chimera | 67b2c63de52b106cb5067d162d231d04d9a4c977b470014b8bd7e3142451c0c7

Analysis

max time kernel
871s
max time network
879s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
27-08-2024 14:56

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

tyler.jpg
Size

47KB
MD5

a4e8e2d3b2f54a7d91f73f25280e29f4
SHA1

77ecb0a6391a72b0deba66b651adc70aa9e31e97
SHA256

67b2c63de52b106cb5067d162d231d04d9a4c977b470014b8bd7e3142451c0c7
SHA512

5c100af3d55901a5aff5c53490c797b243315cd66a2c319cdbcd1b15308470fcda987222bf236ef415fdd35cd0803b9b08aac8843d2d9fcdbf1f79d4e5fadb48
SSDEEP

768:HDZyIdPap+jg0263KE+lP2CDvz9IT7S+uulO+M0+Kd4d9gg770gde4avcC+8JnGs:HDRdPE+kA6EO2O+z5lfV+KdA9gg7Y4a5

Score

10^/10

chimera crimsonrat revengerat guest discovery evasion persistence ransomware rat stealer trojan upx

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Family

crimsonrat

185.136.161.124

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

Processes:

HawkEye.exemsedge.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-sl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
91	bot.whatismyipaddress.com
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedge.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\tr-tr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

Processes:

resource	yara_rule
behavioral1/memory/1672-799-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

CrimsonRAT main payload 1 IoCs

Processes:

resource	yara_rule
C:\ProgramData\Hdlharas\dlrarhsiva.exe	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Renames multiple (3280) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	revengerat

Disables Task Manager via registry modification
evasion

Drops startup file 4 IoCs

Processes:

explorer.exeRegSvcs.exeRegSvcs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93b36425.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe

Executes dropped EXE 64 IoCs

Processes:

dlrarhsiva.exesvchost.exebutterflyondesktop.tmpButterflyOnDesktop.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exeFree YouTube Downloader.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exe

pid	process
5336	dlrarhsiva.exe
4680	svchost.exe
3740	butterflyondesktop.tmp
5840	ButterflyOnDesktop.exe
2592	svchost.exe
668	svchost.exe
4664	svchost.exe
3020	svchost.exe
880	svchost.exe
5960	svchost.exe
4236	svchost.exe
976	Free YouTube Downloader.exe
4340	svchost.exe
3008	taskhost.exe
2224	svchost.exe
1492	svchost.exe
1488	taskhost.exe
4056	svchost.exe
4732	svchost.exe
2052	taskhost.exe
2704	svchost.exe
2308	svchost.exe
1956	taskhost.exe
3288	svchost.exe
1952	svchost.exe
4216	taskhost.exe
3352	svchost.exe
5304	svchost.exe
1368	taskhost.exe
3204	svchost.exe
2604	svchost.exe
2884	taskhost.exe
1344	svchost.exe
1828	svchost.exe
964	taskhost.exe
2880	svchost.exe
5016	svchost.exe
4648	taskhost.exe
1928	svchost.exe
3536	svchost.exe
5256	taskhost.exe
3084	svchost.exe
5388	svchost.exe
668	taskhost.exe
2484	svchost.exe
4724	svchost.exe
1228	taskhost.exe
1932	svchost.exe
1184	svchost.exe
1068	taskhost.exe
5208	svchost.exe
5652	svchost.exe
5712	taskhost.exe
1008	svchost.exe
2776	svchost.exe
3720	taskhost.exe
1744	svchost.exe
4700	svchost.exe
3236	taskhost.exe
4980	svchost.exe
812	svchost.exe
736	taskhost.exe
5200	svchost.exe
5548	svchost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3656-9146-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/3656-9148-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2864-9152-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/6060-9155-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/6060-9157-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exebutterflyondesktop.tmpRegSvcs.exeFreeYoutubeDownloader.exeSevgi.a.exeSevgi.a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\93b36425 = "C:\\Users\\Admin\\AppData\\Roaming\\93b36425.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"	RegSvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*3b3642 = "C:\\93b36425\\93b36425.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*3b36425 = "C:\\Users\\Admin\\AppData\\Roaming\\93b36425.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe"	FreeYoutubeDownloader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Netagent = "c:\\windows\\system\\sysfile.exe"	Sevgi.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Netagent = "c:\\windows\\system\\sysfile.exe"	Sevgi.a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\93b3642 = "C:\\93b36425\\93b36425.exe"	explorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 26 IoCs

Processes:

HawkEye.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	HawkEye.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

unregmp2.exe000.exewmplayer.exesvchost.exesvchost.exe

description	ioc	process
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\G:	000.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\O:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\Z:	000.exe
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service
T1102

Processes:

flow ioc

147 0.tcp.ngrok.io
173 0.tcp.ngrok.io
209 0.tcp.ngrok.io
228 0.tcp.ngrok.io
247 0.tcp.ngrok.io
251 0.tcp.ngrok.io
72 0.tcp.ngrok.io
95 0.tcp.ngrok.io
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

280 ip-addr.es
55 ip-addr.es
67 ip-addr.es
91 bot.whatismyipaddress.com
136 ip-addr.es
170 ip-addr.es
206 ip-addr.es
242 ip-addr.es
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

000.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Control Panel\Desktop\Wallpaper 000.exe

flow	ioc
147	0.tcp.ngrok.io
173	0.tcp.ngrok.io
209	0.tcp.ngrok.io
228	0.tcp.ngrok.io
247	0.tcp.ngrok.io
251	0.tcp.ngrok.io
72	0.tcp.ngrok.io
95	0.tcp.ngrok.io

flow	ioc
280	ip-addr.es
55	ip-addr.es
67	ip-addr.es
91	bot.whatismyipaddress.com
136	ip-addr.es
170	ip-addr.es
206	ip-addr.es
242	ip-addr.es

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Control Panel\Desktop\Wallpaper	000.exe

Suspicious use of SetThreadContext 20 IoCs

Processes:

RevengeRAT.exeRegSvcs.exesvchost.exeRegSvcs.exesvchost.exeRegSvcs.exesvchost.exeRegSvcs.exesvchost.exeRegSvcs.exesvchost.exeRegSvcs.exesvchost.exeRegSvcs.exesvchost.exeRegSvcs.exesvchost.exeRegSvcs.exesvchost.exeRegSvcs.exe

description	pid	process	target process
PID 4788 set thread context of 4792	4788	RevengeRAT.exe	RegSvcs.exe
PID 4792 set thread context of 3888	4792	RegSvcs.exe	RegSvcs.exe
PID 4680 set thread context of 5736	4680	svchost.exe	RegSvcs.exe
PID 5736 set thread context of 5864	5736	RegSvcs.exe	RegSvcs.exe
PID 2592 set thread context of 2460	2592	svchost.exe	RegSvcs.exe
PID 2460 set thread context of 6104	2460	RegSvcs.exe	RegSvcs.exe
PID 668 set thread context of 5216	668	svchost.exe	RegSvcs.exe
PID 5216 set thread context of 3556	5216	RegSvcs.exe	RegSvcs.exe
PID 4664 set thread context of 336	4664	svchost.exe	RegSvcs.exe
PID 336 set thread context of 2180	336	RegSvcs.exe	RegSvcs.exe
PID 3020 set thread context of 5896	3020	svchost.exe	RegSvcs.exe
PID 5896 set thread context of 5400	5896	RegSvcs.exe	RegSvcs.exe
PID 880 set thread context of 3948	880	svchost.exe	RegSvcs.exe
PID 3948 set thread context of 3980	3948	RegSvcs.exe	RegSvcs.exe
PID 5960 set thread context of 4356	5960	svchost.exe	RegSvcs.exe
PID 4356 set thread context of 3284	4356	RegSvcs.exe	RegSvcs.exe
PID 4236 set thread context of 4688	4236	svchost.exe	RegSvcs.exe
PID 4688 set thread context of 668	4688	RegSvcs.exe	RegSvcs.exe
PID 2440 set thread context of 1864	2440	svchost.exe	RegSvcs.exe
PID 1864 set thread context of 3404	1864	RegSvcs.exe	RegSvcs.exe

Drops file in Program Files directory 64 IoCs

Processes:

HawkEye.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\Doughboy.scale-125.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\merge-styles\lib-commonjs\keyframes.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\WeatherStoreLogo.scale-125.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\GetHelpAppList.targetsize-80.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\Timer3Sec.targetsize-32.png	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-fr\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-white\BadgeLogo.scale-200_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pl-pl\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-30_altform-lightunplated_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\Classic\Klondike.Wide.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreSplashScreen.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\Logo.scale-200_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.targetsize-30_altform-lightunplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-40.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarAppList.targetsize-36_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.targetsize-30_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-32_altform-unplated_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\createRef.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pl-pl\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\NewsAppList.targetsize-60_altform-unplated_contrast-white.png	HawkEye.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleLargeTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-40_altform-unplated_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\trdtv2r41.xsl	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.targetsize-64_altform-lightunplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsAppList.targetsize-30_altform-lightunplated_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Close.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sv-se\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Xbox_SplashScreen.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\msapp-error.html	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-40.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-16_altform-unplated.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_selected_18.svg	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png	HawkEye.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\warning_2x.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\SelectedItemsList.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\compat\Button.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\NotepadAppList.targetsize-96_altform-unplated.png	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-commonjs\types\index.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\he-il\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.scale-200_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\GroupedList\index.js	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-72.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_x64__8wekyb3d8bbwe\Assets\Xbox_AppList.scale-200_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\Overlay.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-60.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-64_altform-lightunplated_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\cs-cz\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\SplashScreen.scale-125.png	HawkEye.exe

Drops file in Windows directory 8 IoCs

Processes:

FreeYoutubeDownloader.exeZika.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe	FreeYoutubeDownloader.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe	FreeYoutubeDownloader.exe
File created	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini	FreeYoutubeDownloader.exe
File created	C:\Windows\notepad.dll.sys.exe	Zika.exe
File opened for modification	C:\Windows\notepad.dll.sys.exe	Zika.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe	FreeYoutubeDownloader.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

348 2808 WerFault.exe 000.exe

pid	pid_target	process	target process
348	2808	WerFault.exe	000.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

vbc.exetaskhost.exesvchost.exesvchost.exesvchost.execvtres.exe000.execvtres.exetaskhost.exevbc.exetaskhost.exevbc.execvtres.exevbc.execvtres.exetaskhost.exetaskhost.exeRegSvcs.exeRegSvcs.exeButterflyOnDesktop.execvtres.exesvchost.exetaskhost.exesvchost.execvtres.exetaskhost.exesvchost.exesvchost.exeHawkEye.exeRegSvcs.exevbc.execvtres.exevbc.exevbc.exetaskhost.exetaskhost.exevbc.exevbc.exeZika.exetaskhost.exetaskhost.execvtres.exesvchost.exesvchost.exetaskhost.exeRegSvcs.exesvchost.exeexplorer.exesvchost.exesvchost.exesvchost.execvtres.execvtres.exeBlueScreen.execvtres.exeWMIC.execvtres.exevbc.exevbc.exesvchost.exevbc.exevbc.exeFreeYoutubeDownloader.execvtres.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ButterflyOnDesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Zika.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlueScreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreeYoutubeDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2256 taskkill.exe
4972 taskkill.exe

pid	process
2256	taskkill.exe
4972	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31127767"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "2596495725"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe

Modifies registry class 23 IoCs

Processes:

OpenWith.exe000.exemsedge.exemsedge.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\crypt_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\crypt_auto_file\shell\open\command\ = "\"%ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe\" /Open \"%L\""	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\䆟縀䆁\ = "crypt_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\crypt_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\crypt_auto_file\shell\play	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\crypt_auto_file\shell\play\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\crypt_auto_file\shell\play\ = "&Play"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile	000.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\crypt_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\.crypt\ = "crypt_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\䆟縀䆁	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\crypt_auto_file\shell\play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9991"	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3007475212-2160282277-2943627620-1000\{AD14DE55-C5EC-4C2B-A333-F43E6E122137}	000.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3007475212-2160282277-2943627620-1000\{B9717A99-8D56-4C55-A543-9B7F99E3BC8A}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\crypt_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\crypt_auto_file\shell\play\command\ = "\"%ProgramFiles(x86)%\\Windows Media Player\\wmplayer.exe\" /Play \"%L\""	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\crypt_auto_file\shell\ = "Play"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\.crypt	OpenWith.exe

NTFS ADS 23 IoCs

Processes:

msedge.exeZika.exeRegSvcs.exeRegSvcs.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	msedge.exe
File created	C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\Recovery.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\vcredist2010_x64.log.html.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\$Recycle.Bin.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\93b36425.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\Documents and Settings.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\svchost\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File created	C:\PerfLogs.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\vcredist2010_x86.log.html.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.exe\:Zone.Identifier:$DATA	Zika.exe
File created	C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.exe\:Zone.Identifier:$DATA	Zika.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1820 schtasks.exe

pid	process
1820	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
1520	msedge.exe
1520	msedge.exe
4232	msedge.exe
4232	msedge.exe
240	msedge.exe
240	msedge.exe
5888	msedge.exe
5888	msedge.exe
872	identity_helper.exe
872	identity_helper.exe
584	msedge.exe
584	msedge.exe
584	msedge.exe
584	msedge.exe
5836	msedge.exe
5836	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

OpenWith.exeSevgi.a.exeSevgi.a.exe

pid process

1520 OpenWith.exe
1352 Sevgi.a.exe
2976 Sevgi.a.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

CryptoWall.exeexplorer.exe

pid process

1092 CryptoWall.exe
852 explorer.exe

pid	process
1092	CryptoWall.exe
852	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exe

pid	process
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

RevengeRAT.exeRegSvcs.exesvchost.exeRegSvcs.exeHawkEye.exesvchost.exeRegSvcs.exesvchost.exeRegSvcs.exesvchost.exeRegSvcs.exesvchost.exeRegSvcs.exesvchost.exeRegSvcs.exesvchost.exeRegSvcs.exewmplayer.exeunregmp2.exesvchost.exeRegSvcs.exeZika.exesvchost.exeRegSvcs.exe000.exetaskkill.exetaskkill.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4788	RevengeRAT.exe
Token: SeDebugPrivilege	4792	RegSvcs.exe
Token: SeDebugPrivilege	4680	svchost.exe
Token: SeDebugPrivilege	5736	RegSvcs.exe
Token: SeDebugPrivilege	1672	HawkEye.exe
Token: SeDebugPrivilege	2592	svchost.exe
Token: SeDebugPrivilege	2460	RegSvcs.exe
Token: SeDebugPrivilege	668	svchost.exe
Token: SeDebugPrivilege	5216	RegSvcs.exe
Token: SeDebugPrivilege	4664	svchost.exe
Token: SeDebugPrivilege	336	RegSvcs.exe
Token: SeDebugPrivilege	3020	svchost.exe
Token: SeDebugPrivilege	5896	RegSvcs.exe
Token: SeDebugPrivilege	880	svchost.exe
Token: SeDebugPrivilege	3948	RegSvcs.exe
Token: SeDebugPrivilege	5960	svchost.exe
Token: SeDebugPrivilege	4356	RegSvcs.exe
Token: SeShutdownPrivilege	884	wmplayer.exe
Token: SeCreatePagefilePrivilege	884	wmplayer.exe
Token: SeShutdownPrivilege	2028	unregmp2.exe
Token: SeCreatePagefilePrivilege	2028	unregmp2.exe
Token: SeDebugPrivilege	4236	svchost.exe
Token: SeDebugPrivilege	4688	RegSvcs.exe
Token: SeDebugPrivilege	4472	Zika.exe
Token: SeDebugPrivilege	2440	svchost.exe
Token: SeDebugPrivilege	1864	RegSvcs.exe
Token: SeShutdownPrivilege	2808	000.exe
Token: SeCreatePagefilePrivilege	2808	000.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeShutdownPrivilege	2808	000.exe
Token: SeCreatePagefilePrivilege	2808	000.exe
Token: SeShutdownPrivilege	2808	000.exe
Token: SeCreatePagefilePrivilege	2808	000.exe
Token: SeDebugPrivilege	4972	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3916	WMIC.exe
Token: SeSecurityPrivilege	3916	WMIC.exe
Token: SeTakeOwnershipPrivilege	3916	WMIC.exe
Token: SeLoadDriverPrivilege	3916	WMIC.exe
Token: SeSystemProfilePrivilege	3916	WMIC.exe
Token: SeSystemtimePrivilege	3916	WMIC.exe
Token: SeProfSingleProcessPrivilege	3916	WMIC.exe
Token: SeIncBasePriorityPrivilege	3916	WMIC.exe
Token: SeCreatePagefilePrivilege	3916	WMIC.exe
Token: SeBackupPrivilege	3916	WMIC.exe
Token: SeRestorePrivilege	3916	WMIC.exe
Token: SeShutdownPrivilege	3916	WMIC.exe
Token: SeDebugPrivilege	3916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3916	WMIC.exe
Token: SeRemoteShutdownPrivilege	3916	WMIC.exe
Token: SeUndockPrivilege	3916	WMIC.exe
Token: SeManageVolumePrivilege	3916	WMIC.exe
Token: 33	3916	WMIC.exe
Token: 34	3916	WMIC.exe
Token: 35	3916	WMIC.exe
Token: 36	3916	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3916	WMIC.exe
Token: SeSecurityPrivilege	3916	WMIC.exe
Token: SeTakeOwnershipPrivilege	3916	WMIC.exe
Token: SeLoadDriverPrivilege	3916	WMIC.exe
Token: SeSystemProfilePrivilege	3916	WMIC.exe
Token: SeSystemtimePrivilege	3916	WMIC.exe
Token: SeProfSingleProcessPrivilege	3916	WMIC.exe
Token: SeIncBasePriorityPrivilege	3916	WMIC.exe
Token: SeCreatePagefilePrivilege	3916	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe

Suspicious use of SendNotifyMessage 14 IoCs

Processes:

msedge.exeButterflyOnDesktop.exeFree YouTube Downloader.exe

pid	process
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
5840	ButterflyOnDesktop.exe
976	Free YouTube Downloader.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

OpenWith.exeFreeYoutubeDownloader.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exetaskhost.exesvchost.exesvchost.exe

pid	process
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
1520	OpenWith.exe
5536	FreeYoutubeDownloader.exe
4340	svchost.exe
3008	taskhost.exe
2224	svchost.exe
1492	svchost.exe
1488	taskhost.exe
4056	svchost.exe
4732	svchost.exe
2052	taskhost.exe
2704	svchost.exe
2308	svchost.exe
1956	taskhost.exe
3288	svchost.exe
1952	svchost.exe
4216	taskhost.exe
3352	svchost.exe
5304	svchost.exe
1368	taskhost.exe
3204	svchost.exe
2604	svchost.exe
2884	taskhost.exe
1344	svchost.exe
1828	svchost.exe
964	taskhost.exe
2880	svchost.exe
5016	svchost.exe
4648	taskhost.exe
1928	svchost.exe
3536	svchost.exe
5256	taskhost.exe
3084	svchost.exe
5388	svchost.exe
668	taskhost.exe
2484	svchost.exe
4724	svchost.exe
1228	taskhost.exe
1932	svchost.exe
1184	svchost.exe
1068	taskhost.exe
5208	svchost.exe
5652	svchost.exe
5712	taskhost.exe
1008	svchost.exe
2776	svchost.exe
3720	taskhost.exe
1744	svchost.exe
4700	svchost.exe
3236	taskhost.exe
4980	svchost.exe
812	svchost.exe
736	taskhost.exe
5200	svchost.exe
5548	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4232 wrote to memory of 504	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 504	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 4464	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 1520	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 1520	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 2260	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 2260	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 2260	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 2260	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 2260	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 2260	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 2260	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 2260	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 2260	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 2260	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 2260	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 2260	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 2260	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 2260	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 2260	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 2260	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 2260	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 2260	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 2260	4232	msedge.exe	msedge.exe
PID 4232 wrote to memory of 2260	4232	msedge.exe	msedge.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\tyler.jpg
1⤵
PID:4856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Chimera
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff69d23cb8,0x7fff69d23cc8,0x7fff69d23cd8
  2⤵
  PID:504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1872 /prefetch:2
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:5820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1312 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,17155879508838885443,3709839569450484625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:5896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5580

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1504

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoWall.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoWall.exe"
1⤵
- Suspicious behavior: MapViewOfSection
PID:1092
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID:852
- - C:\Windows\SysWOW64\svchost.exe
    -k netsvcs
    3⤵
    PID:5992

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4788
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:3888
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\a0dgwxne.cmdline"
    3⤵
    PID:2576
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDBF0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc51501822919D442D895662A8F98A3272.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5880
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xhlsktv4.cmdline"
    3⤵
    PID:676
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC9C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc74173E1DD634135AE5DBE1C3ADDCE7.TMP"
      4⤵
      PID:3000
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ar5qqvyc.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5296
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD09.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB2A6411982CA4FE4AFE1CE79FD3CFFF4.TMP"
      4⤵
      PID:336
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qnrzjkrx.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4208
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD77.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3A63AE6EC6FD4E57B161D5D628D71654.TMP"
      4⤵
      PID:5116
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gjvwqly5.cmdline"
    3⤵
    PID:1536
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE23.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc49A19A9BC5B84D528EFE66F7F1F6AAB6.TMP"
      4⤵
      PID:5756
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ti7slir-.cmdline"
    3⤵
    PID:1672
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDEA0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF13AEA1EAA9D40D2A159D8B8D1868CA2.TMP"
      4⤵
      PID:4880
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\txlz_2d_.cmdline"
    3⤵
    PID:1060
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF0D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4D97374361B34D80A4E13F470452DE4.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5556
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xu3-gubl.cmdline"
    3⤵
    PID:6088
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF7A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC820091FAA43FFAD8743E0012FBF9.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1180
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kkbq_nig.cmdline"
    3⤵
    PID:3204
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDFE8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5BB463AAA3344EDE8B2ECCD32CAA67BC.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2540
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vxmzpsgw.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5624
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE055.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCABC9649EF974364B4CD53D68F8FF9C2.TMP"
      4⤵
      PID:3320
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fxynonoi.cmdline"
    3⤵
    PID:3592
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0C3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1127028429364F9A8CC4428EBA696F82.TMP"
      4⤵
      PID:4996
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ot3btmh6.cmdline"
    3⤵
    PID:920
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE140.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6FA719A995174E7B8EA08555EB2F6B28.TMP"
      4⤵
      PID:2136
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kexetxfq.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6068
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE19D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA1FFAEC6CFFF42F6A59D184C80262BAD.TMP"
      4⤵
      PID:2336
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\5glsbtx3.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4676
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE20B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2C5EA827E40D4889A0D88B71EE49874.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4648
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\96c9vdyv.cmdline"
    3⤵
    PID:3424
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE288.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc800CE4A5B0704FCCBB304D38F9DD8810.TMP"
      4⤵
      PID:1012
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lgupcxjy.cmdline"
    3⤵
    PID:5520
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE305.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC328533C11894A79AFFF53E1C68EDD9.TMP"
      4⤵
      PID:5608
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7o9mqxkz.cmdline"
    3⤵
    PID:5772
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE391.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1A2FD9EE12440D3895D566E1A80A95.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4744
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xlwc0ipe.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4720
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3FF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc20E88E9E77C4AE8B648553C674A4FB0.TMP"
      4⤵
      PID:3908
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w_sf2_ne.cmdline"
    3⤵
    PID:1800
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE45C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBEAEF08BE0304EED8B6AC56D258A92F.TMP"
      4⤵
      PID:668
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_ib6jf6m.cmdline"
    3⤵
    PID:4664
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4CA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB36D8D90D70C45EDB8715BE1AE562A93.TMP"
      4⤵
      PID:3000
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cszqclbx.cmdline"
    3⤵
    PID:1064
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE537.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5508BE1CADFE4CBA97706582EDF1C679.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5628
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\omgyehiq.cmdline"
    3⤵
    PID:4944
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5B4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE138846F2854C3687A575B247F69A73.TMP"
      4⤵
      PID:5576
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:4680
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      Drops startup file
      Adds Run key to start application
      Suspicious use of SetThreadContext
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      PID:5736
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5864
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1820
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6nkfbd0m.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3168
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D0E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA808FC774EE45AD997452FBCD412D2A.TMP"
        6⤵
        
        PID:3228
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dr6pgtmu.cmdline"
        5⤵
        
        PID:1848
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D9A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D1C4B5ACF21418CAE3D51CB599EC5D.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4224
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wi5ex7ct.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4608
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E17.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD92F7377E0904C64B43115F6FFC0EE39.TMP"
        6⤵
        
        PID:2032
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ua3fzduw.cmdline"
        5⤵
        
        PID:6032
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E85.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD2F062FEA2B64E3EA9A313A4C0C3C033.TMP"
        6⤵
        
        PID:1208
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nfpdlzo-.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:668
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F02.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD439EB3BD81A46F2A31CA75D26E8FD49.TMP"
        6⤵
        
        PID:5352
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uljf0nws.cmdline"
        5⤵
        
        PID:3020
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F7F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDA30B396DA6942C3B2C4E770A97297D3.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5628
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\owriua1a.cmdline"
        5⤵
        
        PID:5968
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA00B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC49640E45CB54AB697CCBE9FF43AF6C3.TMP"
        6⤵
        
        PID:5792
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1th_zprm.cmdline"
        5⤵
        
        PID:2544
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA069.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA29DF7C13EA41CA9666F8CEDB781B50.TMP"
        6⤵
        
        PID:4484
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ijptltre.cmdline"
        5⤵
        
        PID:2880
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAC2B20AB8066449B86A3EECA8AEFFE64.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1840
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g5bqf-pt.cmdline"
        5⤵
        
        PID:1636
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA134.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4A5BA1F870A04C5EA2CA1B4B1E245EED.TMP"
        6⤵
        
        PID:4328
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yaasgmt-.cmdline"
        5⤵
        
        PID:804
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54C8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc210D8471DF4A41BAEBCBB1CCE7B429.TMP"
        6⤵
        
        PID:2084
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hvgbtpya.cmdline"
        5⤵
        
        PID:5212
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5535.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F8045616034402A8823CFB03BACB26.TMP"
        6⤵
        
        PID:4460
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uhqoipso.cmdline"
        5⤵
        
        PID:4616
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\y0ayfywh.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES55F1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC68ADA7CDEA74C9090ACE6776B2A3C.TMP"
        6⤵
        
        PID:996
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xhca86hz.cmdline"
        5⤵
        
        PID:5272
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES565E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcC2C688F4E9C84BF7995AF0BDCE148FB8.TMP"
        6⤵
        
        PID:4032
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\gxldnbhz.cmdline"
        5⤵
        
        PID:496
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56CB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB6443FC0AFC94566804F581BE8DD26D6.TMP"
        6⤵
        
        PID:6008
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zmq3of2v.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5748.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc327C098ACC3A40B983FD1CA28E1F4A39.TMP"
        6⤵
        
        PID:5280
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\otstmiai.cmdline"
        5⤵
        
        PID:5536
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57B6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc835F74479B854BFC9A35BE4C2F3E683.TMP"
        6⤵
        
        PID:4064
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hsnbtmtj.cmdline"
        5⤵
        
        PID:3380
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5833.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E5CD5ED65A4943B7E6851D283A889B.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5116
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qja4a2nk.cmdline"
        5⤵
        
        PID:2792
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES58A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6F89AFEABAA24D5592C93F246E9F8C1.TMP"
        6⤵
        
        PID:692
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xqazpibx.cmdline"
        5⤵
        
        PID:5404
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES590D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3502CD1D99C74BD68EE164C8EA72FEB.TMP"
        6⤵
        
        PID:5448
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vki49rqs.cmdline"
        5⤵
        
        PID:2512
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES598A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB6A0FC5D8A684FE6A4988A72A48B103A.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:584
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rmxoyeaz.cmdline"
        5⤵
        
        PID:2352
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59E8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6CE288F9AB648B9BE5992E0D18AA83B.TMP"
        6⤵
        
        PID:1124
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u_b4ymzd.cmdline"
        5⤵
        
        PID:2164
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A56.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc47B09020A4CC412A82741A36D4C854C8.TMP"
        6⤵
        
        PID:2988
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\u2xflg30.cmdline"
        5⤵
        
        PID:5176
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AC3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE10CBD702D3D45A4ADB74490163FF99D.TMP"
        6⤵
        
        PID:1424
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ksozbmit.cmdline"
        5⤵
        
        PID:5004
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5B40.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD955F8AB72442DAB062272E491E490.TMP"
        6⤵
        
        PID:1208
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ihuk6w6b.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4396
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BAD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F92ACB9661342DC9BD569C342CA3D4.TMP"
        6⤵
        
        PID:5748
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ytnmcq2a.cmdline"
        5⤵
        
        PID:1944
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C1B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBDC29DBE83B747DD9FB2336AA41D5D8.TMP"
        6⤵
        
        PID:5588
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jlib7jpt.cmdline"
        5⤵
        
        PID:3204
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5C98.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF0F4202B44F2471F814D89E36844C7E8.TMP"
        6⤵
        
        PID:2604
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rzmtgdc_.cmdline"
        5⤵
        
        PID:2324
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D05.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2E88F241662A4D23ABDD119CE18D3D8F.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3244
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\t0hjq9j0.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5520
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D92.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBF941386EC024A97A65553391857A67.TMP"
        6⤵
        
        PID:2392

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"
1⤵
PID:3560
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:5336

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe"
1⤵
- Chimera
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1672
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"
  2⤵
  - Modifies Internet Explorer settings
  PID:2736

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
1⤵
PID:2736
- C:\Users\Admin\AppData\Local\Temp\is-A1Q34.tmp\butterflyondesktop.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-A1Q34.tmp\butterflyondesktop.tmp" /SL5="$140374,2719719,54272,C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3740
- - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
    "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SendNotifyMessage
    PID:5840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
    3⤵
    PID:5540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0x108,0x12c,0x7fff69d23cb8,0x7fff69d23cc8,0x7fff69d23cd8
      4⤵
      PID:2008

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2592
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:6104

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:668
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5216
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:3556

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4664
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:336
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:2180

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3020
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5896
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:5400

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:880
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:3948
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3980

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1520
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play "C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip.crypt"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- - C:\Windows\SysWOW64\unregmp2.exe
    "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    3⤵
    PID:660
  - - C:\Windows\system32\unregmp2.exe
      "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      4⤵
      Enumerates connected drives
      Suspicious use of AdjustPrivilegeToken
      PID:2028

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5960
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4356
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4880

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe"
1⤵
PID:3656

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2864

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe"
1⤵
PID:6060

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4236
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4688
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:668

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\FlashKiller.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\FlashKiller.exe"
1⤵
PID:4724

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\FreeYoutubeDownloader.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\FreeYoutubeDownloader.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5536
- C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
  "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SendNotifyMessage
  PID:976

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Zika.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Zika.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:4472
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\$Recycle.Bin.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4340
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\$Recycle.Bin.exe", "C:\$Recycle.Bin.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2224
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\93b36425.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1492
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1488
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\93b36425.exe", "C:\93b36425.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4056
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\Documents and Settings.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4732
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2052
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\Documents and Settings.exe", "C:\Documents and Settings.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\PerfLogs.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2308
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1956
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\PerfLogs.exe", "C:\PerfLogs.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3288
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\Recovery.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1952
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4216
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\Recovery.exe", "C:\Recovery.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3352
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5304
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1368
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.exe", "C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3204
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2010_x64.log.html.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2010_x64.log.html.exe", "C:\vcredist2010_x64.log.html.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1344
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1828
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:964
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.exe", "C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2880
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2010_x86.log.html.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5016
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4648
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2010_x86.log.html.exe", "C:\vcredist2010_x86.log.html.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1928
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3536
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5256
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.exe", "C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3084
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5388
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:668
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.exe", "C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2484
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4724
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1228
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.exe", "C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1932
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1184
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1068
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.exe", "C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5208
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5652
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5712
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.exe", "C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1008
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3720
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.exe", "C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4700
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3236
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.exe", "C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4980
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:812
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:736
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.exe", "C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5200
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5548
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
  2⤵
  PID:576
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.exe", "C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
  2⤵
  PID:5224
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
  2⤵
  PID:2192
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
  2⤵
  PID:3884
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.exe", "C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
  2⤵
  PID:3344
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
  2⤵
  PID:6096
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3352
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.exe", "C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1060
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -extract F:\$RECYCLE.BIN.dll.sys.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, icongroup,,
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:5020
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.exe" -compile C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res
  2⤵
  PID:4744
- C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\svchost.exe" -addoverwrite F:\$RECYCLE.BIN.exe", "F:\$RECYCLE.BIN.exe, C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res, icongroup,,
  2⤵
  - Enumerates connected drives
  PID:5036

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Nostart.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Nostart.exe"
1⤵
PID:4992

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Sevgi.a.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Sevgi.a.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
PID:1352

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:2192

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Sevgi.a.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Sevgi.a.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
PID:2976

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2440
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:3404

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Alerta.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Alerta.exe"
1⤵
PID:5472

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\000.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\000.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
  2⤵
  PID:2016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4972
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' set FullName='UR NEXT'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3916
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' rename 'UR NEXT'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4876
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /f /r /t 0
    3⤵
    PID:1880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 3960
  2⤵
  - Program crash
  PID:348

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa395e055 /state1:0x41c64e6d
1⤵
PID:5148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings.exe

Filesize
5.6MB

MD5
40228458ca455d28e33951a2f3844209

SHA1
86165eb8eb3e99b6efa25426508a323be0e68a44

SHA256
1a904494bb7a21512af6013fe65745e7898cdd6fadac8cb58be04e02346ed95f

SHA512
da62cc244f9924444c7cb4fdbd46017c65e6130d639f6696f7930d867017c211df8b18601bfdaaee65438cee03977848513d7f08987b9b945f3f05241f55ec39

Download Submit
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
6ce18e7f0cf7e65ad1e8fdefcf8be1c3

SHA1
260ce9bb960bba02d47e820eed7d9675ca572727

SHA256
8f1b735760281e81a0d686387f85614cb875f2e4a0f996badc75f1439d571a92

SHA512
cb0fc3a8ade3de6b76dab398e27c882dc823a5a8d2effddd5b89ad2b2cb9006036fd1e7f1d08e461e24d905532a98dcd767ff7670e7757b1777ab11061dee14f

Download Submit
C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\ProgramData\svchost\Recovery.ico

Filesize
4KB

MD5
8472b467c26da50fd1cfe3de9cba902f

SHA1
97a4b26a2fc95cd00c27eb573463c3cfcad6682c

SHA256
67767a30864cdab2c550b476e2031b7ea770737159dd76a5d287f2a0d503863a

SHA512
01807afeba5688aa5f6a86e6ddf79494747e28a2d17a7010ce82fc24e95cacca6685c6d8df5df4a3dbf5170f1413dd7ffe77652818bea196572e9eb37ee44cd2

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log-MSI_vc_red.msi.ico

Filesize
4KB

MD5
602ddd0c457eb622800ec2b65d1a3723

SHA1
e322f2927b3eb868f88f61318589cdbc9b5e4554

SHA256
6491b2ebfda073e601f99be125c6ce0c4a72162e0995c673605c673581023a82

SHA512
eb0cd42b7178ee205af959b3b811bf85c44343c2e3ead6678ece7bc340fd0efdde3067a583649d12aa2123b555a4cc2a7be7a587fb2874a9f9aa666093df782b

Download Submit
C:\ProgramData\svchost\vcredist2010_x64.log.ico

Filesize
4KB

MD5
bb4ff6746434c51de221387a31a00910

SHA1
43e764b72dc8de4f65d8cf15164fc7868aa76998

SHA256
546c4eeccca3320558d30eac5dc3d4726846bdc54af33aa63ac8f3e6fc128506

SHA512
1e4c405eca8d1b02147271095545434697d3d672310b4ea2ecca8715eaa9689be3f25c3d4898e7a4b42c413f258eda729a70f5ad8bc314a742082b5a6a8e9ff1

Download Submit
C:\ProgramData\svchost\vcredist2012_x64_0_vcRuntimeMinimum_x64.ico

Filesize
4KB

MD5
28d98fecf9351c6a31c9c37a738f7c15

SHA1
c449dee100d5219a28019537472edc6a42a87db2

SHA256
39445a090b7ce086d5efb4ac35add13672fac9bf40eb481b54fa87302a3f45e0

SHA512
f5c2458348347798304393fdb5c77f4f7ed7245c0d4c7594deb0113262828cb8e210e7b48a4aa7c4d2fe1e31201b4e326cd60a6f9d4e3ba1a7fbef322dde0971

Download Submit
C:\Recovery.exe

Filesize
5.6MB

MD5
b40fba98b831c281b324507db10b3bef

SHA1
f2b8feff8db1345645d30829f86550de8270be4c

SHA256
861c93eb6031f6a7ca00ae65f47e7f5ca17137bb4de8f3afcd72d7d680304462

SHA512
002bd2d4b1860403cc226e605a3dbba96df3061e3bae5eb2e72f0283982eae6cbaeefa394f7ec09bd087411d02a4b9c29d029cea2ff739052ae308f6bbb22377

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\28bb8ad1-b520-482b-820f-bb5797403f6f.tmp

Filesize
11KB

MD5
6bfeed1be45470db16cf0726853c51ae

SHA1
fe155ba40dbf51bbbe1532a70c90edcaccd5e6e2

SHA256
b92629974dc4440f6ae62801f7b848f07aec56e4f22ca4b458e79d890b8ecf2e

SHA512
25a8290f46dd0fe1feb5c0a9e59d90bd0a6b5f9df059b976ef38a39e3e2d5762e442bedd7f49bc0cfc78eb565a6b4df1e20dc6974a5fcb55fb68245c1f1c91d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4ae6009e2df12ce252d03722e8f4288

SHA1
44de96f65d69cbae416767040f887f68f8035928

SHA256
7778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d

SHA512
bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4bf4b59c3deb1688a480f8e56aab059d

SHA1
612c83e7027b3bfb0e9d2c9efad43c5318e731bb

SHA256
867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82

SHA512
2ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\62c07c4b-5d41-4129-b419-2dfc83761ad5.tmp

Filesize
6KB

MD5
cca7aaa9260e62922bf085e42fe0cc01

SHA1
86ff4a13a0d9ca8534ae898b83fe3695d7a4901d

SHA256
a2cfc7f33e63e58a0974baa6105fa9eedf30223ddd2a82af1f7272e592da3b3d

SHA512
78250aba664be31f5b010830319e2bd0679d67720af186b18105ab4684997579121bd3721cf599fd50c762986f2578d62b46ffcc090be90d45f955a37d716bac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
595a143ba21870939acb1b538777f1dc

SHA1
00be3333aeb19b91cd8bc5584111a177410815ee

SHA256
ee9bfb679a6c4d0db98e893f5351dce7df1f81d03717b22f384c3a61574463c2

SHA512
f655a78e7b29492fe7574cbea56f452d1d8ea258f7eb05f8437744a35b62df713df9006aa97f0f3c712afa6a5de51912e4489185eda4a86b8d9784784a45ec21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
9c0fb981f0d4e6d1010f99432366abf3

SHA1
68f295cfee46bed33046fcbae60ca5c2369191e0

SHA256
05009903652a6be35694b1ce677b0ffaa5d7aeef22f7f2af7d8bd7f4199a98f3

SHA512
ac849152b55e2018d2286caab016072a6a6bb1063f3b1e62214d370ef7f3354141cc1c0c50bc8c3877857bf812ba9e25774aa50549045fefaa241a40a1a2acd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
e44bc034781b7424deab65ab11e11375

SHA1
c8a50a1f68314abec63ea4c053e29150922f32d0

SHA256
de07597cca35b3f2faa6ff3c0bd86321bdcfb6935388def6e0b429ba68c3ac0a

SHA512
ac05d53d94f09ccbb4aea68811410ef63b317b60344d7d4fcd557f122ea05c4421a309d840cf9cf162f9bd9ad1389b2e78753e53a95e21b648a317fa30d0f8c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e24fc2c0ea7783fcf488586260e21f1e

SHA1
8d5fd59b7d474ffe368dfb7f3121e70052ddd4e6

SHA256
96924fae9a07dc21829266648d3950799839bd3f41cbf798a29e0e189715e494

SHA512
351d17e96523363f25ee3a26e7905bc38f07be9aca9732d5bdbab3c1c8f87606a4130fb99a962806a9a1a30a70af62a1c003aac4138d2b19f4bb6db6b6f7bff6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
14e9dcd7b8b182d9fc4d12b0148097c3

SHA1
e4b16e67dc83f0dea599c8426abd440e63e0d084

SHA256
ec29c6ae433392e4e8a910dd39f54d1a389b9dbb99ce9217b16f95b9dff308b0

SHA512
c3cb855e1ab145521151b073db7e9150cf921b61e01041e16e95748330f31b428516800a40dd4499b989181684d106ae9d3bacbcba59104159e5f0b80236852a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
54a6413a0166a17da3cd6274bf33e7f8

SHA1
341f192c9e3709ebb54ad2fbc3c408ffbcb10827

SHA256
c8f64ffec30715790de179333fa280473f051808edf5c18d16eefa7ef97481e0

SHA512
e09e56e2c5304812946a9ac5ab634b487d7914b4cbb4fd0a415e5a26add0901d311bcf1cd69c900ce30c44b372395a75e555d2b3f0d0f853fb79245f2acf4ed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
164fbd93b13a677e63ce111280d29269

SHA1
a7f7870a95ab12844912a969f73098ff3c6f10e5

SHA256
d505f9e22c36172706156894e2330d75f9cb479376a6f4dc3505117d7431d281

SHA512
3277d2bd7f396886264ffb0e2cfdabfa7d15508fd7dae7268d67bcbb8c5dabfe1c50c231c5dc0691345212e01461d8d9d29026051a1867a395b2aaf3463f66bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ced0e4548fd99089302a5e7c6d864fba

SHA1
a83d3f7c98fae472a9c22cd9a9591c3853d7c229

SHA256
a01f86b4c13a491eaa8a439aa4cdbc78dad07523eae10e3b3032ab7b2ff32250

SHA512
6cb2635c477f6b5f0d54514ae9ce953ef5d3dc65f1ac4a02f93e481922146e6ea9604dfbcb04847b557ca7f4bfeac6a60ba6eb50956c4890c0f6f06287b33cd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5f2fdb8d631c940bec6b9bdf27ca5376

SHA1
6187c9a88653bf04ca50fc30b5610d189175f6d0

SHA256
c4c9a05109b52422eafbea632ddf61075f766e44dc6d26e74a81c3c51c312429

SHA512
dfa8dd9b6ec080a0ea0bd548de4ecee758874c2afc8caaee17bf1213abede2e3ecb260cbffb5e84abc0936b44672eb6857c27edc489ee996c94fa8bd8f6a70d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58555e.TMP

Filesize
1KB

MD5
c95cc60b6bdd5c31ff7e5d005c1496d3

SHA1
ab9b9ee5935e66923e779c625aba2a6bb6cae600

SHA256
52dabd766ef75c1908164ee012fec70c571a820debb7221d809d73df7a6e6f84

SHA512
6bc9d5ebdf3f02a15e94b5065170e6e4a624ae19ef241ece175c7b401aafb34eb06a0f5d19c0a02bf24d769a4041504d34d57da10ef7a56fa70a358c3e6ed31b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
71498904bb922a299099d67659e7fbc4

SHA1
9539fbfc4ac5f4089a986d54241cf849adbca499

SHA256
6c5fe5b0bd73c6f73432cf3b0755f56c438001785dcf288187d6915b939b0cfb

SHA512
1e67d1168b59084f19362700e5abc07aedede044f045fb46af6ca8a7ad743c311fb97bfde6cefc33ad6e2954cb3a47170dac9fbe7b3a9985b92735fd48400a67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ced8d6133bd570d050776f5db912558d

SHA1
5021bea8ac4706b94bf1451deee22bc38644f723

SHA256
c19b09eb1442db06d881d87a387e382e086948035144f781c0b031a0f4acc416

SHA512
7252039276a24e90a66816cad3aa0ada7f3537f023ff1f7a4685a25c7a614fa9487ed56bb62a4f0e89c2c516f68910d6d1f901585d0b7b507e14887a9bd64f89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
066f6e5acfff197d12b550ef7d452d41

SHA1
aaa8cfa5a56519594490d069f31a42a15ca515a2

SHA256
cac3a8354c7766b4ce0900bf4d8097bf372ec405a6af4bba63a6d92132932a30

SHA512
21c3985bdc883b7c0fcdfb660a577eb03870943d9e812a24726158b6c06cc36b00425fdeafddcb099fddd1488173280563f7241c9589e69d04d1eb1b5daa786b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\Icon_1.ico

Filesize
1KB

MD5
1e6c4b32205b72a32786ffcf143ffaed

SHA1
7a99df34d2d7d17e2e01272cd084fdae505bc8b0

SHA256
84a41ba1d0f60c4097dd6921ea73781140c40c14a1872d4aa1872046203e6872

SHA512
49ad851721e811be4b360819eaf55b5a1f572c536fcd86692c05533fa62e91efcf218ad60fa54ce5fc5bc476b04dae78c8ce59c22c7c1448980d430e288ab7f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.rc

Filesize
27B

MD5
5a4ef480b1c304883bb3c8277d82bbf5

SHA1
2f01221a87933b2fb81fd0e42c37974b5532bd32

SHA256
f1a67155054951f6eb8f675ece7545a69e901c51c562cd46e7c04e02c3193efb

SHA512
7b2571dcb3449d4e1e45c3e1be4a8d5162d76a2fbd4560840346d5cdb7746b329125e6f8ef987e5a85b2ec0e6c616080550657a26f4e30e2f49ec311730603a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res

Filesize
1KB

MD5
24faf9eeed5c13402bc8814af8f0ab60

SHA1
8f2e3bf31f385beaf239808ca7925da5432191d1

SHA256
e9a1a41d38647b00418872cb6cf2a6396bbce52bd023d8a1103b5d1ecc0dc7dc

SHA512
75026635ff5a3ef8f29815e9f8b0400996267c23940dfce02ef5148b51cdd4d02f32ae87fd440a796584d5579354c5ce6bf313b1eec81ef98d34a8fe99e45c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\icons.res

Filesize
4KB

MD5
85da221c777bfdb5e748453183c7c992

SHA1
03a19282a231e7d1a8f8630eee6509a3dd9b4c2e

SHA256
b7be37fd81ffe3bae65adc4bbb734651e74ac572d67718f93ce6873a63bdeee5

SHA512
f3836974019bce19777aea442a97a7d7fc37a2877ab38dea76e0c70d424dbc9438b8f60916b1ad95434f61de8087b38eb34886e46b057f8acc0d0ce7bab5126a

Download Submit
C:\Users\Admin\AppData\Local\Temp\54f9ef4e71204fba9930b23f5fc1d146\taskhost.ini

Filesize
44B

MD5
dbfea325d1e00a904309a682051778ad

SHA1
525562934d0866f2ba90b3c25ea005c8c5f1e9fb

SHA256
15a3a3303b4a77272ddb04454333a4c06aa2a113f210ba4a03314026e0821e6d

SHA512
cd853c67c2b1a44c3f592ff42d207b2251e8b9bc1eb22fc12cd710329069ef75abffccd169418c4f9bd008a40f2fbbfc6904519f27fd658f316309f94b8ff59c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDBF0.tmp

Filesize
5KB

MD5
7dba7ff9af2c64d2ce03eb61730841a7

SHA1
cb1c0446ab98e1db69b1658806c448242986d19b

SHA256
02c7fb0260ee7b42adb8fbbbb63eb90cae029d67f0296e5dbf4c9df067665851

SHA512
253339dbb07d408fa836985deac1baf4a447fee7d41e49c35f4b9ae7202d45e1cc4fec4c3f3ba34f2e938c1f84915b61fdc56641e3a77b05abacf23e30addb86

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDC9C.tmp

Filesize
5KB

MD5
b6a15d7a0e5a02622e4962839ef4f465

SHA1
0426103733afce63b79b6f40f76b370722a66ac6

SHA256
0bc53378b8374d19d9f2df303e4f3a9e370d8e1e3d10a4803216fa4ad598fe51

SHA512
f6296749a6730b943e48e374019753074c1ec661afe4cc05b07ee8b2ed4f75ea46ec8f4175e07d4bb457e31f19d8022b3c04d2f46b52882eb338e4eaca44558b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDD09.tmp

Filesize
5KB

MD5
bc9422fac251934758b69f043eb8288a

SHA1
6edf1162f3dce624ba9b7bb2c0ed8c689570894d

SHA256
098c37d94796486c5dc8221d751b75d54fc8c7b664f52803bee695088e8f348e

SHA512
1415f50de45dadefabcd27d1cf76754303afae12f7025a325c86420723d720e8a9335d49826325251e208b72ceb8ed129d66ba8577db07f37b4f39d36d1424eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDD77.tmp

Filesize
5KB

MD5
042d541f2f91bb82384a20c24fac653f

SHA1
19bdd04576f5666433d23825f5722096c2eaf52d

SHA256
68677cf5fc3f3b0f6488128cb7ef85ec60229162b3c74ec256e6ba10a4e2126a

SHA512
6974a75369c18a89c18dddb99909e198bea38a3c30cc97f530de7473a17e2a79d3cc19ffd5bc66bbcc602681c3158ccec9ae750837fb292a478b9164939ffeca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDE23.tmp

Filesize
5KB

MD5
a17b61ad136a724d36df3d938f812c61

SHA1
22ddebcc35047bdac68e58c4d7b6317838a313e0

SHA256
1d2796226dfb5459575646862a18f2a79f265020f94634233af2214b002b184d

SHA512
4cbfa95b842ff32b1f46dbe3579479c43e5c37295a4ac5fbac963c1b5f729857b8da2b07feace34e6b2ef078a627c60827a2349135ade53583298ce5276f3a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDEA0.tmp

Filesize
5KB

MD5
c32dbbfc9f2f8dcbe383dc21a34bfa82

SHA1
899a0349270a5f5ddea1f7fa98290e6345c065cc

SHA256
3e5a2b3e1910cf667c428e22cfeab48cbc5a108f8af9d4dc129bf59797d4bf15

SHA512
69c6b421994bfb082cebe98d9df844b63e4119e406cd0c16d6499f819aaccc064a09159b239249c8ef09308d9b96a2a764bcd1c134eba83b8ccf872363434b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDF0D.tmp

Filesize
5KB

MD5
8df8713641ecfa8325f0e26ba055d480

SHA1
c25932607737cceb0406cfcab3898c5a83bb3ef6

SHA256
e665939ddf5f86918266fbce8ea46d8179eafb3d454bc9b6ccf0d025264069eb

SHA512
685f293423910d59991d7009f47d1d6376fb46955f0fa75e6dce63607b84301e002d7aba9781a7617d25e22e5dd93343c5c95d7dc9650067721651252c6e8c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0dgwxne.0.vb

Filesize
369B

MD5
e4a08a8771d09ebc9b6f8c2579f79e49

SHA1
e9fcba487e1a511f4a3650ab5581911b5e88395d

SHA256
ef4c31d167a9ab650ace2442feeec1bf247e7c9813b86fbea973d2642fac1fb6

SHA512
48135e0de7b1a95d254ae351ccac0cb39c0d9a46c294507e4bf2b582c780c1b537487161396dd69584c23455950f88512e9931dbff4287c1072938e812a34dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0dgwxne.cmdline

Filesize
253B

MD5
c49f8f96fb17f109fbff96a347413111

SHA1
861f0dc23e0bb9f784af9e9ff6f739bf0889afa6

SHA256
ed0513328dbe66fe34c4d62d5f66282cb637d5271d0ec1ef172f4bdb39dcfaa1

SHA512
467cc1b220053861b33a36c309ce53e5b498d441bda8e9bcd8bbe82e99b7f4ec69664f4e66fa2a56f9fa695d8e82220704d5bba7cba579a6b91e880dca2fecba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ar5qqvyc.0.vb

Filesize
369B

MD5
83f6067bca9ba771f1e1b22f3ad09be3

SHA1
f9144948829a08e507b26084b1d1b83acef1baca

SHA256
098cd6d0243a78a14ce3b52628b309b3a6ac6176e185baf6173e8083182d2231

SHA512
b93883c7018fdd015b2ef2e0f4f15184f2954c522fd818e4d8680c06063e018c6c2c7ae9d738b462268b0a4a0fe3e8418db49942105534361429aa431fb9db19

Download Submit
C:\Users\Admin\AppData\Local\Temp\ar5qqvyc.cmdline

Filesize
253B

MD5
7dd055504bc8b3abcad0eff9bb2e27a0

SHA1
b0564f2a56bbb0a003527f24a5ce97d652d4b36c

SHA256
e507e6e51fb9ad49ad1f66e642b1ab14bd39b5d47d06266523f8030c93d5f224

SHA512
24aea5ac2c63af81d699e16a2ba15e65cb75dad7439cf86bcb02a6463d59400d1f9311e5f22aa05935dd559e4cf6e6b0c10eab24a5c7a21956228c6ce78b562e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gjvwqly5.0.vb

Filesize
373B

MD5
197e7c770644a06b96c5d42ef659a965

SHA1
d02ffdfa2e12beff7c2c135a205bbe8164f8f4bc

SHA256
786a6fe1496a869b84e9d314cd9ca00d68a1b6b217553eff1e94c93aa6bc3552

SHA512
7848cdc1d0ec0ca3ec35e341954c5ca1a01e32e92f800409e894fd2141a9304a963ada6a1095a27cc8d05417cd9c9f8c97aed3e97b64819db5dd35898acac3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gjvwqly5.cmdline

Filesize
261B

MD5
f4f03729a052bdaef1381eb679ee1fbd

SHA1
9ccd7c55896de29bde14548d1e6e917a736806be

SHA256
ff465d3b7e3e16e56d9a808505f793b77974e3720366f4556c769b4ba93930b8

SHA512
18171170996193bbf0e68ce2345dd3c435f3b57c41af41888d752fbffe07e0a805d0ac0bc8ee74eef3d5a39749e21d9f36a1ba92a214585fba4935f12ed0949a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnrzjkrx.0.vb

Filesize
355B

MD5
6e4e3d5b787235312c1ab5e76bb0ac1d

SHA1
8e2a217780d163865e3c02c7e52c10884d54acb6

SHA256
aec61d3fe3554246ea43bd9b993617dd6013ad0d1bc93d52ac0a77410996e706

SHA512
b2b69516073f374a6554483f5688dcdb5c95888374fb628f11a42902b15794f5fa792cf4794eae3109f79a7454b41b9be78296c034dd881c26437f081b4eaea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qnrzjkrx.cmdline

Filesize
224B

MD5
664698e544e43613e9e94299d70366b4

SHA1
83721f2032e72f0e31f6f28aa95e7af3b6c27463

SHA256
aa8b24659b34f53e3a6fb0753df87639b2c4b68ee600536c7a11ca3147ad7e4d

SHA512
11eb8a4d39e5ea9e0e2da14c97d237e2e4a824bfa289c5d3c4aa12f398dfff82afe0dbb60935c45586765e2910e1e27c01f159ac5e8e9be65b325c49cbb6e053

Download Submit
C:\Users\Admin\AppData\Local\Temp\ti7slir-.0.vb

Filesize
376B

MD5
7a8e43324d0d14c80d818be37719450f

SHA1
d138761c6b166675a769e5ebfec973435a58b0f4

SHA256
733f757dc634e79bdc948df6eff73581f4f69dd38a8f9fafae1a628180bf8909

SHA512
7a84dbe0f6eebdc77fd14dd514ed83fb9f4b9a53b2db57d6d07c5ff45c421eac15fdc5e71c3bc9b5b5b7c39341d8e3157a481d9dacefe9faff092478a0cea715

Download Submit
C:\Users\Admin\AppData\Local\Temp\ti7slir-.cmdline

Filesize
267B

MD5
23363d7cb6559ffbcb143d954f03fdae

SHA1
6fbcbdbecb506b328141cfc9262701f7b4238120

SHA256
4995a813247f2e66e2007e14192dbb077c388f44fd83ad54b4c4b68047dad89c

SHA512
526c474f9fe9fbbbfbe61576f71b5a43915ffff4e229752bf3cf391c24ce33a2aff22fe08b94dae70ac4cd19c54c5fd2d33908cf4b4f297f317e3c4d841db573

Download Submit
C:\Users\Admin\AppData\Local\Temp\txlz_2d_.0.vb

Filesize
373B

MD5
7d0d85a69a8fba72e1185ca194515983

SHA1
8bd465fb970b785aa87d7edfa11dbff92c1b4af6

SHA256
9f78b435099106c2c3486c5db352f7d126b3532c1b4e8fe34ef8931c7b8968d5

SHA512
e5ef339dc329dbba2ab06678a9e504aa594d2f21ade45e49bccd83a44a76dc657f5f44dcf368f4d112bb3b01af2e577a487c6078751943770e90780fad202989

Download Submit
C:\Users\Admin\AppData\Local\Temp\txlz_2d_.cmdline

Filesize
261B

MD5
dcb28e76ec4a66eb3163cc0504aa5959

SHA1
bf22eea29a4f4aa7e2c657daf7bed95268b2d750

SHA256
c02355d8ecba868f4c1af7cfe80b08b819c3406325d2c588f90b05218c6d2775

SHA512
b445aa517876b724fe19f8423918125cf63949e754d76d07d2e6782d47dd92cf48bac7be70caf911b1b1febae83cf3ca6f96f793b6ff5b7a9ff61a1af0941681

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
91B

MD5
de97f8c7f4f066b79ad91c4883cc6716

SHA1
92cc8bf74888ea1151d9fd219eb8caee02978556

SHA256
a99f5d4f9a3cff36d5fa6ce75c5aa651448860ee1b29111bd8ad96eca85b05d9

SHA512
cfc7ab2465cce5b7bd5a8ed8ba0b632afc3f1b74f70f1d799f858d2271afbbbb3b37697e1074d6f85aabb4748745566d72ec68bfb2e90d312879875406efd0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
88B

MD5
afcdb79d339b5b838d1540bf0d93bfa6

SHA1
4864a2453754e2516850e0431de8cade3e096e43

SHA256
3628cee0bef5a5dd39f2057b69fbf2206c4c4a320ea2b1ef687510d7aa648d95

SHA512
38e7e92f913822cc023e220035ada6944ffbc427023687938fe5cbb7a486abad94808239f63577c195afb520fe1a1a1b14e1050c0c03c7d324ddbf7cffdc304c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc2E88F241662A4D23ABDD119CE18D3D8F.TMP

Filesize
5KB

MD5
a1b46e574ef5ee504aa4c8d7eb9fa4ec

SHA1
e1692b8b1f683d1013de60bbe7ba6728ab52d4d3

SHA256
e0fd09c18c062770ed295cd7aa0612990d316126bf74c6dbe10fa18e01a50bfe

SHA512
a2c8f0d211d4db0807ea62e4d0b4a9a3b77e6d10b0980fcef580409f01f48caf61be49b60ccfd379c1e4015d2ad29b5526f126a2f0071fedc3a15c4cf8ff5612

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc3A63AE6EC6FD4E57B161D5D628D71654.TMP

Filesize
5KB

MD5
d56475192804e49bf9410d1a5cbd6c69

SHA1
215ecb60dc9a38d5307acb8641fa0adc52fea96c

SHA256
235e01afd8b5ad0f05911689146c2a0def9b73082998ac02fd8459682f409eee

SHA512
03338d75dd54d3920627bd4cb842c8c3fefad3c8130e1eeb0fa73b6c31b536b3d917e84578828219b4ffd2e93e1775c163b69d74708e4a8894dd437db5e22e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc47B09020A4CC412A82741A36D4C854C8.TMP

Filesize
5KB

MD5
5615510643200f4172af237e6bb0b1e4

SHA1
409df6d7f90a94655c1a5ce73cc45296f85736c2

SHA256
8d084d3119610cefec688b02df011bf5473cd9e8536fc3e88f1aa58fbb497196

SHA512
95f67e42fd96534ec5804e49fdcf33240c526f8f03855b19b11123db3b4d98f43c4f4f4126281cc0210b24bd868682fbf0a9428d94c7e0f1f4690045bbdc8e1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc49A19A9BC5B84D528EFE66F7F1F6AAB6.TMP

Filesize
5KB

MD5
4a0d9970022b9e7d0066dea49c7639f4

SHA1
6a576f471355762c7dec0b258fa8268c06b352d4

SHA256
b9fc51192ec614b38899c981eb6cfe47429047df1af56226e87da01f95089cc9

SHA512
92bcbbbbade44c91abe5bc4b4633892036b19ea6b0c5007a98ddc102aa41dca5d83568a9a243060a9a5153fea77bf7a56c7612d80881341358b1dcf190d42c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4D97374361B34D80A4E13F470452DE4.TMP

Filesize
5KB

MD5
d0700df86922f8822ee8cf4dc28769af

SHA1
80c24d2ad4d0add576cc97c608644dfdf9d0444e

SHA256
ff1ca342c6c1c86e58276a9c7a36e06cc300c8a566a57dc6e62831dc3d84c3ef

SHA512
721eae27ddee0305b5b5a07a8c8c2cacc2e44e11f032597d74d78e8979bddc51b74e4c1f700e74baff9eec4cf064bf97e58936ab6d69541f3a609c19f4dd7b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc51501822919D442D895662A8F98A3272.TMP

Filesize
5KB

MD5
84e9754f45218a78242330abb7473ecb

SHA1
3794a5508df76d7f33bde4737eda47522f5c1fdd

SHA256
a979621de3bcabf9a0fa00116bcd57f69908b5471341f966c2930f07acfee835

SHA512
32b51e82e505e9124fa032bfd02997de6d6f56e0c0dfb206aec2124199048168ec0f7927a0a289f4653662bdeb5089d91db080019a9556491ef111df99b12623

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc74173E1DD634135AE5DBE1C3ADDCE7.TMP

Filesize
5KB

MD5
abeaa4a5b438ffa58d07d9459e5c1d6c

SHA1
69631de7891162dd4840112a251f6531feae7509

SHA256
ce174412cb2889bbf162b7ebe4476da5a9c928ba5b13111d338753ccc4c0f5fd

SHA512
c9cae8bcc14661e993d97a3c7b658310a8b9c19044817589f92eab66f1bcfcecb3468b0de8b45cd68e218c23cd9c60aeef1d391af36ec03afab5c8b86d7937d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9F92ACB9661342DC9BD569C342CA3D4.TMP

Filesize
5KB

MD5
a9bb078176be4c3b368e1d31ec936f8d

SHA1
14b2ad83b65dcc929775fca317a4c4d5f886e77b

SHA256
cce53d76047450be6bde2b02521c10f2e4ce247f373b8da98ea26aff954f8a78

SHA512
cdbd736b825e3b9d0f72426c13f3cd9adff1bd1559e3978f8c6b44e12df8cbeb0da0fe1f144b47172dfc3861e8660ae9b402fbd6b3263763bf91229c3abb2337

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAA29DF7C13EA41CA9666F8CEDB781B50.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB2A6411982CA4FE4AFE1CE79FD3CFFF4.TMP

Filesize
5KB

MD5
11cb9aba8820effebbb0646c028ca832

SHA1
a64d9a56ee1d2825a28ce4282dac52c30137db96

SHA256
2a1e197c5f17c60b3085782d3c8c97bd9aa2ac1e3a4a721122c0b5ec56d276c8

SHA512
d227b39d5d67c18703730fd990ac41077321054d4f24198cafbc0b7af1ed6c72e7ef7eb626fb558f9407e11b5b9f0d194237400d248a80560d715c88971ad375

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBDC29DBE83B747DD9FB2336AA41D5D8.TMP

Filesize
5KB

MD5
8e72f246b375560a0142669bfdc3508e

SHA1
baac161d5ef885001dce0ab9b7c25f5a8ecbe15a

SHA256
38dea18c37747d3c5a5056207aca305dd059baec7d7d0b15a18337b5d42e0658

SHA512
2f0c458bcbcd04ec2ae262dce82e9e32dee0759db7fd80d3eabc37c937db3e276ffa8fed9c389855d4a648b97d31123e2e24e82b5921eda89e47fc3e74e23945

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD2F062FEA2B64E3EA9A313A4C0C3C033.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD439EB3BD81A46F2A31CA75D26E8FD49.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE10CBD702D3D45A4ADB74490163FF99D.TMP

Filesize
5KB

MD5
b71e6e19814568caf1f6d365fea29136

SHA1
6993dc9dcb4f4fa8443b5439fd0f6448620872fd

SHA256
aa099f363660fede895c28dc847748ce79a12d0ffa249e3980a54d16cdde1d82

SHA512
6ca16f231751b37787535c293804173411fa9f19d0ec29e6d04e32614bb8d630c5cdd493d80e35df4f29412b606c329f3196c587189a538ec5246b2223f53911

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcE6CE288F9AB648B9BE5992E0D18AA83B.TMP

Filesize
5KB

MD5
12709a9ce7122fd789256103eebaee0d

SHA1
a4ad85d03d56f31da215284fedc0a96ca02a0c65

SHA256
9753ea5ce1bef84c96a49bc4cf5d96e3b9195932d7209d3acf949b8adaa80278

SHA512
a7764fb031270b6da3c4aba217221c4aca7e8acd6fa5c34217cc4650fbd35543e47a44f7c884dde076c23e66279386a0cf2e908c7cec37a1cd5237e4bee3c49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF0F4202B44F2471F814D89E36844C7E8.TMP

Filesize
5KB

MD5
b73429be6150aa96e93ef9b49fb3ab2b

SHA1
0630535dfb92271dbdd0180307981f8814798ca3

SHA256
8ae5a47694d714b48857c9dba930a8947c7b18d48d4198e08fa50eb35e305ff8

SHA512
5fc581143f53032620134852c16a3116b6817c7efc3785fbde4c4cf13fb00e0824203420b3f61f45394139f8fc585706e87305e50ca850c9c82597f3bea6dcf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcF13AEA1EAA9D40D2A159D8B8D1868CA2.TMP

Filesize
5KB

MD5
0d43c4212c75578ea7eeb11e292cb183

SHA1
30b2ba3ad685b03fe365fd5a78801f039c8cd26c

SHA256
c6eb948ff4f2359dce5d80890ea50516c48a6599fd522744ec0dcb5da8da7495

SHA512
1adc9f10811af124048c36c9f41b48c3e777b6807aa61f148f52448d79d3eaac533fe4b9e7f887c6ab64cf99e9664113dd7fbc98353a1b57fb98db1d7f865b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFD955F8AB72442DAB062272E491E490.TMP

Filesize
5KB

MD5
1eec5a7f7298df1f578bd6cad1ae396b

SHA1
ea9a858b3a0a6fcbe46cea93a18c99010d11ade8

SHA256
c00d6f179c121a3e3193a850bcca719b03f75e1f0b92b79d179cdcd52c2a806a

SHA512
08ad3c19fa7354901a3a44b777cfaacbfbff3569d087275e8583d1142cf33fc3f99402087f57ddbcf5dfd9bf3053acc082cdd64a32b29c1d246232e555dabb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhlsktv4.0.vb

Filesize
355B

MD5
acd609faf5d65b35619397dc8a3bc721

SHA1
ba681e91613d275de4b51317a83e19de2dbf1399

SHA256
4cfd86d51d0133dda53ba74f67ffe1833b4c0e9aae57afe2405f181fc602f518

SHA512
400ffd60ce7201d65e685734cea47a96abca58ca2babda8654b1d25f82d2766ca862a34f46c827249a4dc191d48f56005a9f242765d7becdda1344b8741a9d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xhlsktv4.cmdline

Filesize
224B

MD5
d9f973ac3e0a2133469114309f5d03bd

SHA1
2cdacaafe9e9fb4cc18bd3a3081b834a7126b522

SHA256
2d9af3a38bf5421290a7ecf3b50fc02bfe608dbc06de09a9d2c925354fd1b449

SHA512
e2b70a167b6349f572b4cc7597ed64b76dcccfc6de700e6be41d117d79131b870303a0ee9020b7e896d215e80ba40c1e3c9241717f74491e3ace3741eae91fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\xu3-gubl.0.vb

Filesize
376B

MD5
688ef599a13c30230d9c00287511e084

SHA1
496834103ac52660dd8554590a2f92cbda8ab759

SHA256
9ce0d8e22177e91d78bf3e578b8b5f0d22d724ae17931195de2e3b5b46255051

SHA512
0f244536f83308c7db23337dadcef882fd258954d7e3c8a5f3f66ee0861fec0cd6ea7b3310db65a306de380da410af1e8e4041fabbc917b6af4b94d9424cec8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xu3-gubl.cmdline

Filesize
267B

MD5
c7df8ae68b91b33af15e9bcbc64fd848

SHA1
e2955d340f094144a0523585eb0bcf9df4941462

SHA256
063d53725408d691a7d4a8ab8d7175e544cedb457676ec066ccc99029729bd35

SHA512
1785eee665f60aa7ac40a20cbab8314acf4a92702dfb4cb92b1839eb88c466595835a04a6781d00591787d8706efca006ebb1128fe1a1d1a42ce07320b3b37aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe:Zone.Identifier

Filesize
92B

MD5
c6c7806bab4e3c932bb5acb3280b793e

SHA1
a2a90b8008e5b27bdc53a15dc345be1d8bd5386b

SHA256
5ba37b532dbb714d29f33e79dacb5740096fd1e89da0a07b9b8e6b803931c61a

SHA512
c648be984413fdbaeb34808c8164c48b5441a8f3f35533b189f420230e5e90605c15fde2ce0d9fe42e9755c594dd1ef32de71a24016277ad2cef2f9afcf0ad93

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

Filesize
153KB

MD5
f33a4e991a11baf336a2324f700d874d

SHA1
9da1891a164f2fc0a88d0de1ba397585b455b0f4

SHA256
a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7

SHA512
edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20

Download Submit
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.exe

Filesize
5.7MB

MD5
df997a6615a46eac81cb90cc06582799

SHA1
38caa6a66cb25f75fc63002b83751a7e9a8cf7ec

SHA256
c9e71f0330a80123fc8ad1117d1014d318ac39fc6f98015b810d72d4d1630812

SHA512
5357fefa4c918920d58b2171839134f2539993c0a28105980c88cf3cd60e475e4e6c6f6b377cbb9f5d3f64484954d33a847a83ee00856d5e705de1352acef2d7

Download Submit
\??\pipe\LOCAL\crashpad_4232_JRLLNGJQXJNJVKNB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/852-472-0x0000000000530000-0x0000000000555000-memory.dmp

Filesize
148KB

Download
memory/852-467-0x0000000000530000-0x0000000000555000-memory.dmp

Filesize
148KB

Download
memory/976-9195-0x0000016F360E0000-0x0000016F3610E000-memory.dmp

Filesize
184KB

Download
memory/1672-799-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1672-804-0x0000000001DE0000-0x0000000001DFA000-memory.dmp

Filesize
104KB

Download
memory/2736-1433-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2736-1571-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2736-2428-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2808-9895-0x00000000008F0000-0x0000000000F9E000-memory.dmp

Filesize
6.7MB

Download
memory/2808-9904-0x0000000009610000-0x000000000961E000-memory.dmp

Filesize
56KB

Download
memory/2808-9903-0x0000000009640000-0x0000000009678000-memory.dmp

Filesize
224KB

Download
memory/2864-9152-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3560-484-0x000002579A050000-0x000002579A06E000-memory.dmp

Filesize
120KB

Download
memory/3560-517-0x00000257B4960000-0x00000257B4B13000-memory.dmp

Filesize
1.7MB

Download
memory/3656-9148-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3656-9146-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3740-1572-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3740-2380-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3888-481-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4472-9196-0x0000000000620000-0x0000000000BCC000-memory.dmp

Filesize
5.7MB

Download
memory/4472-9197-0x0000000005C80000-0x0000000006226000-memory.dmp

Filesize
5.6MB

Download
memory/4472-9198-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/4724-9161-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/4788-478-0x000000001C150000-0x000000001C1B2000-memory.dmp

Filesize
392KB

Download
memory/4788-477-0x000000001C0A0000-0x000000001C146000-memory.dmp

Filesize
664KB

Download
memory/4788-476-0x000000001BBD0000-0x000000001C09E000-memory.dmp

Filesize
4.8MB

Download
memory/4792-480-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5336-519-0x000002A5EE270000-0x000002A5EE423000-memory.dmp

Filesize
1.7MB

Download
memory/5336-518-0x000002A5EB2C0000-0x000002A5EBBD4000-memory.dmp

Filesize
9.1MB

Download
memory/5736-796-0x0000000000410000-0x0000000000430000-memory.dmp

Filesize
128KB

Download
memory/5840-9041-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5840-9038-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5840-9004-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5840-9005-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5840-9018-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5840-9020-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5840-9007-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5840-9009-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5840-9011-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5840-9016-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5840-9039-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5840-7503-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5840-9036-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5840-9034-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5840-9032-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5840-9027-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5840-9025-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5840-9023-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/5992-471-0x0000000000880000-0x00000000008A5000-memory.dmp

Filesize
148KB

Download
memory/6060-9155-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/6060-9157-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads