clop | 6b3fbf3c740886abe83f02b354e1243054307b2037b452e2d5afc405cbbb99a9

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2025, 08:03

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

clop.exe
Size

100KB
MD5

8752a7a052ba75239b86b0da1d483dd7
SHA1

6eeef883d209d02a05ae9e6a2f37c6cbf69f4d89
SHA256

3320f11728458d01eef62e10e48897ec1c2277c1fe1aa2d471a16b4dccfc1207
SHA512

57d19e9254ecaeaf301e11598c88b1440f3f85baf0cb8d7a0ac952cd6d63f565df9809b13f50a059302bfb0f81a5c498e49837e2e9480ec9b51c14a409fbdb65
SSDEEP

1536:gHIPkRUedYttp2bd/B8quuaOY2IfpW+VQJFsW69cdCeRk28+axHPjsb5:EYtLqJSquu42CW+VwisCgk2DaxHPj+5

Score

10^/10

clop discovery ransomware

Malware Config

Extracted

Path

C:\PerfLogs\ClopReadMe.txt

Family

clop

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN – files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Attention!!! Your warranty - decrypted samples. Do not rename encrypted files. Do not try to decrypt your data using third party software. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Contact emails: [email protected] or [email protected] The final price depends on how fast you write to us. Clop

Emails

[email protected]

Signatures

Clop family
clop
clop
Ransomware discovered in early 2019 which has been actively developed since release.
ransomware clop
Renames multiple (265) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops desktop.ini file(s) 25 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	clop.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3181990009-820930284-137514597-1000\desktop.ini	clop.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	clop.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	clop.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	clop.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	clop.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	clop.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3181990009-820930284-137514597-1000\desktop.ini	clop.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	clop.exe
File opened for modification	C:\Users\Public\desktop.ini	clop.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	clop.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	clop.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	clop.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	clop.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	clop.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	clop.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	clop.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	clop.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	clop.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	clop.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	clop.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	clop.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	clop.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	clop.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	clop.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	clop.exe
File opened (read-only)	\??\T:	clop.exe
File opened (read-only)	\??\U:	clop.exe
File opened (read-only)	\??\I:	clop.exe
File opened (read-only)	\??\N:	clop.exe
File opened (read-only)	\??\A:	clop.exe
File opened (read-only)	\??\G:	clop.exe
File opened (read-only)	\??\O:	clop.exe
File opened (read-only)	\??\V:	clop.exe
File opened (read-only)	\??\W:	clop.exe
File opened (read-only)	\??\X:	clop.exe
File opened (read-only)	\??\Y:	clop.exe
File opened (read-only)	\??\E:	clop.exe
File opened (read-only)	\??\H:	clop.exe
File opened (read-only)	\??\M:	clop.exe
File opened (read-only)	\??\P:	clop.exe
File opened (read-only)	\??\Q:	clop.exe
File opened (read-only)	\??\R:	clop.exe
File opened (read-only)	\??\Z:	clop.exe
File opened (read-only)	\??\B:	clop.exe
File opened (read-only)	\??\J:	clop.exe
File opened (read-only)	\??\K:	clop.exe
File opened (read-only)	\??\L:	clop.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ClopReadMe.txt	clop.exe
File opened for modification	C:\Program Files (x86)\ClopReadMe.txt	clop.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ClopReadMe.txt	clop.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clop.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "19"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
336	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe
3988	clop.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	5584	taskmgr.exe
Token: SeSystemProfilePrivilege	5584	taskmgr.exe
Token: SeCreateGlobalPrivilege	5584	taskmgr.exe
Token: 33	5584	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5584	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe
5584	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5700	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 5152	2404	msedge.exe	118
PID 2404 wrote to memory of 5152	2404	msedge.exe	118
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 3252	2404	msedge.exe	119
PID 2404 wrote to memory of 5432	2404	msedge.exe	120
PID 2404 wrote to memory of 5432	2404	msedge.exe	120
PID 2404 wrote to memory of 1188	2404	msedge.exe	121
PID 2404 wrote to memory of 1188	2404	msedge.exe	121
PID 2404 wrote to memory of 1188	2404	msedge.exe	121
PID 2404 wrote to memory of 1188	2404	msedge.exe	121
PID 2404 wrote to memory of 1188	2404	msedge.exe	121
PID 2404 wrote to memory of 1188	2404	msedge.exe	121
PID 2404 wrote to memory of 1188	2404	msedge.exe	121
PID 2404 wrote to memory of 1188	2404	msedge.exe	121
PID 2404 wrote to memory of 1188	2404	msedge.exe	121
PID 2404 wrote to memory of 1188	2404	msedge.exe	121
PID 2404 wrote to memory of 1188	2404	msedge.exe	121
PID 2404 wrote to memory of 1188	2404	msedge.exe	121
PID 2404 wrote to memory of 1188	2404	msedge.exe	121
PID 2404 wrote to memory of 1188	2404	msedge.exe	121
PID 2404 wrote to memory of 1188	2404	msedge.exe	121
PID 2404 wrote to memory of 1188	2404	msedge.exe	121
PID 2404 wrote to memory of 1188	2404	msedge.exe	121
PID 2404 wrote to memory of 1188	2404	msedge.exe	121
PID 2404 wrote to memory of 1188	2404	msedge.exe	121
PID 2404 wrote to memory of 1188	2404	msedge.exe	121

C:\Users\Admin\AppData\Local\Temp\clop.exe
"C:\Users\Admin\AppData\Local\Temp\clop.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:780

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Videos\ClopReadMe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:336

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=qpot0v.exe qpot0v.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffda8fe46f8,0x7ffda8fe4708,0x7ffda8fe4718
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,6111906951681907785,5945233054889456247,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,6111906951681907785,5945233054889456247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,6111906951681907785,5945233054889456247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6111906951681907785,5945233054889456247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6111906951681907785,5945233054889456247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6111906951681907785,5945233054889456247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6111906951681907785,5945233054889456247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,6111906951681907785,5945233054889456247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,6111906951681907785,5945233054889456247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6111906951681907785,5945233054889456247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6111906951681907785,5945233054889456247,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6111906951681907785,5945233054889456247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6111906951681907785,5945233054889456247,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:6000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2720

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3884055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\ClopReadMe.txt

Filesize
1KB

MD5
da76cdbc83863176e9da51b1c9224139

SHA1
fc71801db718efd836c93b6b95dceaa155050290

SHA256
e79dfc0bbdefca3815ffb349139a512e7090403a1e4d80414b97b3e567c7c1ad

SHA512
58227520b3815a68695e4d80882166d0b6f2fd907b9f6a503acb843769ebc3aa836e5d4af5b9c5896c06543cc3757bd23f6f0c96e69a4cd25163dcc65c915e29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4255cae88563058c7eaed69088da0ab2

SHA1
2bcb70f6ae6ae0207a7a964422cac20c80b26394

SHA256
b0cb92f0d6e6cb20ace15d6bf06015570aee24c0d06a8102200dfd3cf4118a15

SHA512
cb41c1797e6d6c5a70d9045e0319ac92512deeb4d4280a1d9a607c2a4031db6027a050633b95fadce63f6f7513ba599f336182b6ce50a0cfbc44360723c461eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
806d271b63c2bc170813afa83e15671b

SHA1
b0a5d4f3e2094a99e402438f3ff4e153a7cb7453

SHA256
8c36754533e755375f987fe74c3499ba8f6044af05b416dded069e37f72d405e

SHA512
eb793dc197be47854473bd49ff09902e390562c182d87a670dcd7999f512fe4c090452dcb93a8bf7a4b8eb031de94f2e399dba802ca33f8764eea256eb5e805c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
402e32044fbd97b9026f00125acad170

SHA1
9f0bbee4b305e5f8d281f1a4208894d9eb299dec

SHA256
343b7655f738288454e257119cf9c51ec977f825b3c39d6e4be5d8821a2edebf

SHA512
3d400f14a985503da9641d25cb79968decc2b85d9dee203341e5c8fbfa5c4363b1607ce676160185a8c819b5567fd1d6e59384244e0a3e445dd6b434db0b54ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
471B

MD5
469840532bcd16ebf919e716d8256a80

SHA1
8c5eac41400af7184ca1da3f3c1ba00e4f6ca17a

SHA256
f39916f7ba81d1a8ffe08d5d339f992363511d0d517b86415a44fa009feba9e1

SHA512
6dfc7bed60c85cbbe11a7768440cb13b9ef505843b0fc73c62880e1afad3365c7e13af5cee29bff61596b54ea25e7ad652a9fdd6399ea62c6c472c4c1f3420e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0f4de298874bbe18bc8b4d7dd407dca5

SHA1
53b0647397db4e8a1034b23ea2c0b5b31adb98c7

SHA256
c4d681385210abaa5690009b45304ef461a468f03d042c7346c4e45f26214b51

SHA512
0f40da64e9800b8440231d76837f9dd5cdf191c6b9c225212ffda1e7e6df2dfa520db3e97159512812574697dded344ec749cabc600b7318651979c378e79585

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
437229e0fe663b402c80d3c673c5c933

SHA1
000cdf99b63930bc6cd48bea697b4a79f97fa94d

SHA256
b030d279e2ca3e64dd23f585be399d157e3fb075b524e117603ddead5bc41576

SHA512
524b7891a6cda34e75d8eb5e936788b5a7fb442fc031903e0c8e4e3e951280e6b7ca61a172f6cbc4ea56ddc54ffc654cfa1b1d671d69871cf2a0219db705513d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
89056432d3414a76aecdbd04ff28f419

SHA1
09a8f0683fc13f3feec528b92f89e95220267077

SHA256
10d5217b0727e444bbbecac8242a4a938d16b533775a8fa033f4225e402e15d6

SHA512
e2c5fcaf26bff0cdadd8dc83d030383241e50877cd8c68430ae001301aed1c6936e016bdbff54c8b94a44d6e0b54e8973847c6a18662ef1e3c997a86c0f808db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
22dc8a806d2830a866378bfcb9a040e6

SHA1
8b0c939991d115bc7fca41918a4b49a03d857dfd

SHA256
452bb1cb70fe67bda3a76c81bf60d62af48219c5b5eda22145f5ac6faadbcb19

SHA512
2fe2b3593034d65b10b7a1209ac48d7808996adba13ecac0efa8c1a2fefe748303c424a31d82ea004a20971f1057966462b5edd01d1f510c7711a940e3219cb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
daf78172b1166a5cff2a20430400e609

SHA1
dab73179e5d3216231ab84f735e3c378d8c53484

SHA256
50bb452601e0019728c04972c1c3d87b8f0e00cfd7e3c9107188280ddb98d3c6

SHA512
894a8c903dd2a4211835cd29a86c1c0ff5cabb00a77bbe9b3fa0c08b5c38404df08cc0ab5737c003c325a969edfaf2f2be1066a07858f9f0444c337be36cf5e8

Download Submit
memory/5584-1193-0x0000014F68900000-0x0000014F68901000-memory.dmp

Filesize
4KB

Download
memory/5584-1188-0x0000014F68900000-0x0000014F68901000-memory.dmp

Filesize
4KB

Download
memory/5584-1189-0x0000014F68900000-0x0000014F68901000-memory.dmp

Filesize
4KB

Download
memory/5584-1190-0x0000014F68900000-0x0000014F68901000-memory.dmp

Filesize
4KB

Download
memory/5584-1191-0x0000014F68900000-0x0000014F68901000-memory.dmp

Filesize
4KB

Download
memory/5584-1192-0x0000014F68900000-0x0000014F68901000-memory.dmp

Filesize
4KB

Download
memory/5584-1194-0x0000014F68900000-0x0000014F68901000-memory.dmp

Filesize
4KB

Download
memory/5584-1182-0x0000014F68900000-0x0000014F68901000-memory.dmp

Filesize
4KB

Download
memory/5584-1183-0x0000014F68900000-0x0000014F68901000-memory.dmp

Filesize
4KB

Download
memory/5584-1184-0x0000014F68900000-0x0000014F68901000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads