hxxp://discord[.]gg

Analysis

max time kernel
469s
max time network
474s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2025 21:39

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://discord.gg

Score

9^/10

paypal defense_evasion discovery evasion phishing ransomware

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Indicator Removal: Network Share Connection Removal 1 TTPs 1 IoCs

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

defense_evasion

Network Share Connection Removal

T1070.005

pid	Process
940	cmd.exe

A potential corporate email address has been identified in the URL: 6633dd5dcff475e6fb744426_&@2x.png
phishing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Lose2himatoV2.exe

Executes dropped EXE 1 IoCs

pid	Process
3716	Lose2himatoV2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
110	discord.com
18	discord.com
19	discord.com

Detected potential entity reuse from brand PAYPAL.
phishing paypal

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MySingleFileApp\\wallpaper.bmp"	Lose2himatoV2.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lose2himatoV2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "5"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{D0B61465-85ED-4201-9F83-A8AA04126537}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	explorer.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 213531.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
776	msedge.exe
776	msedge.exe
3592	msedge.exe
3592	msedge.exe
4916	identity_helper.exe
4916	identity_helper.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
116	msedge.exe
116	msedge.exe
1136	msedge.exe
1136	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	520	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	520	AUDIODG.EXE
Token: 33	3924	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3924	AUDIODG.EXE
Token: SeShutdownPrivilege	2040	shutdown.exe
Token: SeRemoteShutdownPrivilege	2040	shutdown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4352	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 1908	776	msedge.exe	82
PID 776 wrote to memory of 1908	776	msedge.exe	82
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3388	776	msedge.exe	83
PID 776 wrote to memory of 3592	776	msedge.exe	84
PID 776 wrote to memory of 3592	776	msedge.exe	84
PID 776 wrote to memory of 1796	776	msedge.exe	85
PID 776 wrote to memory of 1796	776	msedge.exe	85
PID 776 wrote to memory of 1796	776	msedge.exe	85
PID 776 wrote to memory of 1796	776	msedge.exe	85
PID 776 wrote to memory of 1796	776	msedge.exe	85
PID 776 wrote to memory of 1796	776	msedge.exe	85
PID 776 wrote to memory of 1796	776	msedge.exe	85
PID 776 wrote to memory of 1796	776	msedge.exe	85
PID 776 wrote to memory of 1796	776	msedge.exe	85
PID 776 wrote to memory of 1796	776	msedge.exe	85
PID 776 wrote to memory of 1796	776	msedge.exe	85
PID 776 wrote to memory of 1796	776	msedge.exe	85
PID 776 wrote to memory of 1796	776	msedge.exe	85
PID 776 wrote to memory of 1796	776	msedge.exe	85
PID 776 wrote to memory of 1796	776	msedge.exe	85
PID 776 wrote to memory of 1796	776	msedge.exe	85
PID 776 wrote to memory of 1796	776	msedge.exe	85
PID 776 wrote to memory of 1796	776	msedge.exe	85
PID 776 wrote to memory of 1796	776	msedge.exe	85
PID 776 wrote to memory of 1796	776	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://discord.gg
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe008a46f8,0x7ffe008a4708,0x7ffe008a4718
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2864 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2004 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2400 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2388 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3696 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1716 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2856 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6796 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3552 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1136
- C:\Users\Admin\Downloads\Lose2himatoV2.exe
  "C:\Users\Admin\Downloads\Lose2himatoV2.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:3716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net user Lose2himato /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:984
  - - C:\Windows\SysWOW64\net.exe
      net user Lose2himato /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:2588
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Lose2himato /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net user Lose2himato dumbass
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2932
  - - C:\Windows\SysWOW64\net.exe
      net user Lose2himato dumbass
      4⤵
      System Location Discovery: System Language Discovery
      PID:3128
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Lose2himato dumbass
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net localgroup Administrators "Lose2himato" /add
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3612
  - - C:\Windows\SysWOW64\net.exe
      net localgroup Administrators "Lose2himato" /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:1756
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "Lose2himato" /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c net localgroup Administrators "%USERNAME%" /delete
    3⤵
    - Indicator Removal: Network Share Connection Removal
    - System Location Discovery: System Language Discovery
    PID:940
  - - C:\Windows\SysWOW64\net.exe
      net localgroup Administrators "Admin" /delete
      4⤵
      System Location Discovery: System Language Discovery
      PID:2472
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators "Admin" /delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:928
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3504
- - C:\Windows\SysWOW64\explorer.exe
    "explorer.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2532
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:472
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4496
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:180
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1640
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4040
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start https://x.com/Lose2hxm4to
    3⤵
    - System Location Discovery: System Language Discovery
    PID:416
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://x.com/Lose2hxm4to
      4⤵
      PID:5008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe008a46f8,0x7ffe008a4708,0x7ffe008a4718
        5⤵
        
        PID:4580
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start https://discord.gg/UkEYppsAck
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3380
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/UkEYppsAck
      4⤵
      PID:2276
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe008a46f8,0x7ffe008a4708,0x7ffe008a4718
        5⤵
        
        PID:4224
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start https://www.paypal.com/paypalme/himato666
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/paypalme/himato666
      4⤵
      PID:4680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x104,0x128,0x7ffe008a46f8,0x7ffe008a4708,0x7ffe008a4718
        5⤵
        
        PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c shutdown /r
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3464
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /r
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6976 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7236 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2404 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7608 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3174425445341075273,6943703167732483909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7396 /prefetch:1
  2⤵
  PID:400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1756

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3977855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

Indicator Removal

T1070

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
984B

MD5
63ecb557ad1aba1d456f15980fe1ebe7

SHA1
3bd2313f49af21ca8429d45d49b988eace8aefac

SHA256
9e7670a1746760f8ad6258470b28e5957c888f56c1110875c370cbe8a457eba4

SHA512
a53a552fe6e11818ff3fd838eb6b33539407c4f4eac806ef9f263dc996531bb3de1e5a7d5da12b5e372fedaa835921abdf492d4d12a93c3dab274b748401cb54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
51fa3fd06b708b14e242eda8ec7b89e8

SHA1
411dd9c7819006aca17d1117eb4739db425f8c2b

SHA256
4bea43b886b0f1d292a7be0561203f85b77b0e18c46a7e10b8e9e1194404df4d

SHA512
9d849a07bebb22cd4a23cde16d34645ae0199f54944838e0bf0c6b870a211dbad58f54c93e0db79f40d49b4da3c75e1071427af73f2bde2c83c15ec395adc5fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
6d852904e1d1d8bae66d6ccda063b470

SHA1
02024400de13e98ea6efc5ae098f97e7b72a0d88

SHA256
2379843a2528b4740f9d48456f000d6b0f2c97aa8f36ffa94b72cbde5e8ce932

SHA512
a38d374e3acde07369b40682de6f37e1aeacb3bade60f49300ed65d0f9a503e6caae6a66fb2e80cd909dd4e59226bda7d663020788dabd53e09169a222c5a5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
767eaa3ff3cd4ec352717b77182ffd1b

SHA1
ba85d62e05e6f8887e0e020ee4850ffb42c3ab34

SHA256
6dfcc6533441b53e95db7c328ad6c3b9877646b7e3d137deeb977ed248bff875

SHA512
ac7109b2c903271484a0cd5b708d578991e1a5ef3e6197e91ee093e6ca7b0df2f6ac5b29a4bf3c54b3c1dcdcb88bc4f47ab4a6dae8392ce106767f3e8299a147

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
21330e2d5edd080cca0dd77d70066275

SHA1
cd68e343defb349083ba791f1fb82c7ad8c3fd12

SHA256
c69496eee320a7d167156b234581526db30420a72b2103ae2ff23fe5b8a84ef5

SHA512
099bd09d7beb8bd6dabf08d8404a493ad87be3e5d130f30736cb6d8eeac7cdf5c15c88fdba712afeae0da636ef7bbde8dc09b4fa0f5feadd8895682d440b7984

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
40ba063ad745a736703f36e7081a04d9

SHA1
566e4a4a97b036b20a55b02c48ad13345ebfad77

SHA256
55db47e5247aa5dd89c4e82b22b6ce17c9c719b9b699803429ddec2917895079

SHA512
7cdb8b50b80d8938a116180bd7edd00337d459a76eec659e52c415e23c500eb5950f2ce85ed753cc5275338974f5baa062f9e96010d93a7db55233545ca6bec3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
a40923e7c1cc7c4fa1501d5b946b2d95

SHA1
28266a49461ac72f14a2561a6b46057f08fa6cdc

SHA256
ee13abf7c0f00d6309a6c5a4009aa66aa054f30e3a6658082e22c49b37e2152b

SHA512
258e339d4cb35a1471293a321e2c419b92c3f7af33dafd63b40c76011e421cc0a1cd2c44d354c9678b8536bf1d63af9409b56d8d30db2ec3b0b3a4bb2e77b372

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
de1ed0bb4eeb13069b6966a7dfec112d

SHA1
4bd8e51ad1284561be43901c18b62012cb9314ff

SHA256
72bb32a26984ff5088c6609f4dd5e2c81c8238d5e780db3f91b42c4392046565

SHA512
a51d4ed3383f43d9fceb0114253c791b9e97e54eab2dab3df3a9239c85004d680a64bc61042b5f2207070a2c195c301d9e12f56a9017cfc6a2bcd5fc0ea55ffe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
4f3517a4dd9f4efd5b8ed566c7be90ad

SHA1
dd3e34080affdf1cf91f5609f6a172f10813b8c4

SHA256
99aa4f183af1bb86b3ee860fb196696ff132147b247ce54ef0202931e2e50b75

SHA512
98cc1e7ca0058136234c4ed7a5984366077b7cc5551319c993e16daa8da16b9998b527a881f6d51966d3d61c01a3a034784db248a834d0f2fbde7099b308949a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
48aa883e000d4034b0f5309777e28072

SHA1
562d0028fc690d7036f22db736f2bb628acfaf2c

SHA256
2ec3a496fda302b2ca7a370b535ae46122154d45a34152889af75315b44d55d6

SHA512
03a28d9ccd3ec99d63049c64b39e5247c4dc390d17a9fc7cd4dcd1ea48e141c4bf560937713b2009853e6b73b21180b1fd8d3a7ae43735269b7cd6f8ed18076b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
95ea0a4e6589124b6f19c82948042cd5

SHA1
22bf7e58d3acec587e06f05f4a4d6ec5dcc34470

SHA256
269f9fe25413de9d8e239b18760bae83ab6285d9b11d06a37d9eef772ecd1b15

SHA512
cf39c926cb8bcfc190ba4cea6987ea10bb9e4b9a9d125f372e5e9d41a2c1f409c8eb5805c56f9f90b08eb162d464ba48d9d204ee81fb088074d7ecdf91d42ee9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c058a50c7d4c84047ea385f00b0b9a31

SHA1
27a51694926d3d83968cc81827ca7eb5706aa1b5

SHA256
93aeb095dd9bbf2199e12fd6201bb0a7852256c6401e2ec8e30e27086dd2dbd6

SHA512
0ee4d1fb7644dc37827de1aba34ff9972dee697367cbcb0052369915063ead7b3a23a440c24d068c9d3bedc1c229ef3a38e197c3816150d1392e2aeff4cf38eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9ac1591142b2d89499c0cf7598c2a5d4

SHA1
16d920cb37aef23372f65d72a39ea762b1689ac8

SHA256
bcadda48b97a1ec74c99c2ee79533bc4df8a27a7c113de9ab9e3f7ae48de7c1d

SHA512
4ff67b82a218d5f626f249c32dbdd89ca9c0104b7730f7ac74daa871538867a012662ee6b07e9b14b5105c9cde1e4d23273a11ac30649b1d96b04932d0cee57c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a05833493293c49644e52ed3c2e2a48e

SHA1
113108e90276ac6bfa9c46fed8362722f8dacad2

SHA256
33ab9b14ef48b5a7ac36576191faf056f1c8c57d501e44434205602f6a59942c

SHA512
d39abe296bef4e549e6cf35bd28ed25e3cf0c80678eeb9381d525a600fe6d095cc13c82bb12deab293086ab61931adf1a5fd880a1c8880314e65a77783ae87d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
555bf8e4c030b77315df9eb25af788bb

SHA1
a6325850ba8e3755cf41078a443a54e65a10fd31

SHA256
4c91a6504a5d51078cfe5a69b51538483b01afb43f1408610f5fddc736b731f4

SHA512
4dafa65f86aa98b9fe7c6f3d2582b130d834a8bc205db3f2ac5116dbe15ab22b12c9fa5c11edba314cdcede88659b33ec298014cbe8f1ae94937ac9449ae0184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ef2314870b613021d7c164fd15cc5c40

SHA1
64ff7f1d474de0d656982463f6e092eccc16d906

SHA256
a74ec1a16d2265ec4d63646e1bfc8e4ee5c3b555956bde6b45a02308f1d1ebe3

SHA512
228c4d255ec9d2be6ef737b4584005204a00d43915896dccb3910a994c7432886815050cbaf30e00c5adc0417c459229bbd4c5e4680494d87b89ce4649a0078b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
09687da2bd8b7f9fbad5d868f64f9ff5

SHA1
6fa6eddf0c22bf05e0121d249adc9c75d35e06a2

SHA256
1213920c5673c4ef82e9b864a5422062ece10b490fa6326bf4e41e028779daa0

SHA512
e970113680c23944508373017fe0d7c65cf83ebbb172fa417c76c18b78f14afaa4b3e01f4d53c5663a6c19ce93a46d8e2bfee53934fd218db400cbf6a91ddc08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
8e3a2889d2508b013fdb3a7784e0714a

SHA1
8e1db5c545bf8acb44a46a3c543e4b3bdc02700c

SHA256
881a0ace6a5b5b6d2a3a5d576a62c6a7dc0ff925edb36229a2cd0dfb477f2307

SHA512
7b067d82cf38fc923d7fe1bf94963b69218f6d134bdbde89318c8405be0ecaf80ea8d1b8cc0a0c98eec366d610eb1f29de9dc324448782ed0ace8e29d8cbb0e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d8b41988be81573af72afd7e0f162f9c

SHA1
7c1ac4f7e70bb49f8bb4fa1fd163c0eb24192180

SHA256
e0ce7f3850b464540af25968de30994f8be382b9b418a09ff2eaabdf0983dc3f

SHA512
1c77cae7466109ed29c6e872bfe0f2d7c2eae01e22782e990bc3ed6bfa865f0d57dd8b4999fb140926adaf41ccfd0696881f7e5ccc35107083c6ca13f2e55e53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
5fc57ab9dcdff22152003028f532afef

SHA1
2fd01e5de3b8749ca8e12cc4e59ef9e4e37a2d75

SHA256
a7d828ee8101345f099b464c965854e97621222335f00ca75bc6619df6031230

SHA512
892a9312e401bd08675a08e3433e9f2297ac575d71db387ef4499e412f40b5d1aea7007bc13be58b8a56ddd4dbe2ae00a1624ae4c63a48199df5733a9a3c8ea5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5cd24b.TMP

Filesize
1KB

MD5
5a21e46bbc0cf04ff8bec1b3b2b3f89b

SHA1
3630d09583c6ef85298ff89cfe73cde8cec0d96b

SHA256
f4472f64f0d37b4066d43ba96c1e16dc75de4a68ae0eca7581ab2fa438aadd7a

SHA512
53d2431e61df3f0f858b87688e8ad5587d6d6be1af4d4aa064a48723e6189f69c478a0aa1bc8554cff7ecb917e1631e8557fde1fbd4b74bb005fe05ec87f0841

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
052d522e53ead0662da0b4db596a569d

SHA1
55baf8a486abfaf291f51dcd2bf01a016844e6bb

SHA256
7acf636c48c6eb81ce4db2a4b63103653cf84894c5b83f421c1eb990d45f8b70

SHA512
e89893bc812b9051d188cab5ba1913708b38fdd0a62a430de900bb1a94610948cd7786f8a41ae71c2becb4670443acf837d0d81d80e06240ff97e8a716892ec5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c873fb5375786c07d9f4a46d86acd80b

SHA1
edaea4c7fd3495919547821034a85e5d6456ccb6

SHA256
eb6df5efdf18d516793bb60ad98831f5db063ff961d643c2bf7a23fb98ad3397

SHA512
edf68ddc1094d618b8554723839e0fce13de2ad289ad271a7933f29886540cfad15c3ffcc28d566b7e17b8b0018bb727be21fdf970852127ed467f386e33ffab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
ce439ad754632c715fd9b1f2435a8c4d

SHA1
ec78275078af60e0a533032567371dc518f82754

SHA256
7149c71089cb10d9cfc58f8dc726893924a5d0480c0275f8a790e88af04a0633

SHA512
a2e3e80417731bf47181e745a35d24e37d41f5f553f3caa0f94c30cb81925d775f504818321d8528ea181ab8957e417d4b6680415809ec267fc939c14cf29b3e

Download Submit
memory/3716-835-0x0000000006C10000-0x0000000006C33000-memory.dmp

Filesize
140KB

Download
memory/3716-843-0x0000000006C70000-0x0000000006C82000-memory.dmp

Filesize
72KB

Download
memory/3716-855-0x0000000006BF0000-0x0000000006BF6000-memory.dmp

Filesize
24KB

Download
memory/3716-870-0x0000000006D30000-0x0000000006D45000-memory.dmp

Filesize
84KB

Download
memory/3716-867-0x0000000006D30000-0x0000000006D45000-memory.dmp

Filesize
84KB

Download
memory/3716-866-0x0000000006CD0000-0x0000000006CEF000-memory.dmp

Filesize
124KB

Download
memory/3716-863-0x0000000006CD0000-0x0000000006CEF000-memory.dmp

Filesize
124KB

Download
memory/3716-862-0x0000000006CF0000-0x0000000006D2A000-memory.dmp

Filesize
232KB

Download
memory/3716-859-0x0000000006CF0000-0x0000000006D2A000-memory.dmp

Filesize
232KB

Download
memory/3716-858-0x0000000006BF0000-0x0000000006BF6000-memory.dmp

Filesize
24KB

Download
memory/3716-854-0x000000000B5E0000-0x000000000B694000-memory.dmp

Filesize
720KB

Download
memory/3716-853-0x000000000B5E0000-0x000000000B694000-memory.dmp

Filesize
720KB

Download
memory/3716-850-0x0000000006C00000-0x0000000006C0C000-memory.dmp

Filesize
48KB

Download
memory/3716-847-0x0000000006C00000-0x0000000006C0C000-memory.dmp

Filesize
48KB

Download
memory/3716-846-0x0000000006C70000-0x0000000006C82000-memory.dmp

Filesize
72KB

Download
memory/3716-842-0x0000000006C40000-0x0000000006C68000-memory.dmp

Filesize
160KB

Download
memory/3716-839-0x0000000006C40000-0x0000000006C68000-memory.dmp

Filesize
160KB

Download
memory/3716-831-0x0000000006BC0000-0x0000000006BD3000-memory.dmp

Filesize
76KB

Download
memory/3716-834-0x0000000006BC0000-0x0000000006BD3000-memory.dmp

Filesize
76KB

Download
memory/3716-838-0x0000000006C10000-0x0000000006C33000-memory.dmp

Filesize
140KB

Download
memory/3716-824-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3716-827-0x0000000006A30000-0x0000000006A41000-memory.dmp

Filesize
68KB

Download
memory/3716-830-0x0000000006A30000-0x0000000006A41000-memory.dmp

Filesize
68KB

Download
memory/3716-823-0x0000000008E60000-0x0000000009A49000-memory.dmp

Filesize
11.9MB

Download
memory/3716-820-0x0000000008E60000-0x0000000009A49000-memory.dmp

Filesize
11.9MB

Download
memory/3716-819-0x0000000007160000-0x0000000007AEA000-memory.dmp

Filesize
9.5MB

Download
memory/3716-816-0x0000000007160000-0x0000000007AEA000-memory.dmp

Filesize
9.5MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads