xmrig | hxxps://gofile[.]io/d/FI8E7i

Analysis

max time kernel
390s
max time network
365s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27/12/2024, 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/FI8E7i

Score

10^/10

xmrig discovery miner

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/4312-215-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/4312-218-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/4312-220-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/4312-221-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/4312-224-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/4312-222-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/4312-223-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/4312-240-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
3644	CRYPTED.exe
4944	CRYPTED.exe
5548	aaa.exe
2012	aaa (2).exe
1940	aaa (2).exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\POFE9BJB	njCryper.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 6060 set thread context of 4312	6060	conhost.exe	154

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CRYPTED.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CRYPTED.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	njCryper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	njCryper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e80922b16d365937a46956b92703aca08af0000	njCryper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	njCryper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	njCryper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5a003100000000009b5992a0100053797374656d33320000420009000400efbe874f77489b5992a02e000000b90c0000000001000000000000000000000000000000d49a7200530079007300740065006d0033003200000018000000	njCryper.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	njCryper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	njCryper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	njCryper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	njCryper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	njCryper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	njCryper.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	njCryper.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	njCryper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	njCryper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	njCryper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	njCryper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	njCryper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	njCryper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Documents"	njCryper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	njCryper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	njCryper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	njCryper.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	njCryper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	njCryper.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	njCryper.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	njCryper.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	njCryper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	njCryper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	njCryper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	njCryper.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	njCryper.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	njCryper.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	njCryper.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	njCryper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	njCryper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	njCryper.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	njCryper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	njCryper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	njCryper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	njCryper.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	njCryper.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	njCryper.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	njCryper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	njCryper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	njCryper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	njCryper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	njCryper.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	njCryper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	njCryper.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	njCryper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	njCryper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	njCryper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	njCryper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "3"	njCryper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	njCryper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	njCryper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	njCryper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	njCryper.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	njCryper.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	njCryper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	njCryper.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 000000000200000001000000ffffffff	njCryper.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	njCryper.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 372610.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 639454.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 427933.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1968	msedge.exe
1968	msedge.exe
4680	msedge.exe
4680	msedge.exe
3836	identity_helper.exe
3836	identity_helper.exe
5000	msedge.exe
5000	msedge.exe
5596	msedge.exe
5596	msedge.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1720	njCryper.exe
2856	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs

pid	Process
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	4420	dw20.exe
Token: SeBackupPrivilege	4420	dw20.exe
Token: SeBackupPrivilege	4420	dw20.exe
Token: SeBackupPrivilege	4420	dw20.exe
Token: SeBackupPrivilege	5528	dw20.exe
Token: SeBackupPrivilege	5528	dw20.exe
Token: SeDebugPrivilege	2856	taskmgr.exe
Token: SeSystemProfilePrivilege	2856	taskmgr.exe
Token: SeCreateGlobalPrivilege	2856	taskmgr.exe
Token: SeDebugPrivilege	6060	conhost.exe
Token: SeLockMemoryPrivilege	4312	explorer.exe
Token: SeLockMemoryPrivilege	4312	explorer.exe
Token: SeDebugPrivilege	632	conhost.exe
Token: SeDebugPrivilege	3064	conhost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
4680	msedge.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe
2856	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1720	njCryper.exe
1720	njCryper.exe
1720	njCryper.exe
1720	njCryper.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 2988	4680	msedge.exe	83
PID 4680 wrote to memory of 2988	4680	msedge.exe	83
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 3460	4680	msedge.exe	84
PID 4680 wrote to memory of 1968	4680	msedge.exe	85
PID 4680 wrote to memory of 1968	4680	msedge.exe	85
PID 4680 wrote to memory of 1356	4680	msedge.exe	86
PID 4680 wrote to memory of 1356	4680	msedge.exe	86
PID 4680 wrote to memory of 1356	4680	msedge.exe	86
PID 4680 wrote to memory of 1356	4680	msedge.exe	86
PID 4680 wrote to memory of 1356	4680	msedge.exe	86
PID 4680 wrote to memory of 1356	4680	msedge.exe	86
PID 4680 wrote to memory of 1356	4680	msedge.exe	86
PID 4680 wrote to memory of 1356	4680	msedge.exe	86
PID 4680 wrote to memory of 1356	4680	msedge.exe	86
PID 4680 wrote to memory of 1356	4680	msedge.exe	86
PID 4680 wrote to memory of 1356	4680	msedge.exe	86
PID 4680 wrote to memory of 1356	4680	msedge.exe	86
PID 4680 wrote to memory of 1356	4680	msedge.exe	86
PID 4680 wrote to memory of 1356	4680	msedge.exe	86
PID 4680 wrote to memory of 1356	4680	msedge.exe	86
PID 4680 wrote to memory of 1356	4680	msedge.exe	86
PID 4680 wrote to memory of 1356	4680	msedge.exe	86
PID 4680 wrote to memory of 1356	4680	msedge.exe	86
PID 4680 wrote to memory of 1356	4680	msedge.exe	86
PID 4680 wrote to memory of 1356	4680	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/FI8E7i
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1b3f46f8,0x7ffd1b3f4708,0x7ffd1b3f4718
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3476 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2648 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:3868
- C:\Users\Admin\Downloads\aaa (2).exe
  "C:\Users\Admin\Downloads\aaa (2).exe"
  2⤵
  - Executes dropped EXE
  PID:2012
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\Downloads\aaa (2).exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:6080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,3961817291387356522,11583973915949385857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:5496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\Temp1_njCrypter.zip\njCryper.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_njCrypter.zip\njCryper.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1720
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hmg6lwft.cmdline"
  2⤵
  PID:5980
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE115.tmp" "c:\Users\Admin\Downloads\CSCE0E5.tmp"
    3⤵
    PID:6060

C:\Users\Admin\Downloads\CRYPTED.exe
"C:\Users\Admin\Downloads\CRYPTED.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3644
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 872
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:4420

C:\Users\Admin\Downloads\CRYPTED.exe
"C:\Users\Admin\Downloads\CRYPTED.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4944
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 844
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:5528

C:\Users\Admin\Downloads\aaa.exe
"C:\Users\Admin\Downloads\aaa.exe"
1⤵
- Executes dropped EXE
PID:5548
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\Downloads\aaa.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:6060
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr.kryptex.network:7777 --user=4BA6joh9kMH4cyAv5RYz6YTTSVaPojucBjA41GA6TTXJ7x9csKDVxdyE3WAJGann6f2TqjUMcHi1EBNXAfKukkR28yiHzPR.sam --pass= --cpu-max-threads-hint=20
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4312

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:2856

C:\Users\Admin\Downloads\aaa (2).exe
"C:\Users\Admin\Downloads\aaa (2).exe"
1⤵
- Executes dropped EXE
PID:1940
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\Downloads\aaa (2).exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultf73dcf0chc223h43f9h83a7h740238b68055
1⤵
PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd1b3f46f8,0x7ffd1b3f4708,0x7ffd1b3f4718
  2⤵
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,9241338756326984602,5471822766235887979,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,9241338756326984602,5471822766235887979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  PID:1300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault19709ba5h3069h4448h82a6h6d2b8ef79855
1⤵
PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd1b3f46f8,0x7ffd1b3f4708,0x7ffd1b3f4718
  2⤵
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,14988349116575795945,3758084968915634586,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,14988349116575795945,3758084968915634586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  PID:5676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

Filesize
1KB

MD5
7f1279328f01efa17495a99c422529e4

SHA1
180b8ff16bf263d2c54c8b1e2465026e5e5fce8a

SHA256
db7d69392e848177ee2dc5875b25d96626af59b23a07e95c808e8505917e9491

SHA512
f39d56a6ea3dab5ca57a0a3013f1b66081f18b4deeeb8ee7b065d9d172f08e506a6a37b90e363e6f3507d093f117e9b0c0b960c0ced843ddcf0d33c76374307a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
812beaa301f02357f91600da0d20ae15

SHA1
3e7705b88a3cea2903f2f03da3c155cd44676d22

SHA256
829e0fc21515ca1e6d53bbe32e1ebe1954ee4a32a6e6ec2230843c731d64e141

SHA512
04167b553521054dc1341ca6ef4b1cadee2b88fb7344ad729f79e0e26e30c558ffef39f84d7c97b3e5556b42788af19c1bbab5c9492e6a32c9b9968ea751b80e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b706e5e41e1a34467b236b1a5e31598

SHA1
0dbc51f2b35cc02c571f4e557e0b58ba3fbde7fc

SHA256
4c61a39ae135f935d91aa659db24b893bd50476a70553ab614f14116c2f015a4

SHA512
a59099a823fd938f733b62a7e0cc20834fbb93399949da91a87f1d1c52c781dad652ca34e0d43f5e6a9a8ba073c4ac2347e5016717a6d4db5ae557385d8e2762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
2a0b148b1f50d8d92ae86eb5e50414a8

SHA1
4ad5dcecf71890db8b8bc30192946e8fdf051d3c

SHA256
ecd9b2c6dab5d48c78b74645d7ed43c26ec9ea94095e0983b9ee806951fec7ee

SHA512
ee01a0a1f79607e5cc38289e4d9744c736d85d73e9a39d2e4a4c0b0ac17b9f53724683442ffba80e24f4a9b368775055ac40e3a74c58f4ebb12ad4c2b8a06a5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
473B

MD5
1fd57476ef0c42554eb16332bedcb102

SHA1
e02f2e634b235a040a1fb1711e8bf5bac8ddfc88

SHA256
3b2850f7b10d596f8d23001daf9ec9746a2649ed1812ace65e6794b0949b33a1

SHA512
cedd7f9e82b2529cb62dcf067efa1e3e1888e4002fc4a932ec746e5957c1fabd1adecd69dd3fa4f2b29ab7cd89c45e23db0907dd3dbf1271584220862af7b7b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
97d933fe182c55e6ca639a36dfe276e0

SHA1
cfaea38950968b183313dada77bbe5fcc2427245

SHA256
ea2422238eb87a2890cf7ec3e81e31b90eb68210742bd80398763e3032bc3542

SHA512
66a06e6debb1b8e20ca4bc2568f2ed6b273773958e107853b75aa92e87c0cbb06f82f59a97d6e416eabc71e7c5fbbdbec83c333d5beb48412b63615c49e1741c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b0fa1220eb3ee86c1c5f62b2a3cec58b

SHA1
9b0ff5e62ae3d97dd1d3a5bad42dd918d9c2f1be

SHA256
64a1e084abc156b634a30cd724a49dfc9170510b299a2b1052634a635df4c57a

SHA512
5bc49cf56ec2589b0841cb338abf3a389952abd6182388022bc635342a1b0fc010aec57c3ec9d3fcdf6f9555462efbf50b2b4e9e7afab4fc89288b86be1affd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
304289450e8b338d632444ad9723f0b6

SHA1
7b47cea48b2ab12934c1ebad6e1fd2fe6c5ef6d2

SHA256
5b1a4da63805693666b16868a7f33e5716f629039423cd6bc08220d189d93019

SHA512
ba845a7fd3c1467480ef45667b10a55d5dfef449386e733f0accd22ea367d09281e29baf6599d9a42ba09eeca48f02a7217fde457e9296e066535ae1595f1e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b86409e3fb50d291c0a1a52e8d9e8346

SHA1
d65f05d272aed2cdaee68bf08dd01035619c29c8

SHA256
403f996cd0c356aad57cf767365b681ea3d566a59a3e22e51cd71fe993d3f79d

SHA512
7163455abae8348a5ff1a94c86c27e16a70f4bcebbac27b352a714d580cc4fd7fb361d304cd3960231fd359943940d42207db7608b328496996331c5fd9adcd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c97ba6e4925842d66554985eb4f8be06

SHA1
5ff3305829d96716294b47fa58af84cc51b70fd2

SHA256
fe1b44077404141812b7c04b8852b5dae60a9c86487b69d9f5fbdfd31bc44bc0

SHA512
0efd78502fd97bab2a22da9cad03296bd6374c91c103e174447b968e4bf42846d1f3d065b0a6c2eaa67e32b79ee1dd6db9b79d2c0105ea67fbc8cbd2f0bb3c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
71a3cf4c174752a8b6156323f361d28d

SHA1
05ae245af757384786e3b171172adf7fdc128c82

SHA256
3bae839a35fc6ee48dfd6917ccf6e2582536ffecde5e9050a4a81afaea2f5565

SHA512
aea3abbb32b304cb68bd064de90ff71f4c343828ed827de8335f47fd8730f4d4dce743c7793292ad9c3ed18d1a88a30c7f274809c058aa2980f47f1d1f16a66f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f45769eb3b1c365fa15746f25ba696e3

SHA1
91964070adbd6f3f464be2a15c9b819f7cb7c67f

SHA256
da1753ea735d79ca8ab7615ce20d050749b0289f7bef9228cd44d29927e7a9e4

SHA512
3e75fd0ae7037b6fa104a52b5fef8d8c5f97042600caaceed8698224a5903cbe62600a615305c2bfca947c34184e804dcff45b181d4381f569fa4e04eeddd233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
244e8e52717c0ed911ffebf59ec59432

SHA1
afbc24f86fc7726258fa759006154c2b0340949d

SHA256
2d86bc4df51388d570adf65affd275c2bcd73b6536f6f6b248cf09939e9047fc

SHA512
3a73a5342a0bcc8da03aa77c6c25712d5a6cc9b26f86b4ef694d4c55852d4748ad1b9187138c7990b054edd687888f24a3bac1c6445bcaa27fa3fd77a918b115

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e194909a52a03a6f42efd5f8f6792a2e

SHA1
11ab52cb24e7aa15aeede16d8d20298828b4f480

SHA256
602f61610fe5c940845675a8445d07ac69cfebd57722660402edeb9f486501b4

SHA512
9c52b5f200b701f2c42971fd649eab094261f299e8524c0812bd7a96dd0cbbf4d45d188f20fc0731b0170c961f3634057950c672e21def421c5491ebe4ad4c3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE115.tmp

Filesize
1KB

MD5
08f3271098a557bda322a6ed49ed76cd

SHA1
47aa32dd06bd2c803b4ddc8f503a01ee5833d466

SHA256
4c83b5d9e5dd8057f018e6d075aec441441999c335f4fd7a852ee0f36e9f22be

SHA512
127dd76f4d7407cd2aa5e16d2ec97ac4828c479bc85e321c61aef684d11b43c26b3cc42591e673b1ef2cb866ed182cb04c8e089d9adee89b4ae2014175569f85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\Downloads\CRYPTED.exe

Filesize
29.7MB

MD5
ceca9866fbea3d2d7a93316c28425fa7

SHA1
f30c61087b3a8ed9ce6114faa6923f9b39892785

SHA256
426b6209f0d56935a1556408f70bb689c01a81c0f44c0794c68dd955cf4b4abd

SHA512
498e40b8aa822953af0c3d8197ba1a41d8a59efb2966e5ada7b75d143a968811d4ca2ff112b9e944f2a319c848f8f83fce89a1c92932efdb78b87f93614c3149

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 639454.crdownload

Filesize
29.7MB

MD5
91a9e2ebea5b5d38c173172eac6eb156

SHA1
8fd2b9ec8de5ce5469fa0912d4ceda4e7f493009

SHA256
fb7b2585d0538a038d4078089105f73224419a4d92a8da4d00cde640e90ebac6

SHA512
3d8aeab561cff1e97e6d2cf1050f8fe8f5db0a9caf92d94a0143dd4deeba03e216c1dab530d5dedcc321974c5438792c752919297ade02a879bb2194f3f4494f

Download Submit
C:\Users\Admin\Downloads\njCrypter.zip

Filesize
6KB

MD5
3faacbeb5b8642ca6e9bd9fa47a305f2

SHA1
531f20219b08209ba5c3fc6fafcfe5d12b36e7bf

SHA256
1156e61f47fdfb3901fb99683e278b2f8943e71656bace38d53c83d3b1ba30a7

SHA512
eb37f75e776f9d00aca742530c20fb922cf462fa799161b0d0434019221408e15b4ac88a2b2cc2b9e9780e50e0c0b062f7763444fc8b5411f2a03f0d506a3565

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hmg6lwft.0.cs

Filesize
1KB

MD5
3019b93c6ec35164174c1d0cbffd8b56

SHA1
b47e16920bccd45b30a6d0f08f4995ec709768ca

SHA256
a7920ea948879b24c15f4147961b3f6138f66cbfe730744a5c38e84e932c9469

SHA512
eae4126d3b5744fa44928ffb94aa66916e50fb8decf720b7b58b1aea3b0a8c247d2d39b7f423f1a20a02417774694de710b91b85f47e3b8dd1f3b36aa7b74470

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hmg6lwft.cmdline

Filesize
277B

MD5
26e52dfc497a9aa28ccf6e8ac1753a78

SHA1
b3904ba48aaf4eb48d4e441b0dd3c44f13e8b2a7

SHA256
ebd0158c2ef563a321f679cdb3f4145c884d88e203fd2fd39a75c75fae7ef418

SHA512
b8dbdb68bf104ae29f6800773b7eee9438391826fbca6aa135df8a8d15c5902a69047330c49b184fc01bd6eb0c8bee7e0d0f0b0ac815f9bdb4e145092f275eb3

Download Submit
\??\c:\Users\Admin\Downloads\CSCE0E5.tmp

Filesize
644B

MD5
f95487a389a33ab7767fa935b4f5a4d2

SHA1
21bd9191bd20fef7368f658be69dea9b6ac7cd8e

SHA256
7935b4605b16bb9cd6266fdba5987507227c1f016ac8a7890c4ded2825002040

SHA512
e48a7c5c2542e835553e477d671382481fccf45de03e3b3f8d9e81a0dde9b7abbe0f73df969555f67459b128fc26274481f92a48c63dfb5858e4f345925f2689

Download Submit
\??\c:\Windows\System32\POFE9BJB

Filesize
29.7MB

MD5
343fc0a0e929c8ebe7169f8069dde43e

SHA1
9309a472ca240f501dfab55808f0c9e53906d358

SHA256
1e957776c8cce6956164fffdaa16770358b5e162155c28fe5bdba464bb36fa63

SHA512
7a9c7cc99b3c8ec9f17a2220368c705444a9b783f60811e3084f73bb7728b32a4a7e306762b9916bf4188da0a410409c728235915226e15441a7700c46737592

Download Submit
memory/1720-104-0x00000000015F0000-0x00000000015F8000-memory.dmp

Filesize
32KB

Download
memory/1720-94-0x000000001BBE0000-0x000000001BC7C000-memory.dmp

Filesize
624KB

Download
memory/1720-93-0x000000001C190000-0x000000001C65E000-memory.dmp

Filesize
4.8MB

Download
memory/2856-207-0x00000252639D0000-0x00000252639D1000-memory.dmp

Filesize
4KB

Download
memory/2856-204-0x00000252639D0000-0x00000252639D1000-memory.dmp

Filesize
4KB

Download
memory/2856-197-0x00000252639D0000-0x00000252639D1000-memory.dmp

Filesize
4KB

Download
memory/2856-198-0x00000252639D0000-0x00000252639D1000-memory.dmp

Filesize
4KB

Download
memory/2856-199-0x00000252639D0000-0x00000252639D1000-memory.dmp

Filesize
4KB

Download
memory/2856-203-0x00000252639D0000-0x00000252639D1000-memory.dmp

Filesize
4KB

Download
memory/2856-209-0x00000252639D0000-0x00000252639D1000-memory.dmp

Filesize
4KB

Download
memory/2856-208-0x00000252639D0000-0x00000252639D1000-memory.dmp

Filesize
4KB

Download
memory/2856-206-0x00000252639D0000-0x00000252639D1000-memory.dmp

Filesize
4KB

Download
memory/2856-205-0x00000252639D0000-0x00000252639D1000-memory.dmp

Filesize
4KB

Download
memory/4312-219-0x0000000000870000-0x0000000000890000-memory.dmp

Filesize
128KB

Download
memory/4312-222-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4312-223-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4312-240-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4312-224-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4312-221-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4312-220-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4312-218-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/4312-215-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/6060-210-0x000002507B810000-0x000002507D5C6000-memory.dmp

Filesize
29.7MB

Download
memory/6060-213-0x000002507FA60000-0x000002507FA6A000-memory.dmp

Filesize
40KB

Download
memory/6060-212-0x000002507FA70000-0x000002507FA82000-memory.dmp

Filesize
72KB

Download
memory/6060-211-0x000002501B820000-0x000002501D5D6000-memory.dmp

Filesize
29.7MB

Download