	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5060	WMIC.exe
Token: SeSecurityPrivilege	5060	WMIC.exe
Token: SeTakeOwnershipPrivilege	5060	WMIC.exe
Token: SeLoadDriverPrivilege	5060	WMIC.exe
Token: SeSystemProfilePrivilege	5060	WMIC.exe
Token: SeSystemtimePrivilege	5060	WMIC.exe
Token: SeProfSingleProcessPrivilege	5060	WMIC.exe
Token: SeIncBasePriorityPrivilege	5060	WMIC.exe
Token: SeCreatePagefilePrivilege	5060	WMIC.exe
Token: SeBackupPrivilege	5060	WMIC.exe
Token: SeRestorePrivilege	5060	WMIC.exe
Token: SeShutdownPrivilege	5060	WMIC.exe
Token: SeDebugPrivilege	5060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5060	WMIC.exe
Token: SeRemoteShutdownPrivilege	5060	WMIC.exe
Token: SeUndockPrivilege	5060	WMIC.exe
Token: SeManageVolumePrivilege	5060	WMIC.exe
Token: 33	5060	WMIC.exe
Token: 34	5060	WMIC.exe
Token: 35	5060	WMIC.exe
Token: 36	5060	WMIC.exe
Token: SeShutdownPrivilege	1884	000.exe
Token: SeCreatePagefilePrivilege	1884	000.exe
Token: SeIncreaseQuotaPrivilege	2392	WMIC.exe
Token: SeSecurityPrivilege	2392	WMIC.exe
Token: SeTakeOwnershipPrivilege	2392	WMIC.exe
Token: SeLoadDriverPrivilege	2392	WMIC.exe
Token: SeSystemProfilePrivilege	2392	WMIC.exe
Token: SeSystemtimePrivilege	2392	WMIC.exe
Token: SeProfSingleProcessPrivilege	2392	WMIC.exe
Token: SeIncBasePriorityPrivilege	2392	WMIC.exe
Token: SeCreatePagefilePrivilege	2392	WMIC.exe
Token: SeBackupPrivilege	2392	WMIC.exe
Token: SeRestorePrivilege	2392	WMIC.exe
Token: SeShutdownPrivilege	2392	WMIC.exe
Token: SeDebugPrivilege	2392	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2392	WMIC.exe
Token: SeRemoteShutdownPrivilege	2392	WMIC.exe
Token: SeUndockPrivilege	2392	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	Process
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

msedge.exe

pid	Process
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

000.exe

pid	Process
1884	000.exe
1884	000.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 5108 wrote to memory of 2608	5108	msedge.exe	105
PID 5108 wrote to memory of 2608	5108	msedge.exe	105
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 4048	5108	msedge.exe	106
PID 5108 wrote to memory of 3512	5108	msedge.exe	107
PID 5108 wrote to memory of 3512	5108	msedge.exe	107
PID 5108 wrote to memory of 3076	5108	msedge.exe	108
PID 5108 wrote to memory of 3076	5108	msedge.exe	108
PID 5108 wrote to memory of 3076	5108	msedge.exe	108
PID 5108 wrote to memory of 3076	5108	msedge.exe	108
PID 5108 wrote to memory of 3076	5108	msedge.exe	108
PID 5108 wrote to memory of 3076	5108	msedge.exe	108
PID 5108 wrote to memory of 3076	5108	msedge.exe	108
PID 5108 wrote to memory of 3076	5108	msedge.exe	108
PID 5108 wrote to memory of 3076	5108	msedge.exe	108
PID 5108 wrote to memory of 3076	5108	msedge.exe	108
PID 5108 wrote to memory of 3076	5108	msedge.exe	108
PID 5108 wrote to memory of 3076	5108	msedge.exe	108
PID 5108 wrote to memory of 3076	5108	msedge.exe	108
PID 5108 wrote to memory of 3076	5108	msedge.exe	108
PID 5108 wrote to memory of 3076	5108	msedge.exe	108
PID 5108 wrote to memory of 3076	5108	msedge.exe	108
PID 5108 wrote to memory of 3076	5108	msedge.exe	108
PID 5108 wrote to memory of 3076	5108	msedge.exe	108
PID 5108 wrote to memory of 3076	5108	msedge.exe	108
PID 5108 wrote to memory of 3076	5108	msedge.exe	108

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\ZRK 1.1 UC\src\PyQt5\Qt5\bin\Qt5Network.dll",#1
1⤵
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbf36246f8,0x7ffbf3624708,0x7ffbf3624718
  2⤵
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3524 /prefetch:8
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3524 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2652 /prefetch:8
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2908 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6024 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6812 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3488 /prefetch:8
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,8434289479510565053,15648417526898347822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4640
- C:\Users\Admin\Downloads\000.exe
  "C:\Users\Admin\Downloads\000.exe"
  2⤵
  - Enumerates connected drives
  - Modifies WinLogon
  - Sets desktop wallpaper using registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5064
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1756
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4804
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' set FullName='UR NEXT'
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5060
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' rename 'UR NEXT'
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2392
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /f /r /t 0
      4⤵
      PID:4672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:756

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4252

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38e0855 /state1:0x41c64e6d
1⤵
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
18KB

MD5
2e23d6e099f830cf0b14356b3c3443ce

SHA1
027db4ff48118566db039d6b5f574a8ac73002bc

SHA256
7238196a5bf79e1b83cacb9ed4a82bf40b32cd789c30ef790e4eac0bbf438885

SHA512
165b1de091bfe0dd9deff0f8a3968268113d95edc9fd7a8081b525e0910f4442cfb3b4f5ac58ecfa41991d9dcabe5aa8b69f7f1c77e202cd17dd774931662717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
25000b06660bcdfcb3bd121b3e5d693f

SHA1
37b179054012b7575fcc5e6d910899b07a93a3cf

SHA256
eafacf8df03ea2289a0e1613c9ec96b17b9edef1fcde499a7fb860809a6356f2

SHA512
293c31baea4d49188e0d5db646405998b8acf7e93c21e6d9f48238aeae95cffdb62d098a7dbf5879aec5f4a741a1c4f8ede8197785ba29d4d8e29495666ff451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
399f3261394e91f3d9a01e3a5978559f

SHA1
106da560b4a53c4292429d3c846339bee9b68f7b

SHA256
d9ad785699e609a9b6c2ad173559e15b3011a787aec1e1e36e3c3231bee608c0

SHA512
dd451efc59fe6563e97ed507a69b76ed46e45505ec22761117bbe19fc2d9fbf6317e94e9c5a937fd2271e19b1b51a54e155bb09250809f9cde75770e90d2e91c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
956B

MD5
ffffa727e97cd1f7a55649401ad8478f

SHA1
6a5d9b7e75af28f70be4d1b9cede6bf5b7f4457c

SHA256
776afc20d31df28a14fc5ef8232e52ad83e93b9c5e044f886f44afb838b59a8b

SHA512
9cd671ed00f11f369f65afbd757d6497393a81d0832d03e6c70552439137ce5330a66a48425fdb7b9ad16faa3f42b01e80efefaee80ec47031eef6095d59e5e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a8caa98cb8376503b31d04fedae68459

SHA1
7c05206e9f8923f5f221b4920d202ebce55dfe02

SHA256
a355c5ec89b55bdff52f075869bd5704cf58edfddaef907bdfc83a815944b615

SHA512
7b60f31857b369d2c03f1729453648b22745736b241309b727008dc660ec4c7de2f2caca41cb13eb650b5c5cfd54c3f5547f89a96023e7c2a0acbc4eb6cbb0ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
60d9f00f03c9fd53d6c0b78976046ec0

SHA1
5b5032885c8559b5f0ea0889f15f6b0991e740c7

SHA256
032b18c30128f85bf98e7cba1d013e590227f003d49f2262374be4484964de88

SHA512
907b245dba2a1abab7a89d45010ef06e68746c59c3e3aedcc878831df76545671a151980520f5d270a2d6b91706e55900df9fde1649372693d49224acac59e62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5d2774760202f31982804a86d0d903a6

SHA1
b7611a19d626035501d0716f485d74ff45539f67

SHA256
fdd8d208a9fa6fbf4f8bd032b610af89de92413a1a9552e5066741ef2798c739

SHA512
967bf2c7918bea158cf1dd9461b1b15f278bb579180d90cd6bb0055cd5b7986cbeffed8e363687f4b8455cd5ed7e8f0645aeefdc87921ac664f8d1338a852837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dcf481b6237cb118d94f7ab15b40d8cd

SHA1
3ff9e4dd3a638eb93fa7987c2ce3a773869f9240

SHA256
d2eec578dcdaed369ebab54e156f0a741b3b58b9e9b26ed5f19a165219c60e06

SHA512
32401ec05d7b78af0958d3038c5c13d03f5bb3ec6bb6aad25eaf59aedafbf973239e5f49786f9abbf71edbf1f3f2fe539cf161a84a6bd3ec0cc66c84b3b120df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e16cc73a692e59c8a95372379a88212b

SHA1
9e6ad428c25220a6893c145c5ae7d6b12d5b91e6

SHA256
45001b512c5073aff4ca2e89637162aa0feb88053721beccb01d4afdf9bcc25c

SHA512
b658adc016fbca9d499fba18ea1e5f93e3ee1c9ac94a2510c32b9d13a49e9d298483296d16a6d15bb1396a6a16700123f475e7e3aa2a02800284604c8aaa3697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
afd0b4457219ff12ad44c3648783094c

SHA1
0a427a92881d7c764dc60dd43bbd426990648360

SHA256
e9ef4b9cb00a6ddbd59fc7d73d37ccea232055d5017fb870afd949cc2edf63b7

SHA512
14414d6a4c7d3ff4e25e296d0040d2facc047d0dc5d25c6ff8cbe3cac10a46e1f42727495645f3a752ef604ac06a93f10dd6d59d46af3037498400b8daca552e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
964c256938a231cdb04cf44857207272

SHA1
d80b1ee24200c81f5ee65b2b530f4e2e4ff508b4

SHA256
b16ebbdfa34cc97132a40506b6a645374c637b9d297d17061888cdc6888e8e7f

SHA512
e62321f98cece98c24cb2f5510ae14c60a16dc54e677a9bcaddd798db589a5d58adf5254a4723416b4f616bb4cfbfe863cabe6e5eeccf61dd87f8415b9a8cbd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
595328b074313a25e1c49d9f6f6e2cbf

SHA1
78e9e88957211b81cc3725b114b602c3d9aeb553

SHA256
51a5d2937a319afa82458145b680b88ddd99bbf98bec12f3ce38d4297c6f0dff

SHA512
b86c7a3fae9bc020b447ae240aa37c1c21c2959f7e9ccc4efd38473e974e1eea427847f8c46c240dd3c62b6c50e7f6beb2057a3f3c69f53a658ccb5cf718687a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6e19f3b3559f1f6d33f7c5a393de145b

SHA1
c3a87d6066337c7260f7f25bd102f805d7afb597

SHA256
af3bcb93dd4e9be83d106b14ccc6bef0f3f6fae44eb674754620a5e24e48b24b

SHA512
b2363691247a8d9e725714e4ba70c8afc5db93b9bcff60ccabe92f8ad6c51c46126f64131ede79bac5e7f37347fee9cb99f84896139a00a48934cd1557117756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d67dea8897f4a0b369dcae4ce0a93437

SHA1
01c386dfa24c4a67300d57a8763ba7e04f63d2ca

SHA256
a0b274834e689196e3bb69ff0f6c9ed8594710041c5e5662630b4e0c27161459

SHA512
380b6cb1b449e2c1fb93226235f77b5f72cd68abe6137d09c858dcbca5a559487084cb9c937933576fd0432e5d1c6c2cfb97fcc9e2252c633ca76c9e9a7ef3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5d8f8b9f4dff1b898142d62c66ed5414

SHA1
f6e368d2e93bf4e616c97a4d561bb9e928a15d1a

SHA256
112786149a427142948cdeb6d43b3217bc31704a83b6c9616d86a478c4c0d4f7

SHA512
fd08e437961d0c811ba35bc242ce1e2d1a2505c86d86a2f39680441d09e1afba2c9146e91347f4e90ffbf2152779088c1b8c9e774da5e8044b35e39502bd0110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f6d2874caac717416380bb17e9eb7417

SHA1
c47f2483454b4f172736cf693141d17c8b0d356f

SHA256
f4befa3554ab417a67d91bf8738fe62cda60001540233648f60d8d97e9e0d2e4

SHA512
9bee8f372c96ef6df7ae2c2acd24d56f0ab29457e7187bb8801a87f0ec456adb98e0b8610c15a834324f702c9850c7d7231bc75e362e594c08223ae1ea832254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c3beea154878bdc0ea65fbbb983f6121

SHA1
b40b87848dadf09e7d97432c24b5f1eae8af1410

SHA256
7f5b259dcb39ccb4f7b81ce7757eeeecab719345792f97225ca4a200bc9dffac

SHA512
a320c888c864a330618b67719599e038c388cb60ec01a7348caf6c0b475d6fd9c7008c2f2bc84be687ba92bb0059c163296a7c1b6d3c0d0ad2551b19c930da20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ecaa45ea3f6a94156ff86a6c6ea9446d

SHA1
b91a43d89efa590202e3254aaf7dd7d29c2a784b

SHA256
073d8892c7465dbd509399d34fcb109f0df05be74895c96d6a15462b384dec49

SHA512
6205a570413aee3e389e62cb6cab0080b4a72ccbf96a27e87b9e0e1807ca925ac7ff3bba96d41f322003283286d8aac22ae4865272838d403c7e2b5ad371236b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8afc9578f569a4e18c5ec4ee660ecfc4

SHA1
f104bcad9da55b05dab17cdaa3b83807e0fe9989

SHA256
6528dbdb78377fd2807b067fd18b5f36871540e61fc22b3535857683a47b8c34

SHA512
ed944b2105b4ff3d51b1f54247e4dffbe3a1d61907fc023b99aeb32138f1aba0925cfbede67e48ab36017994f39cf775d311de65e96631d2df8c749c9c5a484e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5bf5b7.TMP

Filesize
1KB

MD5
324024e9ccfc48b04679072aa7abc919

SHA1
5c483f702fbc1aadecd53fa57bed4af40e2429fc

SHA256
5556f77244f39590c5470fe6c6adceaefff5b45cc182cf24ebd5d8e3bf1e7df8

SHA512
fd4a721ee8071963bf8f23d8bcf098190e1e09991572ccc831f5032e55425e1228dbcb79c81b4ff0c073099fa561727a7bd8f33c79d7877e82af650282f4a761

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
05c2bcea9c08bba51c0a3e801cc7085c

SHA1
f42836ca98b2891bab7a64fb754a0ad242435bdc

SHA256
c160a6208c89727ff491f013cdc88b8de0635917ca63f89f1de2d6c94758bbb8

SHA512
3c643324f675de4686982bc9f2c9542043aeefa6bcd349e01bdeb1e67464f5a2833b7fb913c2992b86c730ca991f3c14f6a7bdebb307362d06c06a1cd564a623

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
53161e692564549925e28e437e3989c5

SHA1
44d5142b224803e5d2d1d41ac909e876cefe852b

SHA256
3e54ecb7aee4f1bc682d5b0252c45eb89e8439c92357df4f03049b81f79ba827

SHA512
5e02edc9b6ecc2c133d67b165f5792000fa8da3de2b2f6bf6630086ee9973cca973cefd9d72c123d2bdf8e5b22d4631fed61da1f9e4e59ac7e26a9a790ea79bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8e26721c27850ae82ac6bdcd3001751a

SHA1
a5ebeae79b1c880e880a13440012a25cdd7c2171

SHA256
a9e7f767430d569d0c6d34ee28742d857db4452c63268e8b0a6f5eb2a1af168c

SHA512
3d05a3461e4a72c121002310950bcbb478a87157d9832031154c09beda3bfaadb4c974cb4227b9835599722a281402bcc00ac9c5cb04bc8fc3bd62f87c048a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
91dcd3dfd4415858217a8b3b616da4c1

SHA1
68966a558580d56332b7f680ccfcf5da2834021a

SHA256
2b9185f775db94c955904b3ba1337aeda6c4b8f8028ad343ce24e28aede34493

SHA512
bc547b9aeab9a4aa0a96839cb581053241a6889f7797a68657cb58c6219604bedce3c1d87cdd4a517b033ed1a22985946ce1e2da0598f1a8c0c0af553383f0e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf

Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe

Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\text.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\Downloads\ChilledWindows.zip

Filesize
4.2MB

MD5
5806c691583167135665b6aac348d3b8

SHA1
34d14feafac0946097fbbc03e3be2b235392587d

SHA256
00cf66b0bab94b1ae74d534160a801315df8a7efea764cda906af49f99be54e9

SHA512
dbcda2362ba5aaba904087a512e3423e2356f0e824e4bd4de99f277316afb32e03d6f8ea109d4d046ba9f14fc32f21a5d80cceb982fbce529c6f15abd7c6fa7c

Download Submit
C:\Users\Admin\Downloads\CookieClickerHack.zip

Filesize
20KB

MD5
a7bcca47b5413eb92250a45f86d1ab75

SHA1
915ad4c18ae188da9ab338ced6862c4efb670091

SHA256
b7f82523253c3a1f18de5c649a96132820d89274cdf7a8c5cd3f47a79e76ed39

SHA512
4a666fe25bbaf41ff217a07bdd19fd9e2f57dba228511d9ae92d3ee75adaeb952fd91d4d4472e0c73babfb86806d54ddbe3d603ae124545b89ebdf570db19d87

Download Submit
C:\Users\Admin\Downloads\CrazyNCS.zip

Filesize
114KB

MD5
7d8bc2a98305a035400b785fb6d58ce9

SHA1
5ccf2ac2bc11bafe3c687ec7ce984a7bbfff8038

SHA256
1fb2e772832631861fdad6fc83202b652c2057e70876156dd02b2969cfd5f3ba

SHA512
5deae715434466c5b8a4dda4b53fc4689782fd9192a4146f0f692b0bc8c66a6294bf23a219682bc4b4e35e5d08c1f86c70b837e788062dd51cc492dc69f354a6

Download Submit
C:\Users\Admin\Downloads\Popup.zip

Filesize
364KB

MD5
fceafeb5366fde06752d7249463fbdef

SHA1
4a4663496aa3a84ed23df76cd1ad6b6582c7130c

SHA256
dbe313c710acfb75149045d93887aaae8b62cf8932951baa82b2a995fcf6fefa

SHA512
de03e23d7594730b42897c0afaacaddaa181334efad4a35fb7df21fa0d25e834b391b20ab4e612a4a17a1b0c54a1e33d9be3d1efed4170a86de81eb67ff98f93

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 269233.crdownload

Filesize
111KB

MD5
e8ed8aaf35e6059ba28504c19ff50bab

SHA1
01412235baf64c5b928252639369eea4e2ba5192

SHA256
2d2a22db20a44474afbd7b0e6488690bad584dcae9789a5db776cc1a00b98728

SHA512
d007c96b2fad26763d27be8447ca65e0ab890deb6388b90cf83c0b3431e09b225f7424098927b54f15fe34eae953b61b45371b0df4b2d89c60be9c006ffe9034

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 301310.crdownload

Filesize
6.7MB

MD5
f2b7074e1543720a9a98fda660e02688

SHA1
1029492c1a12789d8af78d54adcb921e24b9e5ca

SHA256
4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

SHA512
73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

Download Submit
\??\pipe\LOCAL\crashpad_5108_WBJQEXDBMGNGPOSK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1884-833-0x000000000BD70000-0x000000000BD7E000-memory.dmp

Filesize
56KB

Download
memory/1884-837-0x000000000BF00000-0x000000000BF10000-memory.dmp

Filesize
64KB

Download
memory/1884-839-0x000000000BF00000-0x000000000BF10000-memory.dmp

Filesize
64KB

Download
memory/1884-836-0x000000000BF00000-0x000000000BF10000-memory.dmp

Filesize
64KB

Download
memory/1884-843-0x000000000BEC0000-0x000000000BED0000-memory.dmp

Filesize
64KB

Download
memory/1884-844-0x000000000BEC0000-0x000000000BED0000-memory.dmp

Filesize
64KB

Download
memory/1884-846-0x000000000BF00000-0x000000000BF10000-memory.dmp

Filesize
64KB

Download
memory/1884-845-0x000000000BF00000-0x000000000BF10000-memory.dmp

Filesize
64KB

Download
memory/1884-847-0x000000000BEC0000-0x000000000BED0000-memory.dmp

Filesize
64KB

Download
memory/1884-838-0x000000000BF00000-0x000000000BF10000-memory.dmp

Filesize
64KB

Download
memory/1884-805-0x00000000063F0000-0x0000000006994000-memory.dmp

Filesize
5.6MB

Download
memory/1884-832-0x000000000BDA0000-0x000000000BDD8000-memory.dmp

Filesize
224KB

Download
memory/1884-804-0x0000000000CE0000-0x000000000138E000-memory.dmp

Filesize
6.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads