badrabbit | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
649s
max time network
679s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02/09/2024, 04:05

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

badrabbit cryptolocker dharma defense_evasion discovery execution impact persistence ransomware spyware stealer upx

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (166) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8ff267ab.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe

Executes dropped EXE 11 IoCs

pid	Process
5076	AgentTesla.exe
2180	Bezilom.exe
3028	AgentTesla.exe
1292	BadRabbit.exe
3336	AgentTesla.exe
5036	EFF2.tmp
4980	CryptoWall.exe
2452	CoronaVirus.exe
1076	CryptoLocker.exe
1900	{34184A33-0407-212E-3320-09040709E2C2}.exe
3176	{34184A33-0407-212E-3320-09040709E2C2}.exe

Loads dropped DLL 1 IoCs

pid	Process
3308	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000200000002ab7b-1260.dat	upx
behavioral1/memory/17648-25685-0x00000000007E0000-0x0000000000A6E000-memory.dmp	upx
behavioral1/memory/17648-26606-0x00000000007E0000-0x0000000000A6E000-memory.dmp	upx
behavioral1/memory/17648-26704-0x00000000007E0000-0x0000000000A6E000-memory.dmp	upx
behavioral1/memory/17648-26738-0x00000000007E0000-0x0000000000A6E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\8ff267a = "C:\\8ff267ab\\8ff267ab.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*ff267a = "C:\\8ff267ab\\8ff267ab.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\8ff267ab = "C:\\Users\\Admin\\AppData\\Roaming\\8ff267ab.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*ff267ab = "C:\\Users\\Admin\\AppData\\Roaming\\8ff267ab.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\StartUp = "C:\\Windows\\Maria.doc .exe"	Bezilom.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-970747758-134341002-3585657277-1000\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-970747758-134341002-3585657277-1000\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	raw.githubusercontent.com
38	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
94	ip-addr.es
2	ip-addr.es

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/17648-25685-0x00000000007E0000-0x0000000000A6E000-memory.dmp	autoit_exe
behavioral1/memory/17648-26606-0x00000000007E0000-0x0000000000A6E000-memory.dmp	autoit_exe
behavioral1/memory/17648-26704-0x00000000007E0000-0x0000000000A6E000-memory.dmp	autoit_exe
behavioral1/memory/17648-26738-0x00000000007E0000-0x0000000000A6E000-memory.dmp	autoit_exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\unicode.md.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherAppList.targetsize-32_altform-unplated.png	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.VisualBasic.Core.dll.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MedTile.scale-400_contrast-black.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\ui-strings.js.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ca.pak.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\NotepadMedTile.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-white\GetHelpAppList.targetsize-30_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateSquare71x71Logo.scale-150.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Security.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\j2pkcs11.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateWide310x150Logo.scale-400.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\EmptyShare.scale-125.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL082.XML.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Primitives.dll.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.IO.Packaging.dll.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\System.Windows.Forms.Design.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected].[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-pl.xrm-ms.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-96_altform-lightunplated_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.White.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview-hover.svg	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\UIAutomationTypes.resources.dll.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxAccountsSplashLogo.scale-180.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL093.XML	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\SUCTION.WAV.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\colorimaging.md.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\Microsoft.VisualBasic.Forms.resources.dll.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.ResourceManager.dll.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tracing.dll.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_x64__8wekyb3d8bbwe\Assets\Icons\StickyNotesAppList.targetsize-24_altform-lightunplated_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_x64__8wekyb3d8bbwe\Assets\AppTiles\MapsWideTile.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-20_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-30_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_neutral_split.scale-100_8wekyb3d8bbwe\Images\Wide310x150Logo.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\FileAssociation.targetsize-48.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-64_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql70.xsl	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2102.13.0_x64__8wekyb3d8bbwe\Assets\inifile.targetsize-16.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-64_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-oob.xrm-ms.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-16_altform-unplated.png	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.dll.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\LICENSE.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\sendforsignature.svg.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36_altform-lightunplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down.gif.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxMailBadge.scale-400.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml.id-C0D5B4E3.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_neutral_split.scale-140_8wekyb3d8bbwe\AppxBlockMap.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorLargeTile.scale-200_contrast-white.png	CoronaVirus.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Maria.doc .exe	Bezilom.exe
File opened for modification	C:\Windows\Maria.doc .exe	Bezilom.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\EFF2.tmp	rundll32.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 11 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CryptoWall.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Bezilom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Bezilom (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Locky.AZ.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\RedBoot.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Bezilom (2).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\BadRabbit.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoWall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bezilom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
18376	vssadmin.exe
18128	vssadmin.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-970747758-134341002-3585657277-1000\{25D0426B-946A-46DA-B688-AB1C757A12DF}	msedge.exe

NTFS ADS 25 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Bezilom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 574450.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\RedBoot.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:SmartScreen:$DATA	CryptoLocker.exe
File opened for modification	C:\Users\Admin\Downloads\NoEscape.exe.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 270413.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 216548.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 743813.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Locky.AZ.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 672288.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:Zone.Identifier:$DATA	CryptoLocker.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 177297.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 911344.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 512987.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 547857.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CryptoWall.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 272040.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Bezilom (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Bezilom (2).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\BadRabbit.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 504359.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1036	schtasks.exe
4816	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4820	msedge.exe
4820	msedge.exe
4592	msedge.exe
4592	msedge.exe
3168	msedge.exe
3168	msedge.exe
2900	identity_helper.exe
2900	identity_helper.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
4084	msedge.exe
1692	msedge.exe
1692	msedge.exe
2088	msedge.exe
2088	msedge.exe
1376	msedge.exe
1376	msedge.exe
3004	msedge.exe
3004	msedge.exe
3860	msedge.exe
3860	msedge.exe
3640	msedge.exe
3640	msedge.exe
4432	msedge.exe
4432	msedge.exe
1820	msedge.exe
1820	msedge.exe
4864	msedge.exe
4864	msedge.exe
8	msedge.exe
8	msedge.exe
2840	msedge.exe
2840	msedge.exe
3056	msedge.exe
3056	msedge.exe
2564	msedge.exe
2564	msedge.exe
3308	rundll32.exe
3308	rundll32.exe
3308	rundll32.exe
3308	rundll32.exe
5036	EFF2.tmp
5036	EFF2.tmp
5036	EFF2.tmp
5036	EFF2.tmp
5036	EFF2.tmp
5036	EFF2.tmp
5036	EFF2.tmp
2452	CoronaVirus.exe
2452	CoronaVirus.exe
2452	CoronaVirus.exe
2452	CoronaVirus.exe
2452	CoronaVirus.exe
2452	CoronaVirus.exe
2452	CoronaVirus.exe
2452	CoronaVirus.exe
2452	CoronaVirus.exe
2452	CoronaVirus.exe
2452	CoronaVirus.exe
2452	CoronaVirus.exe
2452	CoronaVirus.exe
2452	CoronaVirus.exe
2452	CoronaVirus.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4592	msedge.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4980	CryptoWall.exe
3440	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs

pid	Process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3308	rundll32.exe
Token: SeDebugPrivilege	3308	rundll32.exe
Token: SeTcbPrivilege	3308	rundll32.exe
Token: SeDebugPrivilege	5036	EFF2.tmp

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5076	AgentTesla.exe
2180	Bezilom.exe
3028	AgentTesla.exe
3336	AgentTesla.exe
4592	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 1432	4592	msedge.exe	81
PID 4592 wrote to memory of 1432	4592	msedge.exe	81
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4312	4592	msedge.exe	82
PID 4592 wrote to memory of 4820	4592	msedge.exe	83
PID 4592 wrote to memory of 4820	4592	msedge.exe	83
PID 4592 wrote to memory of 3924	4592	msedge.exe	84
PID 4592 wrote to memory of 3924	4592	msedge.exe	84
PID 4592 wrote to memory of 3924	4592	msedge.exe	84
PID 4592 wrote to memory of 3924	4592	msedge.exe	84
PID 4592 wrote to memory of 3924	4592	msedge.exe	84
PID 4592 wrote to memory of 3924	4592	msedge.exe	84
PID 4592 wrote to memory of 3924	4592	msedge.exe	84
PID 4592 wrote to memory of 3924	4592	msedge.exe	84
PID 4592 wrote to memory of 3924	4592	msedge.exe	84
PID 4592 wrote to memory of 3924	4592	msedge.exe	84
PID 4592 wrote to memory of 3924	4592	msedge.exe	84
PID 4592 wrote to memory of 3924	4592	msedge.exe	84
PID 4592 wrote to memory of 3924	4592	msedge.exe	84
PID 4592 wrote to memory of 3924	4592	msedge.exe	84
PID 4592 wrote to memory of 3924	4592	msedge.exe	84
PID 4592 wrote to memory of 3924	4592	msedge.exe	84
PID 4592 wrote to memory of 3924	4592	msedge.exe	84
PID 4592 wrote to memory of 3924	4592	msedge.exe	84
PID 4592 wrote to memory of 3924	4592	msedge.exe	84
PID 4592 wrote to memory of 3924	4592	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb37d73cb8,0x7ffb37d73cc8,0x7ffb37d73cd8
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5780 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6272 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6256 /prefetch:8
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6796 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6860 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6848 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3004
- C:\Users\Admin\Downloads\AgentTesla.exe
  "C:\Users\Admin\Downloads\AgentTesla.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6044 /prefetch:8
  2⤵
  PID:784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6612 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6764 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6332 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3972 /prefetch:8
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6424 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6440 /prefetch:8
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3340 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3972 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6440 /prefetch:8
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6584 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2532 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2528 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6760 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:1
  2⤵
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7148 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7116 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2564
- C:\Users\Admin\Downloads\Bezilom.exe
  "C:\Users\Admin\Downloads\Bezilom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2180
- C:\Users\Admin\Downloads\AgentTesla.exe
  "C:\Users\Admin\Downloads\AgentTesla.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12253170658979209227,15245516741565278063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:1552
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1292
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3308
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:3520
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 345951898 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4388
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 345951898 && exit"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1036
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 04:34:00
      4⤵
      System Location Discovery: System Language Discovery
      PID:4416
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 04:34:00
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4816
  - - C:\Windows\EFF2.tmp
      "C:\Windows\EFF2.tmp" \\.\pipe\{5DE743D7-30A7-44C0-87E7-84F5AEA6AE3C}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5036
  - - C:\Windows\SysWOW64\cmd.exe
      /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
      4⤵
      PID:18544
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN drogon
      4⤵
      PID:18528
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN drogon
        5⤵
        
        PID:18648
- C:\Users\Admin\Downloads\AgentTesla.exe
  "C:\Users\Admin\Downloads\AgentTesla.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3336
- C:\Users\Admin\Downloads\CryptoWall.exe
  "C:\Users\Admin\Downloads\CryptoWall.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID:4980
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:3440
  - - C:\Windows\SysWOW64\svchost.exe
      -k netsvcs
      4⤵
      System Location Discovery: System Language Discovery
      PID:1500
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2452
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:1440
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:8940
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:18128
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:17852
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:17964
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:18376
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:17980
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:18012
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:1076
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1900
  - - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000240
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3176
- C:\Users\Admin\Downloads\RedBoot.exe
  "C:\Users\Admin\Downloads\RedBoot.exe"
  2⤵
  PID:17648
- - C:\Users\Admin\26039593\protect.exe
    "C:\Users\Admin\26039593\protect.exe"
    3⤵
    PID:11136
- - C:\Users\Admin\26039593\assembler.exe
    "C:\Users\Admin\26039593\assembler.exe" -f bin "C:\Users\Admin\26039593\boot.asm" -o "C:\Users\Admin\26039593\boot.bin"
    3⤵
    PID:38984
- - C:\Users\Admin\26039593\overwrite.exe
    "C:\Users\Admin\26039593\overwrite.exe" "C:\Users\Admin\26039593\boot.bin"
    3⤵
    PID:17948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:18256

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39e3055 /state1:0x41c64e6d
1⤵
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-C0D5B4E3.[[email protected]].ncov

Filesize
2.9MB

MD5
b6c9b5dd54ad245344808e5e461f31e7

SHA1
2921f72d0373b41a1f70ba02826eabd7404bea2e

SHA256
c19d060a2b4255d14efd1d9a8da06cab0ddcc575500a690716d8b7bf9f0e252c

SHA512
c8e9c9f369a349e8aaa1f6f93d2d528cfca1675c332acffbd782492da93b5b947b548a07c1b84fa3aca122f8af216c7c35508fa894ed5892ec749f9e8e9612e5

Download Submit
C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-970747758-134341002-3585657277-1000\ReadOnly\LockScreen_Z\LockScreen___1280_0720_notdimmed.jpg

Filesize
62KB

MD5
6cb7e9f13c79d1dd975a8aa005ab0256

SHA1
eac7fc28cc13ac1e9c85f828215cd61f0c698ae3

SHA256
af2537d470fddbeda270c965b8dbdf7e9ccf480ed2f525012e2f1035112a6d67

SHA512
3a40359d8e4cc8792be78a022dc04daed5c1cc55d78fe9cf3e061ea5587baa15023ce2152238f5be5cc5124cd468f220cf9dab54344d93edd3dfcd400b24469d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8276eab0f8f0c0bb325b5b8c329f64f

SHA1
8ce681e4056936ca8ccd6f487e7cd7cccbae538b

SHA256
847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da

SHA512
42f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
058032c530b52781582253cb245aa731

SHA1
7ca26280e1bfefe40e53e64345a0d795b5303fab

SHA256
1c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e

SHA512
77fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
28KB

MD5
8e9d7feb3b955e6def8365fd83007080

SHA1
df7522e270506b1a2c874700a9beeb9d3d233e23

SHA256
94d2b1da2c4ce7db94ee9603bc2f81386032687e7c664aff6460ba0f5dac0022

SHA512
4157a5628dc7f47489be2c30dbf2b14458a813eb66e942bba881615c101df25001c09afb9a54f88831fa4c1858f42d897f8f55fbf6b4c1a82d2509bd52ba1536

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
b625a21388f96ede0b59d3bb42dc245d

SHA1
a71fddc2c89bc12cd5bcc8f3dbe1516c6920e3b1

SHA256
c6178f185b951161db86bb1e455e470a6edca1acabc9ec0ea3d15cc91d5d73e2

SHA512
cb226af94666415aec91c26f3f633cd9806dd8a995a452547bcd2f16d68e7f5ecff1d45743e690588e1c7a0bdd264335c93e13acd3becd98d7562585e355eb29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
30741cfb02a70ac50efa96c237d384a8

SHA1
545be3cac240d7de1e19346fc7dd06e0ce72ab59

SHA256
479b8adf6167812c217dd109c08f33016cd4ff4216ae4d53807131c02b9d8e87

SHA512
497193375c61f0f9458ee0a96cb713e6a92a13805dd89927c4e908e4013968b825e2c8ae9da99024f0dde4b70055806b597851ee69d3683670ab7fbf93b35c53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0e8a21a1fd4aefecb4e9654adf81b66c

SHA1
f5ed6a2cf555610a0f093865d86cd7e4e999dfe3

SHA256
0586f842fdae9da364ecf6f6da347c68d199b2616563546b87f4bccdf96e88c8

SHA512
96756cd55b7f1eb221eeb38b855642f6b940ae07f878bbadfb3deba2f925948d9147ca34fbaa330bcaa1ec53aaa1bf9347246ee50d8ffeb8667e6ec1775a0046

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
954B

MD5
62772bfe40f5ae5390805edd850d536e

SHA1
3ce8ffe6854f8061478080aa77beed0153ef2164

SHA256
9a12fa8854126bf1d9dc8053c3d3e160f8871ef279afbeb3baaefda04ec6d1be

SHA512
f0d3d010146d24a039a52c0a259c4a50ea467e40087f87f1d32b5e1afc2367ffec62953d4577f96895e3255b10f132c746ddb771de7e622e7a9468b9f88d8be4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
366cd1263db0d47457528552dffcc115

SHA1
74ece74157ff531b432059a70fc9377308632f7b

SHA256
aa6eb8dbee474f43f5f31c07c6a0283f367c699e5236ebd17f1edd17fcdcd838

SHA512
c4298eac674a84d64ebc881a056a3dae7507c3fed2cb13a041568952efaed8fc1c5fc3f1ad1876522e35deaadd7b40b34ff0843e8fdfed9d34a78df73921a188

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
2d71d855b15ef6b930bb1e2939f5d328

SHA1
fdb1d6e9639fe460b7edeca3ef818faac73bb52e

SHA256
472b16afcd9ec77b81035db7d11cf7ce4a250e3ffec444452f7e3081e1a8b342

SHA512
a5ffe6f254baba16e4732e1d2746f911eac587424eedf4662f7fe1a553c3ba98005834c1abb3066b9fc435f277d24a4d1f21079cd0fb0baf3f88444979439234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
323870cd118e3fd7c3746719a0f3b8ef

SHA1
6babf263fc81017ba29dd03ea4a9d53ffde1b331

SHA256
0a7b8abc4aad2b01d38124f5f853be969b72aff810f0454c18ce465e94ef99ed

SHA512
269bded09af5eacff4512d8da7e590685bc81ece14149dfc75bb91d7a046d52686c178aceb5c1cd1da5f98ff1b6cac62e428e319e6cdaf139a4570d56302bd5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1c4d529d8dfa46bf14762e7d1f2e9029

SHA1
14e5c2a92560500c31b4b06382e4574ddf686bee

SHA256
33bb49e397ff2a85751f5d6ca36a3e7fc89595c9a3d97c7e7892d5aa9941b9ae

SHA512
b98501735a263771ef78ae200b7f89d477f1d7bd6d8e0d0f6ed9851c376f6154c1e7f89b6edf7a3b1fa41b62fd003733ac5976898bad1ac2445b764374b2d419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a17755161490e1c2e62502e57248da87

SHA1
2319b111ab4a59edaa8d4e1db2cb5622254452e4

SHA256
2184bdd7a1b357974e649009e075f96450f50073324c5ca597831c66876c596b

SHA512
44df1d6ae1a3302fb78d2523092e8e65ea45640cb158a525c67db53945ff943bf23e7d8aba6430aa73ffb3aae99d31a892cb6291491a7399e1fd89a2c2426471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d5fb82d2a3c78df0efb2d9a3a2c237e

SHA1
032b8a217dc7edd24e1a115c06539f91e020f89e

SHA256
2025e247fe24e4254271f376a863f07784d9701db8f67ee219a8f819996b2f08

SHA512
665bbac7d646f7b17101ee8d40788fd1beacffe675d2636a27bb1ff4c577ffaa2a5076e82214dd7a09b9e5cef968926e11c607fb9a6ce92443b0ff0ef4ff0017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7d08c8ccff8784c7b3a5c2abc238ab2c

SHA1
c63a70eab96546a8e21e93b872d2b64035370e7e

SHA256
3e6eaf1140e65e2efaa5191c18d20500696f30f8891d7045628723aa94c45be9

SHA512
d9180011f11609156cd3f943ae5316e2e59cacb036021241b459531bfa0acb5ffd3741a688076b15b82969ca8fae4eb19db81bd23e22ce733e642bea1439a69e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0e414e4d331b31b3ffa4c3420dfcf2fd

SHA1
a56da2552419592804edd35609225cfbff7cf5fb

SHA256
8d8c9829295b3b09215ad6cd3718b56d711130df57a05f95fb8b7a5a54e17325

SHA512
9e75872889e7e4918c79d133cfea03e5757b2c7f83921ce16fd59d3e60b6761edbd5a1661659c66ce8d332f2a40aeaa2db1ec500eea05d32c6c0290419883286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
efd4c99e2b5667dba0f33592f6a58838

SHA1
68fe623b1f88e1f95735dc67918e76dee7e33cd7

SHA256
41490a5f5166d5d6530cebd54386008dad4ad10791b538988a4bfcb465e78a1d

SHA512
1d715e255648c258da825173cb9aa20c45e4f0dfe016805fd2755c70eb86d5ab9ea6dc335e46eff2a7a4ca95df8872368ea86e2351d590673d189d07eded346c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4e55d17874af96cd49d3162e1fcff9c2

SHA1
8f96ea1652d8476d6f106e35a8a317b41b743163

SHA256
2ec57b11569c93e4cb2dc1bc88ce3470af66d12abd7d3b6160d4e241242458f5

SHA512
eb6d9b7fd21499e8bc0d5060c288175b5ef7066d28e2191b936c6839d4311cca72c40ae37d075fac173904ab0f7f54d3c185a48523c1fc8c7fa99ea0573bdc03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
16ef21f4ec7d56e0fce7860080be0ae7

SHA1
ebcb52b5860b6e752e18094423782e4433fc290e

SHA256
86438669056cc6ee682c85445f089acd820129d5242cd9bb2ded875fcbf0d002

SHA512
46e6e1a66c1ccc0a486f0c3a78149c865aef8dfc82bd8825511bb782c9ec5c55cd34f05d3d4f58841984efe04a76df1677a7bb594f6936453e248b2929918b04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
114b020ae935475c85a181975df53921

SHA1
ef8af27b2cdd54272e804449f8c5c1edb19428ed

SHA256
cc08ad510527b3ec2f8ba9b9b15d457b084b0d301b9dddea096467dafe2b53f4

SHA512
9153d25defe06b47a9d63d416e78f974d149914f20ab1885160780c2f8cbbb1bb0c2ad745b28ee6f7c4f12eeed10cc635e0f55f2c2f0b498b22e7eb6a08b581b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
75737a793573e9f5efdfdc7dc08ecc1d

SHA1
7887d08fbf8cfb2d5a11c9853267d5f199091bf1

SHA256
df7f92f02f55bc34d7045138e79404b321301e90586be3d4d640af950368bb2d

SHA512
4826610eb5617f6d9e104158c60777fea5fb78a17d00ebd70ba7824e05f882bf0b05c89f82d120795239013687646c3a045387fe4623e72d3e39031b3b7e2ae8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b6d1b54d59322de0e19db7c07dacf851

SHA1
82fdf797c33d1646cafda60fcf5c0b3f90587c03

SHA256
83628ec1b29a1499445f5e9c8ab79e6bbff07cd2b4c41183aeaf326644dabdf3

SHA512
b04eabfadaf6c381809fc53155eaa1d7353a54f250ba2dda5641eed64a53b8010f99ba2b821e536ff14cd24824d551dfc3dd185b086b2c0743b719fa57f9aa61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6a94c0f513dce1577a08ef0a95be01c2

SHA1
69da9eec9566b87277b7b0dac0e33a4d27f4f80e

SHA256
66b280c54e3a06da58cbd4c17bf1f2085d4bdb373ca7d0ade464a64e1ca73d90

SHA512
5ea8b852e521b1577eb765b58d8283c200828ee7c196d28c0f6c0235b62199bcf56e217971cd107b3c19074cfeed0777e45eda7b84e3c1ded1df75870a438e13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
88cc937e0aad974f1095ac7d391b50d0

SHA1
cf4f2bb97e8c516d01fff7561531eab3a0dae27d

SHA256
957ffb375c759cc9526667401604bb5008b171f193fd30948eb1cefa23399000

SHA512
a148f56d767d7247ad3f7c97ddced501cea7185df8681f8195ce75a8d226c224769d53d8c0c09e7f7f5402d0149fe79ac8f293239c632dfc0f6af10074000bbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ca01902e5c9981085bab240ee11041f0

SHA1
de4dc7e96d116956d829eb037eeebc57830f9307

SHA256
89dcb0aa348a5bfc5ba76937617e15bee23fc8637316abb5e7a895fcf19f6990

SHA512
c95ea6050490d87487000df767065f915a750b04505898bfe9f6c9100256c3838627071b33e27fa2e78502799170c61216394a719e7aeedf10d302b5b9ee060c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
580994e4ea5ef01e3a360805f6752d2b

SHA1
92f3694d13612068e1f2e41410e2c71e2d62ad65

SHA256
d26a2728b48e5c70f7784ae58dca3b47db5e920793962804728f313f03eee26c

SHA512
76a6606202922ab418596e361c9cde506f39af78d76a20e4612920daef82e502615ccc183928fc31ada529709b15adcad930930defa7124f309920a2b4dfb0e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
d63397b2199a7d5cbc1085b71431c376

SHA1
0679edb654c3c54884a8981a47723280d7b58825

SHA256
f91a1fa03015caddd32023049c6082757d6568dd890c1645efe16871925299ce

SHA512
3bb09830d5824a9fa1845c5ab7743f835ae2e3cf02834008498c8c871728651657cc8bc3066d6e6983d5d1745e8fc41127b1d49e5257f29f5a844c2fa7ebff6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
01fb8a453be747877fbd93435c90d271

SHA1
545ecbebe48c71bf825dda61c2d70d841e868f7e

SHA256
f38d6c70215b248a61241620d7482b3574c4f3044964e76a63c338a0bdc6ff0a

SHA512
2a61cd723dc8a4f81a1513b87250389ecb252a3abc93a5a229260451515428b406f8ab29ab260e1b59cbf678411b1c77992b925f59ad67e34e26daeb586fecbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
db1479665121f4146ef175deeb60c832

SHA1
c15ef2e6a248ff4f7ce39f269bdeefa03eee6bd6

SHA256
eab2b7d7e8a3fa9e0a74f000d6aa53107ba61a8221f71a5afbc058c47b01d7e0

SHA512
bdb449042e07b65f9e14bd42e438d3d89022321c25f9a6c2d4b485ee2404e5b591a6f5153ba49fb2363db07209f650e66a57ad924ce0d74c1a4be08c98eebd8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
31a544943a0dc9d45d866ef8472f46f1

SHA1
fc5555864ce3929714391d29bb36c7985ae745bd

SHA256
6441f3b39b2d3d8eaff241d1a369f4378552361d5f0182f0d3b7da92e9001fed

SHA512
2fa8fbf86b2a9470bde840da7256c45a497bd86d56bf5293927bc0997905719e6856a5cc4b7edaa46d983a11cf464299a064efb411d01a36e65be135307585a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
462ba25e5cc87ab4e7cee7e98d531eb1

SHA1
38ce43a447cb33dafba656146a006b8c57f3d13f

SHA256
70c7edc5177911fd187257126c58cf383a1bc58a8a95ec0c3fd2b6b841a1b901

SHA512
038fa219af934efe26627b657fb7c7dbd6bc8dd7f0bb53414462c3db3fab4f9abf49c51b7d190cb1d59b699801c6957a146f93a6a30f3e911de8ae737944d9b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7900c2d86d726d72c283194e58e73f64

SHA1
88a823521591b4752fc725808234de470dcde798

SHA256
cc115c194d36f70a0c53488a3082e915534671e7765426ce2085f92b5240fea9

SHA512
df3ad7318542f14e6bf7962bc5d45f2fb944b79f721d1dd37069443a2f8fb9d42c81eadbcb56faa42cfc88c6494b852fa1aaf4dd1597856f00fd23574a25fd8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
74c38e6e4e69f55ae5226eceb2c700ec

SHA1
4067008b711ad44318251d8c5359507af0248fb8

SHA256
857d40ead62d6365a10e7a3f0d7fb6ca967a546b40d01d58c8d3f6f6f5be0e8a

SHA512
7c33a58f50af7f073430e025515bae00aa30478508669b91124ea626a0097fba33731da6a7fd3d656ea10f50ae12ccad7557bdd79527097a09dffc587675693d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
36cda0f84dd7efb8ab035aab05bd9231

SHA1
d2dde75e142967c8d4325b9c7079d57e85b1b952

SHA256
dd8aa2155323cd2464b9074434fda3fe57bc55e68a7ba07465694ec40a30b4a6

SHA512
6c994a310db2502537e23e64b7b7b3844f70f5152638c8eda57e68ff80b24831a155bcaaeb0e36d26cc0d519dd4d9163866fa4068b795f5b22535174a3edae49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e90ef553f0d585b3ae052442eccc009f

SHA1
a77aca166b74bbb7626148c00a9100c3565b80c6

SHA256
fac572699852ea16d03b86c2965c25a9741bc952cc7c16eaba4a3fc6ef4442bc

SHA512
c7a3fd457db4f49f935504a374c8fd8a7c4fef5420a43307ede1b71d58b52e769ac34a537821470b047c195e4b391a8871c29ca6380a4dae88c0745333876e91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0afa39b2691b285bc6af57e1d4359a1f

SHA1
86d4177e5210d98556666ff3e28566cb04c2d061

SHA256
f0983005f0f42283b9f398dd16cd27ebef52f56a507026907103fb4b9043c332

SHA512
a1f86917ce24f1b493cb28f97a47e83ade71f1b6970b9ac53ec3ee6f3072f88ba0cd69e7666373d20083f7c42f5a5eceaa0b74fa75be08757515b8420e3a73a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5891fa.TMP

Filesize
874B

MD5
e7734aa6c383b36fa7b469d6a0708955

SHA1
6ddfd34a042bfc3d91c33261fba83456fd7676f4

SHA256
dc7fb5f9de95348e67d3b1ad02dbfa6ae63d0dc670bfc9e332abb1ef5e82619f

SHA512
a6fea4e4025bd3452f306bb6a96924745f57747933b898c02ab7c85809d79a84aa7413cd8cb560bf29f1b00895540b7fe614c46f1da9803ff7ec076abfe18d53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe61daa0.TMP

Filesize
1KB

MD5
586064e6edfb81d20a40a50c7d60c4fb

SHA1
54ae8e8866d08898ff5e79aad6b7d34963cbe76f

SHA256
808b99b31d4ab39fcfbc8e32b5c3e1e24a6640ee3cba98d92e4aacf4cb1b988f

SHA512
fec6b9dd482275b4130777a84ee37d01c1771cfb58eb702f10d8d38466622c627ee1f7c82c8b79a2a8b90503e3b70ccdadaa4e879ee8d7ff1fa8d77d167778e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5fa2c87d5b34ffc05377f147012a3989

SHA1
896a306ee4f14a2c5b0f0f69b3b9ec19629fedc3

SHA256
3fff820026508141a40214533346cd0dfb70000d13f2296f540fbd8e85ff32f8

SHA512
a4d5356b4d3884807f041507c787385e9e1dc8d0defa021405b299581e67429bb71a75d14f4b2c4aa22970f809c6f1c46f9efd92222facc0ad1520c254bac235

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a3727f75fb67b8dff6f1863207c2e56e

SHA1
42ec67c4892c6b49104a3dd7cc6e54bacae4ed64

SHA256
12f598074e6519b01538b26c1a89c0249219a4654274cd6fb8a77c79f4ed681d

SHA512
cee3bb7a0ab4f7e3241166d832cd1a11df8057de25e7e99fd51e39e0e7f1da4a2646e7800126382b90d2f41e2ff51684b75268ff54bfb00821f72cd37713f2eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c8ad9edd41bc754a6f173c3de009c8e6

SHA1
e86f720c2edc83d337d01605c247ac90df22e58d

SHA256
c7215824b3db5b09d9cd5e30f8dc1e79dbb3db886d5b239b8101fd3e1368a132

SHA512
e89e9ed02bc22b11d09223c2c4676342378ba68be1fa5d545ef810c4c68a4d3b6ae54ba851e5e7dd000313de936b3b7eda2220b4c936492d56033ba5e011b2af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bffc147b9c963b6c68336fc9d0b517e6

SHA1
b21197d7e903bbe8feddf77bc04cf5845059b9e7

SHA256
504dea7ebfa8989f42564e2fa3f48cfea6fba63730aca3f269e494b14647660a

SHA512
7a2ca0fbc0700b1e9e2e8c0ffc7eef094f6867612fa2521cc933bd9c5c0746dc50f239176449866af8812f5f20530908c8abcd2697ec9dd058956fc9313046fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dea776b68eef0e1282c4bf73eadbf65e

SHA1
66b73fb6d1dcb4a0756daad42f389624b2f807c4

SHA256
f9922747de4d29696c373b016555552ce7e98c5876dcea3d952df00b64c6bd76

SHA512
0614d2d96624d3dc87f0decdc88b8852346ae711a71db313228eb5015f74f2d971c308bd9940aa76cf9f9c8611ed49ac2db845abf9c6fd88d1d28885676336d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
eaf2207d94dbd65427cc894faa90c8a0

SHA1
61cd8eb587a85f1efa6cf542e7627e139c900bf9

SHA256
0e0b566fc7354e73ddb915a4436c4097d73b55c1b43c77a15e5668347b536ef9

SHA512
27f79b2e90fd1d7882b52e03f586a86ac9693c00ce610d82c8452cf127bd630ebed868575455052cbef29dd9016878995776987ed406da8eda079b0eacb9b288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2456933830189343af6f1000af603c14

SHA1
3ed5a4789724b009d049e593feaec487af5500e7

SHA256
e8bb805fd62b7dfee318d69223468aaf170426f8ffa9efa2d119858cdeb41fbf

SHA512
bef5c4c8cdbf2fe1aae454ed32f272a198226cb7b642012837c9ec53834b197ea04b94cca436bc701f6f21b88a349532fcfa70b26e129ec3b8385f2f3b5ae96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ad76bebe51ba9293eaa76eff6848846a

SHA1
16d0d64403cf243259f428fd756d736847bf62c1

SHA256
330cd1dbb5cce4602784695d780655bdb3568f3ddd8824d4e95659860d64bb60

SHA512
e1e63e897a4f91b25a9d8cacf8313b5f949ad9f750a0ef45b5cae774455ac7fbb2bb4f1a31a6d8512aa9c13658f64915817dd670bd8cf321ad694eb8395640c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a5e8b536fb0f993b824c6d5f7c331008

SHA1
bf8aa34601a702b9fbac506803af9abbc2c734d7

SHA256
0204e37601f34037b64927259f78bd616464fbad15559e3116bb83101d16c49f

SHA512
f768c65ea53f31470fa8a41e299a43bcef21dd19e03df91e37d3f3ad36d655fe0c616b335b7e2236c44a6fa159bf14e7ee3bfb34f5d0e019b412d38d09580674

Download Submit
C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Bezilom.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 216548.crdownload

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 272040.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 409155.crdownload

Filesize
13.5MB

MD5
660708319a500f1865fa9d2fadfa712d

SHA1
b2ae3aef17095ab26410e0f1792a379a4a2966f8

SHA256
542c2e1064be8cd8393602f63b793e9d34eb81b1090a3c80623777f17fa25c6c

SHA512
18f10a71dc0af70494554b400bdf09d43e1cb7e93f9c1e7470ee4c76cd46cb4fbf990354bbbd3b89c9b9bda38ad44868e1087fd75a7692ad889b14e7e1a20517

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 504359.crdownload

Filesize
181KB

MD5
0826df3aaa157edff9c0325f298850c2

SHA1
ed35b02fa029f1e724ed65c2de5de6e5c04f7042

SHA256
2e4319ff62c03a539b2b2f71768a0cfc0adcaedbcca69dbf235081fe2816248b

SHA512
af6c5734fd02b9ad3f202e95f9ff4368cf0dfdaffe0d9a88b781b196a0a3c44eef3d8f7c329ec6e3cbcd3e6ab7c49df7d715489539e631506ca1ae476007a6a6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 547857.crdownload

Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 574450.crdownload

Filesize
1.2MB

MD5
e0340f456f76993fc047bc715dfdae6a

SHA1
d47f6f7e553c4bc44a2fe88c2054de901390b2d7

SHA256
1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887

SHA512
cac10c675d81630eefca49b2ac4cc83f3eb29115ee28a560db4d6c33f70bf24980e48bb48ce20375349736e3e6b23a1ca504b9367917328853fffc5539626bbc

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 672288.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 743813.crdownload

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 911344.crdownload

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 911344.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Pictures\HideAssert.bmp.id-C0D5B4E3.[[email protected]].ncov.locked

Filesize
2.5MB

MD5
c2beef3184a0b6bcf636c196db3ce88c

SHA1
8d7f47b28df46480701d0fc2c425911c9ecf077a

SHA256
1cd9f87681eeb2dd4b08bae23ae96e8fec8fb2c40243932db2c280404b684cdf

SHA512
7c852b6a983d494b4fab42cef5c3fd36a5f5df43190827b4cece95f08e9cf6c8f004b7b05bc5699c091a0021cd27642c958b58c4de7e1cb8207515ef7529c67e

Download Submit
memory/1500-1485-0x0000000000940000-0x0000000000965000-memory.dmp

Filesize
148KB

Download
memory/1500-26740-0x0000000000940000-0x0000000000965000-memory.dmp

Filesize
148KB

Download
memory/2452-1490-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2452-1502-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2452-5080-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3308-1430-0x0000000002460000-0x00000000024C8000-memory.dmp

Filesize
416KB

Download
memory/3308-1427-0x0000000002460000-0x00000000024C8000-memory.dmp

Filesize
416KB

Download
memory/3308-1419-0x0000000002460000-0x00000000024C8000-memory.dmp

Filesize
416KB

Download
memory/3440-1486-0x0000000001000000-0x0000000001025000-memory.dmp

Filesize
148KB

Download
memory/3440-1481-0x0000000001000000-0x0000000001025000-memory.dmp

Filesize
148KB

Download
memory/17648-26606-0x00000000007E0000-0x0000000000A6E000-memory.dmp

Filesize
2.6MB

Download
memory/17648-25685-0x00000000007E0000-0x0000000000A6E000-memory.dmp

Filesize
2.6MB

Download
memory/17648-26704-0x00000000007E0000-0x0000000000A6E000-memory.dmp

Filesize
2.6MB

Download
memory/17648-26738-0x00000000007E0000-0x0000000000A6E000-memory.dmp

Filesize
2.6MB

Download
memory/17948-26554-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/38984-26551-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads