hxxps://drive[.]google[.]com/drive/folders/12_8O2o_9tufEE5Dvup-uVXVdvSsp1JfE

Analysis

max time kernel
672s
max time network
673s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 21:21

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/12_8O2o_9tufEE5Dvup-uVXVdvSsp1JfE

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	JJBotv3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	JJBotv3.exe

Executes dropped EXE 4 IoCs

pid	Process
5516	JJBotv3.exe
5544	JJBotv3.exe
5568	JJBotv3.exe
5344	JJBotv3.exe

Loads dropped DLL 64 IoCs

pid	Process
2380	MsiExec.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Unknown\desktop.ini	msiexec.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
6	drive.google.com
207	drive.google.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\JJBotv3\runtime\legal\java.scripting\COPYRIGHT	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-crt-multibyte-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-string-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-crt-filesystem-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-crt-process-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\legal\java.xml\jcup.md	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\legal\java.desktop\colorimaging.md	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\lib\security\cacerts	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\legal\java.base\unicode.md	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\vcruntime140.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-crt-runtime-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\include\jni.h	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-handle-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-core-namedpipe-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-localization-l1-2-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\freetype.dll	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\legal\java.desktop\COPYRIGHT	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-crt-string-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\legal\javafx.base\ADDITIONAL_LICENSE_INFO	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\bin\javafx\decora_sse.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\app\jnativehook-2.2.2.jar	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\include\jvmti.h	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-core-processthreads-l1-1-1.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\legal\java.datatransfer\LICENSE	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\conf\security\policy\README.txt	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-core-file-l1-2-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-crt-utility-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\legal\java.base\unicode.md	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-core-libraryloader-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\legal\javafx.controls\ADDITIONAL_LICENSE_INFO	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\legal\java.xml\COPYRIGHT	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-core-util-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-crt-environment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-processenvironment-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-crt-math-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\bin\javafx\javafx_font.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-namedpipe-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\legal\java.desktop\colorimaging.md	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\legal\java.prefs\COPYRIGHT	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\include\win32\jni_md.h	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\conf\logging.properties	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\verify.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-console-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-rtlsupport-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\legal\javafx.graphics\ADDITIONAL_LICENSE_INFO	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\vcruntime140.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\legal\java.xml\xalan.md	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\jrunscript.exe	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\bin\splashscreen.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-core-synch-l1-2-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-memory-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-core-sysinfo-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\legal\java.desktop\libpng.md	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\bin\javafx\msvcp140_2.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\ucrtbase.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\include\win32\jni_md.h	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\legal\javafx.controls\LICENSE	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\app\JNativeHook.x86_64.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-crt-convert-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\legal\java.desktop\LICENSE	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\legal\javafx.graphics\ASSEMBLY_EXCEPTION	msiexec.exe
File opened for modification	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-core-string-l1-1-0.dll	msiexec.exe
File created	C:\Program Files\JJBotv3\runtime\bin\api-ms-win-crt-string-l1-1-0.dll	msiexec.exe

Drops file in Windows directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\{9650A088-8CC6-3663-97AB-26A9265C2570}\icon1735593305	msiexec.exe
File opened for modification	C:\Windows\Installer\{9650A088-8CC6-3663-97AB-26A9265C2570}\icon1735593305	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D1519E14-2AB0-389C-B7AD-51E57DC3C2DC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF33D.tmp	msiexec.exe
File created	C:\Windows\Installer\e596073.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{9650A088-8CC6-3663-97AB-26A9265C2570}\JpARPPRODUCTICON	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI94EB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI972F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA837.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{D1519E14-2AB0-389C-B7AD-51E57DC3C2DC}\JpARPPRODUCTICON	msiexec.exe
File created	C:\Windows\Installer\e596156.msi	msiexec.exe
File created	C:\Windows\Installer\{D1519E14-2AB0-389C-B7AD-51E57DC3C2DC}\JpARPPRODUCTICON	msiexec.exe
File created	C:\Windows\Installer\{D1519E14-2AB0-389C-B7AD-51E57DC3C2DC}\icon1735593305	msiexec.exe
File created	C:\Windows\Installer\e596071.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF158.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6316.tmp	msiexec.exe
File created	C:\Windows\Installer\e595f8e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAA4B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e596073.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA51F.tmp	msiexec.exe
File created	C:\Windows\Installer\e595f8b.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9650A088-8CC6-3663-97AB-26A9265C2570}	msiexec.exe
File opened for modification	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{D1519E14-2AB0-389C-B7AD-51E57DC3C2DC}\icon1735593305	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB6A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e595f8b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6008.tmp	msiexec.exe
File created	C:\Windows\Installer\{9650A088-8CC6-3663-97AB-26A9265C2570}\JpARPPRODUCTICON	msiexec.exe
File created	C:\Windows\Installer\e595f8d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e595f8e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA7D0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB9B3.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b58935fac5ebb7730000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b58935fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b58935fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db58935fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b58935fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JJBotv3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	JJBotv3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JJBotv3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	JJBotv3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133673671298118998"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe

Modifies registry class 62 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\880A05696CC8366379BA629A62C55207\DefaultFeature	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B1423C193BBCC4D34B6F4D3AA87894B0	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\Version = "16908288"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\AdvertiseFlags = "388"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Desktop\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\ProductIcon = "C:\\Windows\\Installer\\{9650A088-8CC6-3663-97AB-26A9265C2570}\\JpARPPRODUCTICON"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\41E9151D0BA2C9837BDA155ED73C2CCD\DefaultFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B1423C193BBCC4D34B6F4D3AA87894B0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B1423C193BBCC4D34B6F4D3AA87894B0\880A05696CC8366379BA629A62C55207	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\880A05696CC8366379BA629A62C55207	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{B2D1A155-7440-437C-A0CC-405BD914E7B7}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\SourceList\PackageName = "JJBotv3-1.1.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\ProductName = "JJBotv3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\PackageCode = "DE93FC7454BF4194BB87A0F843899217"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\DeploymentFlags = "3"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\Version = "16842752"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\Clients = 3a0000000000	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Archive [OLD]-20240805T212257Z-001.zip\\Archive [OLD]\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B1423C193BBCC4D34B6F4D3AA87894B0\41E9151D0BA2C9837BDA155ED73C2CCD	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\41E9151D0BA2C9837BDA155ED73C2CCD	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\880A05696CC8366379BA629A62C55207	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\ProductIcon = "C:\\Windows\\Installer\\{D1519E14-2AB0-389C-B7AD-51E57DC3C2DC}\\JpARPPRODUCTICON"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Archive [OLD]-20240805T212257Z-001.zip\\Archive [OLD]\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\PackageCode = "80809DC84EB39E44FAA63F30C97387AC"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\SourceList\Net\1 = "C:\\Users\\Admin\\Desktop\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\ProductName = "JJBotv3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\41E9151D0BA2C9837BDA155ED73C2CCD	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList\PackageName = "JJBotv3-1.2.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\41E9151D0BA2C9837BDA155ED73C2CCD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\880A05696CC8366379BA629A62C55207\InstanceType = "0"	msiexec.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 119280.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 358368.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4732	msedge.exe
4732	msedge.exe
4736	msedge.exe
4736	msedge.exe
2240	identity_helper.exe
2240	identity_helper.exe
4808	msedge.exe
4808	msedge.exe
3524	msedge.exe
3524	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
1848	msiexec.exe
1848	msiexec.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
5388	msedge.exe
5388	msedge.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1752	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs

pid	Process
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe
5332	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2200	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2200	msiexec.exe
Token: SeSecurityPrivilege	1848	msiexec.exe
Token: SeCreateTokenPrivilege	2200	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2200	msiexec.exe
Token: SeLockMemoryPrivilege	2200	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2200	msiexec.exe
Token: SeMachineAccountPrivilege	2200	msiexec.exe
Token: SeTcbPrivilege	2200	msiexec.exe
Token: SeSecurityPrivilege	2200	msiexec.exe
Token: SeTakeOwnershipPrivilege	2200	msiexec.exe
Token: SeLoadDriverPrivilege	2200	msiexec.exe
Token: SeSystemProfilePrivilege	2200	msiexec.exe
Token: SeSystemtimePrivilege	2200	msiexec.exe
Token: SeProfSingleProcessPrivilege	2200	msiexec.exe
Token: SeIncBasePriorityPrivilege	2200	msiexec.exe
Token: SeCreatePagefilePrivilege	2200	msiexec.exe
Token: SeCreatePermanentPrivilege	2200	msiexec.exe
Token: SeBackupPrivilege	2200	msiexec.exe
Token: SeRestorePrivilege	2200	msiexec.exe
Token: SeShutdownPrivilege	2200	msiexec.exe
Token: SeDebugPrivilege	2200	msiexec.exe
Token: SeAuditPrivilege	2200	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2200	msiexec.exe
Token: SeChangeNotifyPrivilege	2200	msiexec.exe
Token: SeRemoteShutdownPrivilege	2200	msiexec.exe
Token: SeUndockPrivilege	2200	msiexec.exe
Token: SeSyncAgentPrivilege	2200	msiexec.exe
Token: SeEnableDelegationPrivilege	2200	msiexec.exe
Token: SeManageVolumePrivilege	2200	msiexec.exe
Token: SeImpersonatePrivilege	2200	msiexec.exe
Token: SeCreateGlobalPrivilege	2200	msiexec.exe
Token: SeBackupPrivilege	628	vssvc.exe
Token: SeRestorePrivilege	628	vssvc.exe
Token: SeAuditPrivilege	628	vssvc.exe
Token: SeBackupPrivilege	1848	msiexec.exe
Token: SeRestorePrivilege	1848	msiexec.exe
Token: SeRestorePrivilege	1848	msiexec.exe
Token: SeTakeOwnershipPrivilege	1848	msiexec.exe
Token: SeRestorePrivilege	1848	msiexec.exe
Token: SeTakeOwnershipPrivilege	1848	msiexec.exe
Token: SeRestorePrivilege	1848	msiexec.exe
Token: SeTakeOwnershipPrivilege	1848	msiexec.exe
Token: SeRestorePrivilege	1848	msiexec.exe
Token: SeTakeOwnershipPrivilege	1848	msiexec.exe
Token: SeRestorePrivilege	1848	msiexec.exe
Token: SeTakeOwnershipPrivilege	1848	msiexec.exe
Token: SeRestorePrivilege	1848	msiexec.exe
Token: SeTakeOwnershipPrivilege	1848	msiexec.exe
Token: SeRestorePrivilege	1848	msiexec.exe
Token: SeTakeOwnershipPrivilege	1848	msiexec.exe
Token: SeRestorePrivilege	1848	msiexec.exe
Token: SeTakeOwnershipPrivilege	1848	msiexec.exe
Token: SeRestorePrivilege	1848	msiexec.exe
Token: SeTakeOwnershipPrivilege	1848	msiexec.exe
Token: SeRestorePrivilege	1848	msiexec.exe
Token: SeTakeOwnershipPrivilege	1848	msiexec.exe
Token: SeRestorePrivilege	1848	msiexec.exe
Token: SeTakeOwnershipPrivilege	1848	msiexec.exe
Token: SeRestorePrivilege	1848	msiexec.exe
Token: SeTakeOwnershipPrivilege	1848	msiexec.exe
Token: SeRestorePrivilege	1848	msiexec.exe
Token: SeTakeOwnershipPrivilege	1848	msiexec.exe
Token: SeRestorePrivilege	1848	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe
1752	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe
5544	JJBotv3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 4148	4736	msedge.exe	83
PID 4736 wrote to memory of 4148	4736	msedge.exe	83
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 1852	4736	msedge.exe	84
PID 4736 wrote to memory of 4732	4736	msedge.exe	85
PID 4736 wrote to memory of 4732	4736	msedge.exe	85
PID 4736 wrote to memory of 3380	4736	msedge.exe	86
PID 4736 wrote to memory of 3380	4736	msedge.exe	86
PID 4736 wrote to memory of 3380	4736	msedge.exe	86
PID 4736 wrote to memory of 3380	4736	msedge.exe	86
PID 4736 wrote to memory of 3380	4736	msedge.exe	86
PID 4736 wrote to memory of 3380	4736	msedge.exe	86
PID 4736 wrote to memory of 3380	4736	msedge.exe	86
PID 4736 wrote to memory of 3380	4736	msedge.exe	86
PID 4736 wrote to memory of 3380	4736	msedge.exe	86
PID 4736 wrote to memory of 3380	4736	msedge.exe	86
PID 4736 wrote to memory of 3380	4736	msedge.exe	86
PID 4736 wrote to memory of 3380	4736	msedge.exe	86
PID 4736 wrote to memory of 3380	4736	msedge.exe	86
PID 4736 wrote to memory of 3380	4736	msedge.exe	86
PID 4736 wrote to memory of 3380	4736	msedge.exe	86
PID 4736 wrote to memory of 3380	4736	msedge.exe	86
PID 4736 wrote to memory of 3380	4736	msedge.exe	86
PID 4736 wrote to memory of 3380	4736	msedge.exe	86
PID 4736 wrote to memory of 3380	4736	msedge.exe	86
PID 4736 wrote to memory of 3380	4736	msedge.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/12_8O2o_9tufEE5Dvup-uVXVdvSsp1JfE
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc434446f8,0x7ffc43444708,0x7ffc43444718
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6196 /prefetch:8
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6300 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6468 /prefetch:8
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6340 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2052 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6652 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7156 /prefetch:8
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6776 /prefetch:8
  2⤵
  PID:5424
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\JJBotv3-1.2.msi"
  2⤵
  - Enumerates connected drives
  PID:5376
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\JJBotv3-1.2.msi"
  2⤵
  - Enumerates connected drives
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4803728513472739967,11856482254111134939,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1692 /prefetch:1
  2⤵
  PID:3668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:680

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1568

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\JJBotv3-1.1.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1848
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1300
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 850F8721400CF2E31B4B621E3D7261ED
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2380
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ABF1EF1C680D38A5FA90A44EA5423A64
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5652
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 390DC296EAB1AB3CB01BF2B9085DFA81
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5920
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 78C60D67375265D60F0543E519AE0A95
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:1752

C:\Program Files\JJBotv3\JJBotv3.exe
"C:\Program Files\JJBotv3\JJBotv3.exe"
1⤵
- Executes dropped EXE
PID:5516
- C:\Program Files\JJBotv3\JJBotv3.exe
  "C:\Program Files\JJBotv3\JJBotv3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:5544

C:\Program Files\JJBotv3\JJBotv3.exe
"C:\Program Files\JJBotv3\JJBotv3.exe"
1⤵
- Executes dropped EXE
PID:5568
- C:\Program Files\JJBotv3\JJBotv3.exe
  "C:\Program Files\JJBotv3\JJBotv3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks processor information in registry
  PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc434446f8,0x7ffc43444708,0x7ffc43444718
  2⤵
  PID:2816

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
PID:696

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp1_Archive [OLD]-20240805T212257Z-001.zip\Archive [OLD]\JJBotv3-1.1.msi"
1⤵
- Enumerates connected drives
PID:4552

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc30facc40,0x7ffc30facc4c,0x7ffc30facc58
  2⤵
  PID:5652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,876734648592753610,12191327286920419287,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2000,i,876734648592753610,12191327286920419287,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1988 /prefetch:3
  2⤵
  PID:5824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,876734648592753610,12191327286920419287,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2504 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,876734648592753610,12191327286920419287,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3304,i,876734648592753610,12191327286920419287,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3184,i,876734648592753610,12191327286920419287,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4712,i,876734648592753610,12191327286920419287,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5028,i,876734648592753610,12191327286920419287,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:6020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5216,i,876734648592753610,12191327286920419287,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3392,i,876734648592753610,12191327286920419287,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=864,i,876734648592753610,12191327286920419287,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5396,i,876734648592753610,12191327286920419287,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  PID:1804

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3120

C:\Windows\System32\rdvidg.exe
"C:\Windows\System32\rdvidg.exe"
1⤵
PID:5732

C:\Windows\System32\rdvidg.exe
"C:\Windows\System32\rdvidg.exe"
1⤵
PID:5324

C:\Users\Admin\Desktop\rdvidg.exe
"C:\Users\Admin\Desktop\rdvidg.exe"
1⤵
PID:2256

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38d8855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e595f8c.rbs

Filesize
54KB

MD5
3fabec680b7ae78ce645c6bcbe0516df

SHA1
72ff4e555bbb08d6c2272a5eb57c843cc9cfc3cc

SHA256
9c6d8cb8746cd354f3e4317feff34b733e923f0c419b2abb94c62cfdd7eadac1

SHA512
e8ee3edcba9d9ad640b6c27c2cdd553801c88ff9fb4a0599b23816b7c95ceb96d3db077622529c2dad95ca8a630eb88e654745cfc95eaf99c2e7de1c37a324d9

Download Submit
C:\Config.Msi\e595f91.rbs

Filesize
97KB

MD5
21622f5ec8b2b7fba4c74beb0e6f51e1

SHA1
93c22e7dd540e4e06a8d1626b2bb61ea91e01b1e

SHA256
45582e15b4ea0ae55053aa28ee96d3296412d34c8ee92a813def2fcd9064799c

SHA512
a6a6865231653d9d0540231a1347ba063a4e4fc29016807040aadffa14e5bbae33a298739f398fee797cce04b984c3c53bf0f05e272ff39e19138a7ffe8354d9

Download Submit
C:\Config.Msi\e596070.rbs

Filesize
54KB

MD5
e8a4df5c383ee670af6e73a682f718b1

SHA1
80b5faa6279514ec974c49283c88c687165905f5

SHA256
ef610fe5075242919c3da311d68088c4d728201b4157efd1e1190af37603744e

SHA512
98fbded4a462d77d30652fd71c4f487a25cf325a9efc59070b0d9ad05c0184e19ed4aeb9ed85aa62715632424d439bc2d370e791a3ffcd9517f8b9e1b69da936

Download Submit
C:\Config.Msi\e596072.rbs

Filesize
3KB

MD5
c6e7a6a38554c1074d4ba2f6975d114e

SHA1
6e666e37996f8c91f85b25d0fa1ba43cee37b9fa

SHA256
80ad93f3741f64ea52bdd3c871835b9d7c1c7b607da60ec648cc144132d79d68

SHA512
b1b33c60b5387d001cf80de79d634b68a0a148ba47a3c0e5b70298d2841d994afb64277a55fc80b5ea4fc75a6189843ab74aa5c9a9ad29f612ce586da72364e3

Download Submit
C:\Config.Msi\e596076.rbs

Filesize
97KB

MD5
112fc8069ac2aa91a9874848bbaaaa40

SHA1
5a48f9684d8d206fd03db7e401b94c89db014409

SHA256
cef65d44829c0805e627f91bc5ebc60cafc48c1f935fd25ef48f32371ffdc7ff

SHA512
a22f0d82803795e3f0a7e576d682231d0baafa399bbc8d0f322c84f7492be5821625192c23d5e70aaf358a7d49068492641d300f22a4d449008c08a2b9efda41

Download Submit
C:\Config.Msi\e596155.rbs

Filesize
54KB

MD5
17d5603aeae3924848f8d8387109f943

SHA1
af7afc1905ffa5f7502da8b81f31c311b64ada07

SHA256
10d448373719b7fc8624d53fe32fd5449f6cf48ae49b5afb2410dc9475bb567f

SHA512
f7630ed834581d873af91db5509db82271cfb5e4800bebd109898832559e85cd79ea931db74cba15ccca48f7fc33a5b3a03c353911cd1a42a8c36c00af6013fb

Download Submit
C:\Program Files\JJBotv3\JJBotv3.exe

Filesize
566KB

MD5
77f9cab6666d8ab484fc5b4a3f16c7e7

SHA1
3444a9e98e77c2088be7d2ef6594f5aab18ad16f

SHA256
b06bd79737c2019951a9512a553bb6f5a6c4ab558d9908a096958bc291d3fb2a

SHA512
f1eed85de6b8d9c2fee498b58453b16ff42cc2716978de45fd51dedfdbedae7c7a5ad8bcb9fb3abf20a472ff379c11e6c36b8ecd6a41c2c073c20dcbaa3d07dd

Download Submit
C:\Program Files\JJBotv3\app\JJBotv3.cfg

Filesize
297B

MD5
310fc3627a2ad34bb4ebc8008b6181e5

SHA1
ba94f3ca881155239a36639948a59ca4069623ea

SHA256
c9404def4a0a484a21a8729f82764be4f88babd1175fe51238b8bfb470e07d8c

SHA512
9e58a047dce320f877bf4b588b7b46a8985005571efaf4c15800f1afee7b209eb305fb7f7ad857e54459efcee3b07b7d0ce435cb1869b4b834271795ce285c0f

Download Submit
C:\Program Files\JJBotv3\app\JJBotv3.jar

Filesize
16KB

MD5
39dbddbd1a4515dad70801a191152789

SHA1
96029066606d854c935766423e191dfbfbae7db0

SHA256
3667b846e4a45f562c563c3582ef0ca0b2173ce964c7cdd54d8dc6af84c3143f

SHA512
0031250c30c003722a85a8de66246d91dc105243440c6cd56f07077f54b05475f2321f3d932fb1415a70b2ed067973a489930f0c49e1c487b09bb97d76d548eb

Download Submit
C:\Program Files\JJBotv3\app\JNativeHook.x86_64.dll

Filesize
80KB

MD5
e9a449971b9efb0a2e12b9cfdd95c076

SHA1
385777659fa84e94a3812eb9a8afad27ae3ceed4

SHA256
b8c331c9f915960201da9af9c9dc8309e95e7d533741e71f4a5d13ca007d3e18

SHA512
bbcaf66b316cb60c63bb190099bee36a0059f13fa35fdf3a9a3e7e9a5304abe57acd71d644cde554427825249b460d58f0aba79f599f0c6fa40d23ea21aa941d

Download Submit
C:\Program Files\JJBotv3\app\jnativehook-2.2.2-javadoc.jar

Filesize
356KB

MD5
a31b4909de04bca3704bf761f02916e6

SHA1
cf5ae1e3b1b94d6a18d17398ad5791ac933ce29b

SHA256
158a3e503aab115bba4a60f35698fb71e136ca7882cda15c7666c2fad2c65a62

SHA512
48d4afadfbe8290f769c29a35e6f039ebf1999daf9ddb5651b7c45a2170c4c51f47e9cac5b7cf2675cb7e4d10289ad2b58ca9d2ecb56af8ccf5cbe6dd1541de9

Download Submit
C:\Program Files\JJBotv3\app\jnativehook-2.2.2-sources.jar

Filesize
564KB

MD5
5910c47d885a60905e5787ded53f6cb6

SHA1
88739bfe0ba179d5f37ab1b9a9202b44dace8616

SHA256
1e484b3f7a0a531b37360e70573b5f444c0534fddd7815ab9a7163d3378270d1

SHA512
72940da46537bac9a7e433c97ecda495bc38b1b6478dd6c88ce14c67f12298ca34212cb4b0cb70a02693e1c692617839f7de0a5cea4e199373ff2ee651920946

Download Submit
C:\Program Files\JJBotv3\app\jnativehook-2.2.2.jar

Filesize
657KB

MD5
673bc1fae6ad9f3938efead7986ddb02

SHA1
183dd1fb8927b008761802bb402629d5749b15d0

SHA256
2c7904423bc680af02d9ea9557ae233c35199e302d072773a9d0304b568acd41

SHA512
6b74f38352d5f1871e5c944f76d3a8e2fcdba8b7beb281ed0fa88b0979e8abde824b30f85e19c410c4f3797b6bc75f57b6b623112a6e186f6e4655343a2d5713

Download Submit
C:\Program Files\JJBotv3\runtime\bin\VCRUNTIME140.dll

Filesize
95KB

MD5
7415c1cc63a0c46983e2a32581daefee

SHA1
5f8534d79c84ac45ad09b5a702c8c5c288eae240

SHA256
475ab98b7722e965bd38c8fa6ed23502309582ccf294ff1061cb290c7988f0d1

SHA512
3d4b24061f72c0e957c7b04a0c4098c94c8f1afb4a7e159850b9939c7210d73398be6f27b5ab85073b4e8c999816e7804fef0f6115c39cd061f4aaeb4dcda8cf

Download Submit
C:\Program Files\JJBotv3\runtime\bin\java.dll

Filesize
143KB

MD5
aa069d2675ed9415ed03ec50618613cf

SHA1
ecdd5d910052006c1a98f51d927fe048739776e9

SHA256
66c02525e5ec60e0d74b4225ed6f7d85c778d774f298b46577aea82b369689c1

SHA512
55d3f64576e6e4bbbe89082b347161a8f8d67d4c0fb0a5104286bfbb4a822d8a8e88c7c161ea3db703032065cf716328fcc3db4acd4637c6157cef712977f845

Download Submit
C:\Program Files\JJBotv3\runtime\bin\javafx\api-ms-win-core-console-l1-1-0.dll

Filesize
20KB

MD5
2c146bc8d73b8944f35506241b9953a9

SHA1
ac64abd745418cea35c0506b9cb0331b171b51ea

SHA256
89384f8f64a9b7f67c8deccaa721e2d76b8a17026d8083630859ed0cd1a9b58b

SHA512
02713948a156baccb2e7c38646193e82fef65400c086644866b698bc3e0a8c155a8eab829463e3868ce2b8a06608c5ea6de1e390bff976c5f92e2e42dd6c04f1

Download Submit
C:\Program Files\JJBotv3\runtime\bin\jimage.dll

Filesize
32KB

MD5
bd60efd008e48bb99caeac946ced792e

SHA1
855d278e7ca1c1e918bd5f32c2a3fd8772554f52

SHA256
fc2be5399a034c07beb51270471144eedecc5068139b7ae2a7dfff7719b19746

SHA512
d66a0095c57a521537dde53b4c3d730a719f91d41f51f1eb7efd666f5dbc00b9837e7ff28dd05cf3a8a2310a51083e3be044fd126840b0ddb885ff3e0edf5344

Download Submit
C:\Program Files\JJBotv3\runtime\bin\jli.dll

Filesize
88KB

MD5
3a315274152a0ff52027c0ba0a960a21

SHA1
e3ebb1bb6fbacbb12fd9f6231d950666f2e5a034

SHA256
4a40a3a94d69ae05a2d31143c3877ff4ab5bb497445324d1bd693998e0b9ef24

SHA512
9705a7cdc86ee88b64235f4d9362c7b4e610367598ac4f4617a9761675c229b3ad94ecbd321e48718f14fb09419545c01ac975d5e577217a1a2ba85723c6c5b9

Download Submit
C:\Program Files\JJBotv3\runtime\bin\msvcp140.dll

Filesize
558KB

MD5
bf78c15068d6671693dfcdfa5770d705

SHA1
4418c03c3161706a4349dfe3f97278e7a5d8962a

SHA256
a88b8c1c8f27bf90fe960e0e8bd56984ad48167071af92d96ec1051f89f827fb

SHA512
5b6b0ab4e82cc979eaa619d387c6995198fd19aa0c455bef44bd37a765685575d57448b3b4accd70d3bd20a6cd408b1f518eda0f6dae5aa106f225bee8291372

Download Submit
C:\Program Files\JJBotv3\runtime\bin\net.dll

Filesize
94KB

MD5
b4e840ed1c5dbca49f34028137fb3178

SHA1
98f24cac1b6f8b86ae24efe532720b5256e635fe

SHA256
e0e567586af9eab9f95b6d84b60fd2785e38e202908ca62579d0fa7261a65a83

SHA512
63610e17bf0a2b357e4bed5f78c2e6449ec4d498e70025ff37a8f80362d41e50cef6c4197b3b0eda6f842a8fa90e0e2f88dd59ff0eda1632f17137b5c852365e

Download Submit
C:\Program Files\JJBotv3\runtime\bin\nio.dll

Filesize
78KB

MD5
cf63016b7c60c45d7707b8aabb705ce3

SHA1
3d4067d14260cd816a52e3640774d1fcd8bd64b7

SHA256
b92a5e3024e1c05427cbdc593deaef2473a74d7baf4c5d98063ce6e98bd0a619

SHA512
d84a0d7ce7d5ebc59f17aced76b2aa12f924f9a823f776da49f7099b4f2c3828b737be0001e47486aca9eb70363d9cb9068a1d75524853d0792d71874ee3ca62

Download Submit
C:\Program Files\JJBotv3\runtime\bin\server\jvm.dll

Filesize
11.5MB

MD5
89ad37a2cce32eec711b1df655ce4b8c

SHA1
1fa554d4382696eae8c2523990f3787598a22a24

SHA256
13bcca0624bfb0e41d684a97e50ca07479cb12c6643f61fadf72985688c7a6d1

SHA512
e09a135b86ea9d4778c31ded4a27210114a9db26fdb3085568c70064fb0fa2e8e1903a7286ff7df5025fb8b6fb02af960689fdb6f60820a023b2ae64af5497e8

Download Submit
C:\Program Files\JJBotv3\runtime\bin\vcruntime140_1.dll

Filesize
36KB

MD5
fcda37abd3d9e9d8170cd1cd15bf9d3f

SHA1
b23ff3e9aa2287b9c1249a008c0ae06dc8b6fdf2

SHA256
0579d460ea1f7e8a815fa55a8821a5ff489c8097f051765e9beaf25d8d0f27d6

SHA512
de8be61499aaa1504dde8c19666844550c2ea7ef774ecbe26900834b252887da31d4cf4fb51338b16b6a4416de733e519ebf8c375eb03eb425232a6349da2257

Download Submit
C:\Program Files\JJBotv3\runtime\bin\zip.dll

Filesize
85KB

MD5
ade1f943087e19c5085ce31125f585b1

SHA1
9f6021d049b09008be221cc1721ea5d12d3dc877

SHA256
090ac3d37609f9717861dfb4535466fb1ff48b2213b837ddc3777f9c8d960d1e

SHA512
f3ed6bfd4614574e300b46545c3e43a73d363c252539a0efbf2bd9e2e8921029b0233a7f67f689dbb967eb648c88c0b012944841a4c3e11aad8d4eb66822857f

Download Submit
C:\Program Files\JJBotv3\runtime\conf\security\policy\limited\default_US_export.policy

Filesize
146B

MD5
1a08ffdf0bc871296c8d698fb22f542a

SHA1
f3f974d3f6245c50804dcc47173aa29d4d7f0e2c

SHA256
758b930a526fc670ab7537f8c26321527050a31f5f42149a2dda623c56a0a1a9

SHA512
4cfca5b10cd7addcff887c8f3621d2fbec1b5632436326377b0ce5af1ae3e8b68ac5a743ca6082fc79991b8eec703a6e1dfd5b896153407ad72327753222fdb3

Download Submit
C:\Program Files\JJBotv3\runtime\legal\java.desktop\COPYRIGHT

Filesize
35B

MD5
4586c3797f538d41b7b2e30e8afebbc9

SHA1
3419ebac878fa53a9f0ff1617045ddaafb43dce0

SHA256
7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018

SHA512
f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3

Download Submit
C:\Program Files\JJBotv3\runtime\legal\java.xml\LICENSE

Filesize
33B

MD5
16989bab922811e28b64ac30449a5d05

SHA1
51ab20e8c19ee570bf6c496ec7346b7cf17bd04a

SHA256
86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192

SHA512
86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

Download Submit
C:\Program Files\JJBotv3\runtime\legal\javafx.fxml\ADDITIONAL_LICENSE_INFO

Filesize
51B

MD5
494903d6add168a732e73d7b0ba059a0

SHA1
f85c0fd9f8b04c4de25d85de56d4db11881e08ca

SHA256
0a256a7133bd2146482018ba6204a4ecc75836c139c8792da53536a9b67071d4

SHA512
b6e0968c9fd9464623bfa595bf47faf8f6bc1c55b09a415724c709ef8a3bcf8a954079cce1e0e6c91d34c607da2cecc2a6454d08c370a618fb9a4d7d9a078b24

Download Submit
C:\Program Files\JJBotv3\runtime\legal\javafx.fxml\ASSEMBLY_EXCEPTION

Filesize
46B

MD5
c62a00c3520dc7970a526025a5977c34

SHA1
f81a2bcb42ccbf898d92f59a4dc4b63fef6c2848

SHA256
a4b7ad48df36316ddd7d47fcecc1d7a2c59cbfe22728930220ef63517fd58cb0

SHA512
60907d1910b6999b8210b450c6695b7cc35a0c50c25d6569cf8bb975a5967ca4e53f0985bee474b20379df88bb0891068347ecf3e9c42900ed19a1dcbc2d56ec

Download Submit
C:\Program Files\JJBotv3\runtime\legal\javafx.fxml\LICENSE

Filesize
35B

MD5
f815ea85f3b4676874e42320d4b8cfd7

SHA1
3a2ddf103552fefe391f67263b393509eee3e807

SHA256
01a4ebd2a3b2671d913582f1241a176a13e9be98f4e3d5f2f04813e122b88105

SHA512
ddf09f482536966ac17313179552a5efc1b230fa5f270ebde5df6adebf07ee911b9ef433dfbfcb4e5236922da390f44e355709ecaf390c741648dd2a17084950

Download Submit
C:\Program Files\JJBotv3\runtime\lib\jvm.cfg

Filesize
29B

MD5
7ce21bdcfa333c231d74a77394206302

SHA1
c5a940d2dee8e7bfc01a87d585ddca420d37e226

SHA256
aa9efb969444c1484e29adecab55a122458090616e766b2f1230ef05bc3867e0

SHA512
8b37a1a5600e0a4e5832021c4db50569e33f1ddc8ac4fc2f38d5439272b955b0e3028ea10dec0743b197aa0def32d9e185066d2bac451f81b99539d34006074b

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Unknown\JJBotv3.lnk

Filesize
1KB

MD5
bd0c3b00c22b6bc1a21c1c74c6786e3a

SHA1
36c880217823747d58125bb975e89ddb6487c396

SHA256
7e97488e60c450e27c187748b798cbdeaf863732ba02c3f8bcbde70ae1f00868

SHA512
f827d89efb7b404203ae9ab3ae485b47962346a03cc63f452ac51d879dd38652cb700b9e44a6f3aeef6ac1083702c70750aaa86ba328b256d2d09f94ec7c67a6

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Unknown\JJBotv3.lnk

Filesize
1KB

MD5
3b8986e7a2cd00ce0504ac15c58cf0f2

SHA1
04c08f5b50f364927cadbed8926fa7d795a01349

SHA256
04cc47f9df8d867449174c2716f27ff3e1617f5ac684a0f09296911fad1bbd54

SHA512
96428868710b0c286cb6684fc815c8fb010ac62909e7b14f68c975efadda20faa8eedb04a5d84a7211016e1c8145ff688b8f633a441ae6ed8d5dfe0995107c72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
3cd5404a1526143559092a19aa685dec

SHA1
3f24f5958e31ecbb826bb8ab28a505ec4517d6b3

SHA256
e960ac83f4dab2a6815870cbe46faeedcfcd5ecc88287363bbb75a2bcca9fa82

SHA512
0fa3ba5f5848b56ad897f19f3c90b3791cb24538e92b68a61cd7c6d9692d12facbe5ab0ced91f8a00a9f37b2e3092ecaef6fa17d54619e51c56cdd121465eb71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
52fe2982c2b868ac9e62dc1b14fb37ef

SHA1
a86d60bafd4cafcbdaf5693aa2a2daf3c1a0ed32

SHA256
488f5984ca80add753183501b08efc1981cd2702dce8755fcbc7a3e752bc79b7

SHA512
76a305529fac13013daa1cc9d8af6e0eee74f6d458e2443d20daf908b6e95b005fb693eff8f6aea0f69ba690f185d3044c1a715c31399e8cc8eb5c91752ac536

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
9f549d3d0932cbb37d7c96267488e9f6

SHA1
0bbe4bfc30f0a48f1937d50b19537e90e8fd232a

SHA256
c0e909b82001d55610e4af16bfbd1fa6961e17ad90ff57c97b13a3a439f5cc00

SHA512
1dd8295521583b0d0ffb63684713a7a0fd69c98f5da5caf3811732c302f8079b34d729ce104fe8ba117c429e7a7468f37348d80fa5124784a487e94c25b6f0ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
6b4c477e9635b8b682863e7225c5744e

SHA1
457c0123cc52d7249024456d235371ae8ae79896

SHA256
e8d2ae6e3bc268cc1db79271274a89701df46599247f478d20edfb9f12c14e56

SHA512
bd38f8893996b15ab2e56f1c1d23176de38b3d3d666dd63d70975b439bb996da55a02729cf30109447868d2fbdbc67351f05922ed0f4218c1920c939d4861743

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
db1bfdf9707f738f6fead1b23022059f

SHA1
a6346f935f7d59c5269985bd7111b8050f36dc30

SHA256
ba532118f8a2407756ef66643df9e3c74283642a23e8810fbcbaad570905eb35

SHA512
2167e7c1a959d97fd12dd0f6dac90a642ae91cbef0986d482ae012b04b9d020651e89404d3ddfb55ec089919a3c6e0a27eb356cae1cb887af1c05f4a8eda2d2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
86fe2c60b379bbec67ddf231c96118ab

SHA1
b89f40d29d2eb58625baa3af14d1bbc078fe015a

SHA256
2452a2dcf13b7c54b1f11042299f3f7fa708c899b17f1dc24ec7b2bb0f37a0ca

SHA512
8a5b6ffaba323adbb57361215a86d872f0c8fc74c1aba18d1bc3529f27e781adb1f506e8fedb1efc19ef6277b007aa765389bc31b8ee11d8a398f69ecbc80439

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
f36d75b12ec7e9d2be578af4feb7144e

SHA1
5ab80c9ac295552eca535c90dc0e2e530dfddcdf

SHA256
a28696f2cfa444cf0e75ca7be5c88835bdc4ff0353871c7d97f70f1ccf0c271f

SHA512
10ebd7acf96aa0b3580937ab55afa901fb0262fd47a2ae42b18ee4480f409362b260a6bbc82a08e5fddc651b7a6aef95b4598fe782293121840412c38069e2c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
288989a2ce8c9f74f57fd0accaaf91d0

SHA1
1e4316dbc6153f185552269fc40920e4c5472727

SHA256
d8dc7ead98e2215bea5053680dfab57754baa3eff2afed36153892fe79618856

SHA512
1dc90d1c4ae0956fa39de10c93f883e3ecc99ae4009857609d51434d3b6733d13d1d8ee172a16761bcce74401bf218995b6d6cb1df4ecaa1a3339015bb8ab073

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
65fbec4cc57c47789e2e5ed659be4a37

SHA1
c9460d2f0f25b66ea920460e08a74d36b3b94d13

SHA256
255c9b38986b115ffef1762ec6178ae1e127d66fbfc31a1403ef39cdf4db8187

SHA512
bf41ff7c746eafbb2a4e15600edd535b7feb2290b5528a72053a33c696444622217b352079e9c47ddb4070239fdaedbf6ea4ecef637a2d59c5703ac81546c802

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d0ba88084634f76efcbfb75bc4666283

SHA1
30c64335d5b0146b9d2796bcff7d933300c344e6

SHA256
f227a1910e79e68d730a5d0e0f0846fb64e1a160cd3c07c6b580178148580bbb

SHA512
f77010e3089fa629f9c6ce2faf388018eb3d7471c96a8065dca25c426205cfa0ed1a9f0a307749e052c400d484c2b510355098b8d72b62a23abba1011e98037b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7559415123fd9ab6f8ae210d44ba372f

SHA1
75055a7ad2226c5844f75dcb80a3aabf1b1ebbea

SHA256
58879b3f0a162d62a12a7bf99a1ad89fdae76eb5d8bb03007b983fdcce9a040a

SHA512
74b5918fe8eea0e686c4bcff74d7670ca5ddd1db657d8996235a69111723fd370604d7f8cdefce29565ff9ca7723f56cba8fe4654a570fc407e91af8144785c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cbd9fe40f8ed96e4a5e4c65557b3cdbf

SHA1
299205e8a3a9226569fc2e74799db40e743053b4

SHA256
a436b1c5af7e067a0bed26502720611569620d2ee06b9d8b4d5cac1954a336c7

SHA512
251160a46b20da3bce893644313fbccc3577a71895ca9ec7d858905dc0bb00ba7f4f474729f985da9f67c970fc4eded61c348f8574e9c6b2c5b3174824f62e72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2d9d87b169fb321577ee663983a8ba8d

SHA1
5b507b5a74aa8c7e7e368a73c61284fc1d234ba1

SHA256
c863304eb90322b0cb69fd7c5b74bc07732b7c83e5e00b128fe65625f7d8b657

SHA512
61a6e38abf6cd19626becab07194b4bb0dce81a4b2afede53af1f8d58826b9754eead42bd653b47ed833392ebafca9746230c5b2104c16efc77dcf972f330ab2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
02f2f8e67c903170a3fefeefdf296637

SHA1
b807a2a37c8dd7d9acce401c343476c9a3f88781

SHA256
19fca9a73f36312e605b7913c2cf6905fe9196617cea1681a1d55c04ad1357fa

SHA512
9b9daa76b8579383acc56c0a1d82605c6b0b5bd2d38daf80d6dc0c1f353811198afe707ffe5239e06a3911e73dd6f83992171ce07c91d23f20ac220e7759982e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
e9f7d95f58fb3dc4755c2f5213f49574

SHA1
2f2e69e7297512207014eec6322c33e5fcc9ec06

SHA256
1f0e9affbd35a7f8b6197ff48d2341808da7b9e6d107102c389a9ae536a9a2a4

SHA512
0b000d8b56a3412c91ce8f7b6e0f9eb85ac3abbc04d9e402d943e65c239d2a90d83e1ed0ef0f2b2120bd8a8a3ce43d75f4f445585cc3e65f5a38c588798a83d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e701d571-056e-476a-bbc8-6f36f3f148db.tmp

Filesize
8KB

MD5
073721b81befb8ace8a61a9daf5ece8c

SHA1
cf11a9e323d241f8f9ff5340c7378fbdf6c2fc4c

SHA256
4ebd6a701602dacd4f1a46a35aa0ab1de89023ee6e1cd0aeb69a044d2a31c4cc

SHA512
3fb85294d8c2895356041ce2583d94a1698278e533e8f4fdb0fb7dda6dc4e0389ffd1e4a2aca430ab34fd4d6e825004965229e2ace10fc58a2e2201e8cfee366

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
fe7615974518c6934a1fd8b2a72534ac

SHA1
29a3b5387b14d8bfd26e23ed7ff9c09446d57eef

SHA256
e837b475633554099ce165d898baedf382eaa255a3abc4cc42b9c7ed2b1bbc61

SHA512
6192f39d6fcc6618fa7f9e119b4aa54dca0ce6e91db2155984bd395cb5c5c02a26a9e2df80bf9b180063b491173e3e300c5a550a35f6d4cb6c351bcc828e2209

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
a615dd9d15f9646169b52e95aaee4399

SHA1
60fe9b0813e8cfef2f131d65077b6237cf49a88d

SHA256
c7a35de73a697d538bbf785c6961fae42926dd04037a5d51ed8d41c40b930e12

SHA512
64f19e69cd3163caa7134331756b7dbc9aee67fa372d2ec0b7597ac49f8ed3e17ff1f1efe51a944c52216be0a20dc54ed6a527be03636a01faa40904a87a3b11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
f132d4d3a95af3d20917e4d08618f4a9

SHA1
e12163c83372082dca1feae6a78ab54320fade65

SHA256
99af4551c9eb7553ad33665a3490e5a5ca4c5d305ed6cb47c8ddfd0d86e21544

SHA512
2903898278458f7bd2efefa380a12f61c9d620fc52f1390eb06c11c57f1c553621ce14c7858d654ed3c1efbfaf29e9e0ac1912441b754fc8d5d8f189e1fc8fc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\608eb280-300e-4a84-8aa2-19afbae1e822.tmp

Filesize
1KB

MD5
90701751db1ffc327a7ed030c7cf2072

SHA1
59607fec75602b81d0dcc7ba1d4b72c41db24b67

SHA256
31f01c7703e6370702af470835030ba155372e6bbebd7ea53cc7744f7f14fad9

SHA512
08b55eedd98a03fbf707165c0a7f45b4771b7588794c7e5433ffe7d8c368047d96aa73cfd3b6044c48631007a6d72b60ec881258f2de0b7f153ad32726a7d36a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
28KB

MD5
bfb4ad144233248db8f0b493c9f53943

SHA1
75f204ac49008ca945d35db03568db5ffa2ee27d

SHA256
57819395af403b8697d446c0ef64388fd0f4b33af5647bf8a79d0616cd903393

SHA512
0f5f4ffdc046a81da203998f22ce0f156036b3c14646faa1b1c30d6bd0cf5138b70b3d5ac60b2b6eed36d2beadc108b78119f757bea84705ac71a8f1b3d4dd6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1008B

MD5
d83a2ff8a8351c68b0029df1baf55964

SHA1
ee4736b770ce4a86ff06756c505601ffd119b410

SHA256
af6679a1e574c335736fc77b7abf0de3d66a7a3b442884cf148695eca392e1d5

SHA512
4dc205695e35c18a3ede8faabf19c2a777e9baaa92bbf8f00bada5f42e2b43a1266eec3f9d7e56fcfc3cd8195272b309b060155a2af76c85852d05c1daf9be0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c8c85dd6ee5bcb2166d9b69794c3c13b

SHA1
8331dfe3b89b6eac26e064534e974a969766f84a

SHA256
f03ced3c443436f9bbfd05e0785d0306ef7146ad379ee0042cf20ca335726ef7

SHA512
2eec3bcda6a9c25808ab1563178e9b93dfc09b7525f9f9195e64cd7bf96cb6ba3e968712e811f9e5713d9bf82370d9c9aa7d7b9acf51aead792b160fd5ff244c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
da01bb3c2de0dfdf65e5aeb10b216508

SHA1
313222200f8ded8ac4da3881e12ef97042b80746

SHA256
6bed8d2258b0e02fe66c1626bdd680d716b0f536b83dcc4b8ceb1ef59a07c1ee

SHA512
900629484b91833037bbb82be1275ff9f12f58758f4237f7b3ccbf806e852fdca264f5d5c3c23f0ebc03d98167c3e7e8b486b7b4a9b6b246d5ac35238aea2930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
46787587ca55fd844cf816395ff2a13e

SHA1
defd91ec038f8b79153b51bd06073b661db0afaa

SHA256
df7da014cbcc87566f8864715a9408a11cbe92181a8a711c57a5b28f1b771841

SHA512
30bb1b7d38fb9c36486137f5bc39f831e1574e9cd69a8a1cb0235d46d8b0da5da639c785797af8858f03b9a7c8643aaddce447be49596fa8108b0c65b0d9cf4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a38c25759158782ebf13d078b94a8589

SHA1
66f4621b5be1fe180f090817cad3a9f0efeee42b

SHA256
1aedda9ecebc49ea2bef72b48c7a66f54d236ffa86635333c667b2983a9fbe8e

SHA512
ff624fd80d8f3ce169dc2f132df2f9ed06bf84c27ae7c43e53c69b27c24c84c3f665c41a6d026569340f1622b84ad4e042c5fdc76c999a5704cc2a3efa58bcaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
07f4b493f36f411829412754489d1449

SHA1
58f3b5f1e70bd56c5acfd677b43704242afaccaf

SHA256
e1dc691853832ec8e699fe55cde582175c29caac7d7c42bb3b1964ea0bdf11ce

SHA512
5e007d49065a65d07ba10e53cfc19081b95bbdc40c054c280cae499ec533f0bf1d63d6b4afaec7905aa3fe393027b86b2db2d67ea9944b8ea3770ff48c1408d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
70fd0d155246c14d3b9f3c9b5daf7218

SHA1
689c4d79c2abf078dcb7cad4c943abd67590a09b

SHA256
a26b89ad8df41cce0c7c84aad6293310f402fd6e30cc78f15e7a0f555182fc04

SHA512
48c6ac243ba2c1a4bd74f5bef3d712269d9d2b527e07ab369f688b6eedd69f1c9a91161de86ba01646e53e516315f7ec2dd2e80c67d6e8e5bae0baaf8c021324

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
05276cac5289da5497b982836451ad00

SHA1
3114550555e7aeda0292adcc3c3c504aa7adc6a5

SHA256
efd4275bba7017f334aee48efdb3f0bc027db64d92c54d2c8d2c8975e8352fe5

SHA512
61675ffef6ad54f1c331af9962bac12e67eafd78b10d2a604d67a0575b01742303afbb57a2c4811017c9bfe08bd853848e60310b06afc5b9790a36f558995f52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
38d4be5477f7e410202c6d2a16825c72

SHA1
5294dc91dea7b36d6fe8790230fd1497ce46537a

SHA256
59572c6922497bb86945109fe7e7b1d057f80dcfddc22323cdb961ba35e08e32

SHA512
3419b5ab1ec9d65857b15e6c75e17c2d53916c954f52f1c46a3a9d9146f98873752ca656a313b35950f6583e6e318c2d92c7a9f5fc033e8465484e7d8978cdc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
8750382cb77fec50359bd56894cc5e96

SHA1
b82ea123010c8ae41dc54591b70e6e414700ab6d

SHA256
b9704c91a5052c47f6fb69f96c71bc5f36797f6a406bb0423e252b9cc3722001

SHA512
d4818b7fa1ae14972c334f3ba84b7e70e5fda3d68f8979d33bd2839378a69b73b7c29ef33ee8c0ff6d8f6e58c9ae3e70e191253cbc1ebb38bf31895110917575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8dae8bfb03bda62a4237f106fb1c4b45

SHA1
ee90eb69db877267e376965d71acc1cca2b2679d

SHA256
a79ef593b7824adaa6273326b673daed2416fd3d61b3d25bef377326fc48a81e

SHA512
997176ea74558a9de1fdedf08ba14f667732bd484138fcaedb26984d23293b394e9c78f7f7a535c21c4642af7f62c29c5e36808c6976fab6c9572bd6c2176979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4d28a58a3c3b148eafccc24c3dfc1b6d

SHA1
6b7d58f4eb27e28e7589ab420265fe184466b2c7

SHA256
39ac13d4141f161b6fadd1dda09b53dc909cc11a5ac7172b9798b7adce3a7ef3

SHA512
b035a6deff222446b569a2713518c80437eedfbf414b6d5d36f8a55dbae7704d903081c610e3219cf68f2531edb62e53096b94da907a155ad81f995371b54cbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a8e61fff8adb0b9f3b4535f5c2d96a19

SHA1
f43361fdf1458baff8672dbfed541c9e3ab0aa7d

SHA256
a637978aab329c7cfb854f56114973800c50591fe1494e533e5c602ff441ad41

SHA512
9088a1b0406d8adbaf5d09adc448a1fd57566e0833fb20860b6f241d19f876f18f5966b1b80363d9ee2c5d6d78cd4b98643382829454ab14307de7a5cbefc12d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
52808660f32fc818d94afbb68b74428e

SHA1
fc25576d43496b71605a6af040b25a7fde197814

SHA256
690416cecf4b14b0ec7a51b389651c41788d06889350ee1a1c020c1bd8e338ff

SHA512
e1682433129e172521c1b6c587f1c0d17f36f30b74c0e449b2a82a86365ec3da42b95b66ca8857e94df21187039e0806c76b406c7d3eca7880d1549e4bf09832

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5b773d5a42a5f6e32f724e2f4e426102

SHA1
e32f6bb5d961e9878ba9111a61805d6c6f09b80a

SHA256
7d50d94ab97e7d3930c4ef333b0c984c59434760c7627bd22c6fc73b76b84f2b

SHA512
87ddf324c2e2fd0957de222f22a0cbc54613d3b9280f65f569c9eace008c100d46d129864f640eb989275a138b65b25409eb6d87688e36576cf30a1cf154fed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7fe99d29e4ece9759b3e9f8cde7fa7ad

SHA1
1b6490545e64122e23c0de9b654f80d094adab05

SHA256
52368c7bc55f4e4fc6a21814514ce7fdaf3288a03ef46635c065c37c9febd92c

SHA512
6b80e363438daede38a8bb481c4949d2ea53b8d1587a4b6db2ffa5042f6b90268e3b37548c23444bb6eb28b565f117b7736e0866a3b24c893fb3bd90ecd19e9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
daead1d42d7cb6d092cd37a1bc6076de

SHA1
62305d92e866deda0833f079d5cfc42b4af33725

SHA256
68343aeea333f04d8577d1be5faba003fc0c379dbadc60e0f196e84b1d6b3f1a

SHA512
5ba36905deda336cd0f5d9da562912d7daaffad0c10a31085e51a3461f5a81a568c6d0c09cd91ee99f3e7908f34e43c1ffb0372904f22edd8fefa69298346b9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
06405da1abc24ada0c6770e3a2327c41

SHA1
a91eeae68d0b181a5827abe361dcbae092492ae0

SHA256
4c973da67ae12db47c4e997203cef776a7d6f16082fb48c34fe70b5252673ef5

SHA512
f9ac34b50d425de6c3ca8b2bbdb1f18d1b5412abe0f5f8ca92d638114119c35fbeb6311728a54e43703d0d04e7671a1e5cbbd9fd9be5ef7f671685ca1fb575ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
51672cd4cd935357301b7ab62d25adcf

SHA1
94111a07aa5ca13b2231d30be33c75c343d414ea

SHA256
588b86a0b0b48f1015a7f20eec974ab49350509dabb8f9ee890091543059c486

SHA512
b6cc6c6d5986c912a78594cd0677e8eb1423c13b0a3b95ac04242713368fdb6b2a568c23f2591d4d63d11fea59bf4f7ff67124d98195f4172de3bd8b8178b2cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
29183c3756d88fff7bc0f345465165ec

SHA1
0aaf4855a77bf01850217853629b073693b58334

SHA256
7d52feb34d2b2a547d81967f9c03cad1ccc90a404b56b0d05decca35ef5b58b3

SHA512
b5c15570a0d8ddabcc0bfa3e2fbf4a143bfe74a0e23e256d483815356dbcfd1c5c135511e6d0d68d5a42c11d4d48c52a148a230f5641a0894113d57168a0a0c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ccbd77291a36f1040ee1b48e901f9d31

SHA1
d2a06c1cea996f3ce2b86f3ca03d476bae836d5f

SHA256
d4ccbaa4f0b08eacb555b9e55e21e42a321310106e8452905579f71058b2af57

SHA512
9809943cdc0ec3fd4c26d79afd678b2c5e29a4bb258999ea53498637b9cdf28cd1592008a5050cd16667eb511bbdfbbfe16f6b30d7e3cd9e4c0205045bde2356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
84ee49ded4a24119b9d2d936db2b118d

SHA1
d340f9468f2e8dc4a1eccb4c88bc3ab502c99213

SHA256
6fda511e29ea2600f2b7e7b6f7951f7a650109784899bfe94cc7fb2b80c46776

SHA512
963b9cf7213e7c818f4f0fa11a50b1b6045644206f7d2f6ecf25e9647c44dcb9b6c0894114628d67e0229f97fb3c20c0976064726bdc72ae84bb39f5769c57d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5f6b499fd2d92ef9ad22525c45df90be

SHA1
556ffeb76bb984d56a5fcd5c866cc842e5bb3399

SHA256
01cc8392b24d92ba21e8a510554ecfc14a2cddfa914bde44e41bd825d477817a

SHA512
5e80ab91e9f80e09549ec6600b2fb7194900fd078d43a29ee3de69b8788b6df1c6740cf703a0e03b11c1387784381cb9e8111479972338d853c3dd442310d779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
26481e2315572f26f57b063b0c92f269

SHA1
964a70ebd2ad343d1f3e14b969439ee10c458350

SHA256
dc817e527c49da1904e1d6c7a4c6839fee7f662c53d85c75e67bd54509bbc613

SHA512
a6dd72e81dbe6296d5f732ba117150926ad30d62d51243919991c976f0280bab83b34d3fc4fa67e58d2f10d0ec57437a52a8d6d3cf89a21c486849884d0db632

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8fc9010e11849ea69b8de682c848590f

SHA1
e111eef1f31213f67807d150e27600bdf1e53091

SHA256
0504e3b7487f83672b94c16384bc8a922be0dff84ef4177602f988e184df1f75

SHA512
20fa303ed4034f865c9a778f5b76ff4f716fa49830583de91080c9b2878ad10f142f9f6455ee9b14b3a21d6319e01bf37ac4c0f5d466a846e2dcc8cc535011af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
924a1b5972fada7d7dacb89fe1dfd2b3

SHA1
9e53daa34483fd012aed1ffe1f04e8fd930ffeec

SHA256
5d999ce0470b804ae7b5c2b9c2e1c1e7032516939eaf2ba4ffd5b14090108675

SHA512
d24420b843b10b0c0975db48bc3d15d475c955578773653eeb28b4a8485c0364bf2988131e53cf52e786c784c355e3bd1ccabf89621ff3a600b426c7f1c61007

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
523adf21443c504c392fc25e04c525c6

SHA1
3b01d01b3b19c08fe3cb2944933ef46726189418

SHA256
6656a268acb3a608ec7f6f65d9d739a452364bddb10d232416bd310fa5d210b4

SHA512
7c10df5fb2531b1b7f802213b8eb957ed054d2ee2f5d256b8be6966a715fb39dbedc0b27a36e66cddc337657e84e90752dff440ebc3628b1dc76b2989fead922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b4db3c337f559deeaf3eb7829d39a11b

SHA1
d349bd30fc6c0641da0e81f507992d240e1c9aef

SHA256
a16c39fbc049ee6ffe742df901653446466db3be4b0925ca4c603349ea42a813

SHA512
81f9b1499ccbac3da04b009e391f367ee7f9189eb6759ed86070da83d59478a2e0cd253657a2f5981488df963ff4915d76ea674a9c771a00692e0ce7b3b3696b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
60f5b464b4ecc4c29342c34362517f78

SHA1
a1471212fe430f836684fac03b47641904df21f7

SHA256
ea824c02665e88f7895ace81e00aeef94b83cb9a2565e370043d14c8f8202fec

SHA512
dedb3335aaf0523987714937bd027742fc21105032b22e2f37e1b7459468ce561abfb94a2a48f1d3d29c916cd4d4a5869cc21d16abb144336282de81d380804c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
95ab42ae8142f3a66b8966d604fea55c

SHA1
06fef7377ff499bc10c904d9517c64a6dc03d519

SHA256
e0d3af9b780db2ba601ec18aeaa0c86b82839e95571b2712ab8720ba85df8f94

SHA512
9b95b808669d514cc8df11b2dffcecc8732a3c31862467e38c83f7166bbc9c9cbab91439263583dc00190826d53bc65dccf3d17ab069e4ae1c6f56ed0aa80b2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7fbe517cd5e400184e322f933ca4551f

SHA1
b6b2177a44eedeb832c50ccd6d5738132e327e74

SHA256
7171e59ccc370f6d8546324d7814239fb7991d6c9b292c4369cc01cc6119e411

SHA512
764d5ef612692c5693a25e2b92fb2f1fb5704274af55445ec4d0799da083423bdd18ef2e6e50e46ec5531cf579fa1ccfa0e7cfcfac12b2462eba46a101601d71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3e50881883c0c1146edfaef1da410209

SHA1
373fc9760cf0b2b253b5da56b71d973e78764193

SHA256
e5729135580959571d2aab32ad18afad49f66a789018627f92a7249e310652e9

SHA512
c7df6d5abb0af633c5fa0b110e2417842bb2dd1e75e8f4ebe97564891dd26d528e3c50e77f741d58620b1c64c916feefe5c48bd4d483fd461e5752301bf7bd16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57edea.TMP

Filesize
1KB

MD5
ad9a1ac815382781e19410bf10cf69cc

SHA1
012f766de2f92dc6947bc33e14cd55032427f256

SHA256
6b2939f5e9838d21e5d9273283a4dcd7a01d7179bfc82ee2a4e320373285e960

SHA512
73a5e779a8414e9a979d2beecaa61a669a146bf7c747ab54f4a72a511dd41cd19c72267bf05cb26160355fc361d1ab5d6c7f757911dd96ab0485b1dd24e299cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ea7d5c6e73af8fed3d99d6edcc07e97a

SHA1
157836989f24b6d9925ca97f8922ece7e885bc74

SHA256
ba90e96db1ec2185a7c7d140d369a1aca1ff6b384818f8058c53283ef7a4ea51

SHA512
5dc81582d7ba934754984e05749dff738b57f6c66a76cd3378648ff4cf673bfa867177afae815918d5c6c73a45414bf5529da230c40d5590c9976465cd361d25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
88bf089f8c18f0631586252cf39fbf0c

SHA1
7d1cf4c194c344eed33e0b33b5369b80cabcd9d7

SHA256
49bc33a551a9809d1468d9dcfb9e3a2d5703dfb8d2480fe044bf686ab48a20e3

SHA512
88408444a5d535f5d0a78165fc60ca33b6a603f55f14548d49f1e65d8fcd474617397cf05880efee9b0ebd09aaae662919c91a108f9778e8848d0b2554013d26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ccb7c804243fda4167852b1bfd8031ca

SHA1
3c6b8ee0ee3a31baded99a3e6e6c1ea3a85cbd9a

SHA256
8a8b7094ffae3722b8a64d678c4b08236fd946d43745664270fb4173be2094e3

SHA512
2b09108f2df7c96f4d48da604636f1325a7b6b46df16c6c205cd71f79adda08208d9cd7509e96ed36554ab7aa1068a01132046e44a9f43a8bad2fb5604464342

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d3a0a354d9befd1c16da19700286baa4

SHA1
3f5a3a29171c1ddec697248ebdf9d9ed7e53a315

SHA256
c94d0cf5e67da622f6a190427775236841067bc05978b60d03e04a5c2a0b5a60

SHA512
7a7e38f467cd8f052caa4a2efdb9be877dd54058fdb9c4f7db0bb759cf31b8c17a63eab5b5c82d9a626b55c4f368a33863f240227ebb0a0027a7668927e4bfb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
03a0afa2da3ab858d4049e93571446d7

SHA1
26c9781ff914d695b5f8cba28ef513aff0608d73

SHA256
6198b58c48e52ed5ff30d5a0a9221831e20499d56033c497adf0a592eb151d55

SHA512
9b828c2dd36726d11313c188d1c90d6738acdae996312db95239d60d82ee3fdc72b8762bc35f7484831117d51a6940e44c75043f40e39dfab0059eb40eff2ed4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ad6fef9f6ab24fc9bec6a1d07cbe5445

SHA1
be322455f22a7528a31875524e5746fad6d27e07

SHA256
a40f74813e61c0109d4206e5f67d04dc659fd89d7d2071fbe1a82b4767587696

SHA512
c6312e56e1bd9520aed0755b1082225a5ce6b6b256aca25c3998dfadf4bdd5845618bd567143f1490cb7e947cba61e9cc6527c6f3fec8e8d650bcb2f68de11e7

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.7MB

MD5
3a2f16a044d8f6d2f9443dff6bd1c7d4

SHA1
48c6c0450af803b72a0caa7d5e3863c3f0240ef1

SHA256
31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

SHA512
61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

Download Submit
C:\Users\Public\Desktop\JJBotv3.lnk

Filesize
1KB

MD5
9c5651b02277304ae72a0ba0073c9234

SHA1
eedcd6d46a46073be519714cc5c6d56d5b206796

SHA256
8057a10ed83284051b0f8ec1283a7d8e1536481b212711fd42c2022adc4a02fd

SHA512
3af4371c1914fcc06fe4e18f6ed7146e42eda3b9563a4965aeeb50b0d7827e00115ff32180c15881f9019626288c3b303fef1df4421e65960191fdd788f97cf6

Download Submit
C:\Users\Public\Desktop\JJBotv3.lnk

Filesize
1KB

MD5
6a0bb7533df68551da6a3eac74c84a20

SHA1
aa48202dbc6f4753c53178451d772799d5d5554e

SHA256
17d4fda49192fc0843b1143baeb54ae29ae4380f851a10dac850c93b288f5f94

SHA512
4e36b3888b859bafed12cc6f1eab9ed98410ccbc4091128ef9b382b30bc51b5f580b1c85714002bba0d56cb848650c30537a348c16263b581ae7ca41e674d2dc

Download Submit
C:\Windows\Installer\MSI6008.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\e595f8b.msi

Filesize
34.7MB

MD5
488b1c3be9dc419e7357aae1839b23af

SHA1
aadf4a443dcdcc07dedf718b5a901f0f59891705

SHA256
76d60c6338d9d68eba16a7e6c2faec9ded0fda7bbd4d103a17b064592e808b7e

SHA512
28d37ac23f1155cd19b70c4d1cf7155ef96c344c3039550a3d25be0c41a624e69587af6193a1496dcfd75e17a3ba4e19d3f79105ab23df8fb825fe32082c4e6d

Download Submit
C:\Windows\Installer\{D1519E14-2AB0-389C-B7AD-51E57DC3C2DC}\icon1735593305

Filesize
155KB

MD5
1a22ba7e511977689bfb35cbf2db061d

SHA1
94e2ef362afba93afc92a78c4b3f2ad2ae089220

SHA256
dbd3b20568a647fb68875e34510f94fc333ac5e0414f20a3f717a87c06604003

SHA512
1d61b2c282eb9311649a31884ff40a6b465701dce8f96bb6a76cc39f365c7edb4998c7995d7e230e3d870691c7f035379af0956b0fd24cd98661a5436f50d105

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
f1f81e3cf1106dc80f46545b6e437eed

SHA1
b266ffe73c57443e0d3f36a8a6e90c51fc56c98d

SHA256
a88c7a0475d10f227986daec4c2ab59d8f730dd74dd396db6e1afdd8dd49048b

SHA512
22e1160bae4097d04f1385f455852d16c858ecec2c438738732b8468514d101b39adae13a2a2ab3727aef371e72b628c0602f4a71fbf4aa0b16b9daf66a3b45f

Download Submit
\??\Volume{fa3589b5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5706db65-ae8c-4096-ab61-67a37cc83342}_OnDiskSnapshotProp

Filesize
6KB

MD5
6ec020086b83ce98f2ebbf6800c2f9f1

SHA1
ff1e013274ab3f18e38177f2a0289f209126647c

SHA256
a493b80edb49d648f08e4058081ce61596ecd4d8de5ab249ef5e4c4cc840991a

SHA512
c8699ed8be6a7b827af4d2d1cf0daa46fe7dc7d3ecebca887999a977abe11bed7e57b1de995ffdbfe4911784e282c5b47895919ce4eac11288951111c7568f72

Download Submit
memory/1752-813-0x0000019578930000-0x0000019578931000-memory.dmp

Filesize
4KB

Download
memory/1752-804-0x0000019578930000-0x0000019578931000-memory.dmp

Filesize
4KB

Download
memory/1752-814-0x0000019578930000-0x0000019578931000-memory.dmp

Filesize
4KB

Download
memory/1752-815-0x0000019578930000-0x0000019578931000-memory.dmp

Filesize
4KB

Download
memory/1752-812-0x0000019578930000-0x0000019578931000-memory.dmp

Filesize
4KB

Download
memory/1752-811-0x0000019578930000-0x0000019578931000-memory.dmp

Filesize
4KB

Download
memory/1752-810-0x0000019578930000-0x0000019578931000-memory.dmp

Filesize
4KB

Download
memory/1752-806-0x0000019578930000-0x0000019578931000-memory.dmp

Filesize
4KB

Download
memory/1752-805-0x0000019578930000-0x0000019578931000-memory.dmp

Filesize
4KB

Download
memory/1752-816-0x0000019578930000-0x0000019578931000-memory.dmp

Filesize
4KB

Download
memory/5732-2495-0x00000000007D0000-0x0000000000F5E000-memory.dmp

Filesize
7.6MB

Download
memory/5732-2525-0x00000000007D0000-0x0000000000F5E000-memory.dmp

Filesize
7.6MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads