modiloader | hxxps://github[.]com/enginestein/Virus-Collection/tree/main/Windows/Source

Analysis

max time kernel
288s
max time network
348s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25-12-2024 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/enginestein/Virus-Collection/tree/main/Windows/Source

Score

10^/10

modiloader njrat defense_evasion discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

modiloader

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit32.exe"	Fagot.a.exe

Modiloader family
modiloader
Njrat family
njrat

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

ModiLoader First Stage 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002ad13-611.dat	modiloader_stage1
behavioral1/memory/4116-689-0x0000000010410000-0x000000001047E000-memory.dmp	modiloader_stage1

Downloads MZ/PE file

Manipulates Digital Signatures 1 TTPs 12 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	Fagot.a.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5728	netsh.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:SmartScreen:$DATA	NJRat.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:Zone.Identifier:$DATA	NJRat.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe

Executes dropped EXE 9 IoCs

pid	Process
1712	NJRat.exe
4116	NetWire.exe
4648	NetWire.exe
1588	Remcos.exe
1476	Userdata.exe
6124	LoveYou.exe
2912	ColorBug.exe
5412	ColorBug.exe
6064	Fagot.a.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	Fagot.a.exe

Modifies system executable filetype association 2 TTPs 16 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\PropertySheetHandlers	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets	Fagot.a.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost32 = "C:\\Windows\\system32\\dllhost32.exe"	Fagot.a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Downloads\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Userdata.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\~~CB = "cb.exe"	ColorBug.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
4	drive.google.com
65	raw.githubusercontent.com
70	drive.google.com

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName = "COCK_SUCKING_FAGGOT"	Fagot.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultUserName = "COCK_SUCKING_FAGGOT"	Fagot.a.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x00060000000006a5-1842.dat	autoit_exe

Drops file in System32 directory 62 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bootok.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\logon.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\MDM.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\chkntfs.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\alg.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\dllhost32.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\services.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\userinit32.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\progman.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\alg.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\ctfmon.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\systray.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File created	C:\Windows\SysWOW64\userinit32.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\MDM.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\wuauclt.exe	Fagot.a.exe
File opened for modification	C:\Windows\SysWOW64\userinit32.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\alg.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\wowexec.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\WINDOWS\SysWOW64\userinit.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\shutdown.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\win.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\ntoskrnl.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\ntkrnlpa.exe:SmartScreen:$DATA	Fagot.a.exe
File opened for modification	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File created	C:\Windows\SysWOW64\services.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\win.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\dumprep.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\dumprep.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\MDM.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\wuauclt.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\ntkrnlpa.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\chcp.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\chcp.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\services.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\progman.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\dumprep.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\logon.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\logon.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\wowexec.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\dllhost32.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\bootok.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\imapi.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe:SmartScreen:$DATA	Remcos.exe
File created	C:\windows\SysWOW64\ntkrnlpa.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\regedit.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\bootok.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\wowexec.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\wuauclt.exe:SmartScreen:$DATA	Fagot.a.exe
File opened for modification	C:\Windows\SysWOW64\Userdata	Remcos.exe
File created	C:\Windows\SysWOW64\dllhost32.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\ntoskrnl.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\ntoskrnl.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\chcp.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\recover.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe:Zone.Identifier:$DATA	Remcos.exe
File created	C:\Windows\SysWOW64\progman.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\imapi.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\imapi.exe:Zone.Identifier:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\win.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\Windows\SysWOW64\userinit32.exe:SmartScreen:$DATA	Fagot.a.exe
File created	C:\windows\SysWOW64\autochk.exe	Fagot.a.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1476 set thread context of 2540	1476	Userdata.exe	130

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\NOTEPAD.EXE	Fagot.a.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 9 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NetWire.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NJRat.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\LoveYou.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Remcos.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Lokibot.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\000.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ColorBug.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NJRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ColorBug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Userdata.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LoveYou.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
788	PING.EXE

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Fagot.a.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Fagot.a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	Fagot.a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	Fagot.a.exe

Modifies Control Panel 42 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\Hilight = "26 15 162"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\Menu = "146 99 170"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\WindowFrame = "64 192 108"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\InactiveTitle = "51 185 115"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\AppWorkspace = "76 152 103"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\HilightText = "72 134 208"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\GrayText = "15 180 217"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\InactiveTitleText = "32 95 186"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\Scrollbar = "106 111 116"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\InactiveBorder = "233 86 29"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\Window = "54 11 1"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\TitleText = "216 128 134"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\TitleText = "166 166 128"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\ActiveBorder = "223 235 170"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\AppWorkspace = "19 47 79"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\GrayText = "138 6 196"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\ButtonText = "66 183 202"	ColorBug.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\MenuText = "53 68 37"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\WindowText = "208 31 50"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\Menu = "90 202 199"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\HilightText = "65 63 240"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\Scrollbar = "231 137 124"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\Background = "171 48 81"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\ActiveTitle = "150 43 141"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\ButtonShadow = "76 34 108"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\ActiveTitle = "6 98 126"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\InactiveTitle = "177 60 73"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\ButtonText = "132 137 67"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\Background = "63 112 170"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\ButtonFace = "38 91 241"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\InactiveTitleText = "14 72 224"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\ActiveBorder = "205 237 232"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\InactiveBorder = "29 215 212"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\ButtonFace = "239 194 79"	ColorBug.exe
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\ButtonShadow = "79 108 246"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\WindowFrame = "93 40 47"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\MenuText = "137 45 191"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\WindowText = "214 78 133"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\Window = "174 51 171"	ColorBug.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Colors\Hilight = "91 200 38"	ColorBug.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Main	Fagot.a.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "www.blacksnake.com"	Fagot.a.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0322-0000-0000-C000-000000000046}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.OpenDocumentPresentation.12\Insertable	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8DA89837-9DCA-3A9D-8895-DFC4491A5E76}\15.0.0.0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4F925449-10C2-34BA-81AB-6EB5C8F82F3E}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E985809A-84A6-4F35-86D6-9B52119AB9D7}\9.0\FLAGS	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC917F06-7EE0-47B8-9E1F-C3B48DF9DF5B}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B076AD1-BD51-11D2-9238-00A02448799A}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00F20E90-2168-4CAB-A8E0-C7D0029965E6}\NumMethods	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40B783AC-9C9E-4F73-A1C3-E767FC211B2C}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5A05B5DA-5AEB-4290-A08B-57177176464A}\NumMethods	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30590072-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\InprocServer32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3257068C-AD6B-3E02-B74A-2C295384681E}\15.0.0.0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{04B01227-B5BD-448C-89AB-D990E9E346F4}\15.0.0.0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A2F2C782-F929-4FFA-8699-88D4C4C07B17}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7372DCE0-F816-4E35-8B42-64B7F50E6395}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{72F1B36D-E413-4025-A1A6-B8D612CF9ECB}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.wv\shell	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage\65001	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B3D28DBD-0DFA-40E4-8071-520767BADC7E}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ttffile\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C030C-0000-0000-C000-000000000046}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40B92C37-5745-4872-96CE-24D0BE89763A}\InProcServer32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{5F7A2664-4778-3D72-A78F-D38B6B00180D}\2.0.0.0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B34E469B-BD59-11D2-9238-00A02448799A}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A88E90A6-DD82-437A-B89C-DC2977EB7BA9}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E8304B8-CBD1-44F8-B0E8-89C625B2002E}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Microsoft.Paint_8wekyb3d8bbwe!App\windows.fileTypeAssociation\.heic	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\DataFormats\GetSet\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.DocumentMacroEnabled.12\shell\ViewProtected	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage\1256	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSRDC.Similarity	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E790E1D1-9DE8-4853-8AC6-933D4FD9C927}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.asf\shell\AddToPlaylistVLC\command	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{62ECB562-B92A-37E7-8D5B-84036A1A4348}\2.0.0.0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.DirectMusicChordMap	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_~_8wekyb3d8bbwe	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.cap	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\System.IO.IOException	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E0ABC3C0-D199-11CE-8CCE-00AA0044BB60}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-excel\shell\open\command	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mp3\shell\PlayWithVLC\command	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\Conversion	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2981c306-09ea-405d-9d0f-83337827bd35}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D4514024-95CA-45A5-B7B4-A38768D31513}\InProcServer32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe!App\windows.protocol\ms	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A4AD36C-8B24-5F2C-AD6F-6A936A17BFC6}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C03C0-0000-0000-C000-000000000046}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3574BBE0-F520-11CE-83F6-00AA00479846}\11.0.0.0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.heifs\Shell\setdesktopwallpaper\Command	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{51E1B3CA-D3CB-39BF-A016-6199569E74B2}\2.0.0.0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\ms-actioncenter	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30510750-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C100BEEA-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ogx\shell	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.lpcm	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{384D0656-2A34-36FC-AC92-F2FB3072D0F8}\15.0.0.0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Slide.12\shell\ViewProtected\command	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0330-0000-0000-C000-000000000046}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.3ga\shell\AddToPlaylistVLC\command	Fagot.a.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1852	reg.exe
3448	reg.exe

NTFS ADS 19 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 836493.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 649078.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 332570.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 534158.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Lokibot.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\LoveYou.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ColorBug.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 261213.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NJRat.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\000.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 55077.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 876357.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 624174.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NetWire.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Remcos.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 248690.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 570508.crdownload:SmartScreen	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
788	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4220	msedge.exe
4220	msedge.exe
1248	msedge.exe
1248	msedge.exe
3700	identity_helper.exe
3700	identity_helper.exe
576	msedge.exe
576	msedge.exe
1652	msedge.exe
1652	msedge.exe
3892	msedge.exe
3892	msedge.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe
1712	NJRat.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1712	NJRat.exe
1248	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 36 IoCs

pid	Process
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe
Token: 33	1712	NJRat.exe
Token: SeIncBasePriorityPrivilege	1712	NJRat.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe
1248	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 1856	1248	msedge.exe	78
PID 1248 wrote to memory of 1856	1248	msedge.exe	78
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 2788	1248	msedge.exe	79
PID 1248 wrote to memory of 4220	1248	msedge.exe	80
PID 1248 wrote to memory of 4220	1248	msedge.exe	80
PID 1248 wrote to memory of 3584	1248	msedge.exe	81
PID 1248 wrote to memory of 3584	1248	msedge.exe	81
PID 1248 wrote to memory of 3584	1248	msedge.exe	81
PID 1248 wrote to memory of 3584	1248	msedge.exe	81
PID 1248 wrote to memory of 3584	1248	msedge.exe	81
PID 1248 wrote to memory of 3584	1248	msedge.exe	81
PID 1248 wrote to memory of 3584	1248	msedge.exe	81
PID 1248 wrote to memory of 3584	1248	msedge.exe	81
PID 1248 wrote to memory of 3584	1248	msedge.exe	81
PID 1248 wrote to memory of 3584	1248	msedge.exe	81
PID 1248 wrote to memory of 3584	1248	msedge.exe	81
PID 1248 wrote to memory of 3584	1248	msedge.exe	81
PID 1248 wrote to memory of 3584	1248	msedge.exe	81
PID 1248 wrote to memory of 3584	1248	msedge.exe	81
PID 1248 wrote to memory of 3584	1248	msedge.exe	81
PID 1248 wrote to memory of 3584	1248	msedge.exe	81
PID 1248 wrote to memory of 3584	1248	msedge.exe	81
PID 1248 wrote to memory of 3584	1248	msedge.exe	81
PID 1248 wrote to memory of 3584	1248	msedge.exe	81
PID 1248 wrote to memory of 3584	1248	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/enginestein/Virus-Collection/tree/main/Windows/Source
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc4c2a3cb8,0x7ffc4c2a3cc8,0x7ffc4c2a3cd8
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2008 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6464 /prefetch:8
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6352 /prefetch:8
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6744 /prefetch:8
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1
  2⤵
  PID:3596
- C:\Users\Admin\Downloads\NJRat.exe
  "C:\Users\Admin\Downloads\NJRat.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\Downloads\NJRat.exe" "NJRat.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5728
- C:\Users\Admin\Downloads\NetWire.exe
  "C:\Users\Admin\Downloads\NetWire.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4116
- - C:\Users\Admin\Downloads\NetWire.exe
    "C:\Users\Admin\Downloads\NetWire.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3120
- C:\Users\Admin\Downloads\Remcos.exe
  "C:\Users\Admin\Downloads\Remcos.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1684
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1264
  - - C:\Windows\SysWOW64\PING.EXE
      PING 127.0.0.1 -n 2
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:788
  - - C:\Windows\SysWOW64\Userdata\Userdata.exe
      "C:\Windows\SysWOW64\Userdata\Userdata.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1476
    - - C:\Windows\SysWOW64\cmd.exe
        
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:360
      - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:3448
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:1
  2⤵
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:5884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2600 /prefetch:1
  2⤵
  PID:5920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:5892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7120 /prefetch:2
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3892 /prefetch:8
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6712 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7288 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6160 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6320 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:6088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7516 /prefetch:8
  2⤵
  PID:5896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:5904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7816 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7488 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7708 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7488 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1224 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7648 /prefetch:8
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7800 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:6068
- C:\Users\Admin\Downloads\LoveYou.exe
  "C:\Users\Admin\Downloads\LoveYou.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8140 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8116 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5820
- C:\Users\Admin\Downloads\ColorBug.exe
  "C:\Users\Admin\Downloads\ColorBug.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  PID:2912
- C:\Users\Admin\Downloads\ColorBug.exe
  "C:\Users\Admin\Downloads\ColorBug.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Control Panel
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7940 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2524 /prefetch:8
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7740 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3720
- C:\Users\Admin\Downloads\Fagot.a.exe
  "C:\Users\Admin\Downloads\Fagot.a.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Manipulates Digital Signatures
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6124 /prefetch:2
  2⤵
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2052 /prefetch:2
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,2991465041655010271,1665020615189978236,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=7628 /prefetch:2
  2⤵
  PID:2712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1152

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E8
1⤵
PID:5040

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:5220

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39cf855 /state1:0x41c64e6d
1⤵
PID:5744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c1a24fa898d2a98b540b20272c8e47b

SHA1
3218bff9ce95b52842fa1b8bd00be073177141ef

SHA256
bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95

SHA512
e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d2c7fd2ca29bb77a5da2d1847fbb92

SHA1
840de2cf36c22ba10ac96f90890b6a12a56526c6

SHA256
58d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5

SHA512
ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
18KB

MD5
7d54dd3fa3c51a1609e97e814ed449a0

SHA1
860bdd97dcd771d4ce96662a85c9328f95b17639

SHA256
7a258cd27f674e03eafc4f11af7076fb327d0202ce7a0a0e95a01fb33c989247

SHA512
17791e03584e77f2a6a03a7e3951bdc3220cd4c723a1f3be5d9b8196c5746a342a85226fcd0dd60031d3c3001c6bdfee0dcc21d7921ea2912225054d7f75c896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
94fd3c06253a91dec55429d79fdc3d65

SHA1
59870783eeba6450b7baf8981ff03c90a9223ac5

SHA256
1c1b29dd385163871cddd32aaea1f4394af7b184f58393011f2f1a51c57705f2

SHA512
3dd69003cbaaccb682ea2e9e2c6bba95b035ce6e4f8405e6381974a6aa6be33bb95f3b4205419dbb229fe1e8a50e51982a6e5cd2d45ec9338c8fb0d3afb2e53f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ec71b71ad0b83f38a04da9949601d972

SHA1
c33200c3be3909c0f84b7c4cb92697c0c82210fa

SHA256
b8a9a9b1f70c47c5b3ee40332f4987298ffe6644931a0e3aad88597772a55066

SHA512
60d6ec968e8d3c57de2b10bc76ff773556f77838edc20e860e055b297ef5f8b2ee696542369acdb0e3456ad406b48dc5f498af3c85024f175d29bf5f5e8ae7b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
733B

MD5
8fb8edc93a5c5d9de0ee2937b6b2f3cc

SHA1
dc9880b3c0ddaa336a4781ee01b14bc983665347

SHA256
5b98b5526dd97a6d7f1385810c0caed9842ea6a1926b13d6ba6d1a2e05c6ca05

SHA512
d17a147a59b2b2f12abdf7092d3ca2b510e596198b5b121a872367fb3469b814a4c8265782ac96eae619db6bda0b7c0ddb2f5d41426e8adb07618509d62abddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
a45bb3f4bdc9e42bcc24b8546a3e002a

SHA1
58f3cb11d2afbb6f099bfe366f8d41febb7c736e

SHA256
4378928269b8f4e1bfc14b9107d72d03e8447706d3654173516be928fae62f05

SHA512
3c7d867c04125259c3526e99db95519481a0ef509af251206fadf4cc4e223ea03800d86c74564582ba0a8c7b33aed21e32472807bbdaef82f5cd5b7b15d8382c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
81cc2d6aebea5ca1cae5a9e6967fff46

SHA1
64d622fff979e8bb4b6481738778d08733074f7d

SHA256
3ffc7b9dbd54e325852536de78cc4252224630da9aa8bcdd536e4f5618c771ad

SHA512
5608b07f20c06f8b8a0c6f4c60ec528eb6071e6ffbbb12f5fd5dff3b82141ee833e641afd7f32bb4904c2c07155941d43e671fd8b9f9389d6fb40915dfbbf178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c47725ddb471189983c18bd06c800025

SHA1
a8686fbcdc21825fd05b90371309733f58cf462e

SHA256
04dc54caf107ad737f089ab72bebe34a6e224a255cc5d1b5d2e313fff1ed5c87

SHA512
288aa7a0395d5ef7daf1c1581e85e7f244c8868acdb4694bdf19cc34f409a2c459da6f64c170eefbed3d311cb0bac767c5dfd0b93ce5cf3b18e7ee53f44d3cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c8efb86a5af979995e6cbfffd3abf58c

SHA1
571e699cb7ed8adbe09a80ef7d4e2dc2029ae2c2

SHA256
7ae6ff51efa25bba0e8fa57c8e77fe3111d043ec6c750ad8609a14a46d8b4816

SHA512
bab01bee2862e7ad940a44d469de6209b709ff383c1586a9f6b7edb9e025fc2cdf437ae54f629e954aec93b9e801d60ba248622f7c587190aa6b64deada55613

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3652191cbccec5bb5f4a2bcbc22a8312

SHA1
ca55a4fafd2a8f0bc8a0f18ef23799238c6e88c2

SHA256
97751516808f1b1a231bd8835f909e008fc326ff3a71de5462f934c52f589126

SHA512
efb79ed938c4ceefa5eefbefaaa6270db4efed59cc655519ea31e0f7447d81e2d889c0f24d4f19284354c99dc384d7492e0006ce7e1121b42b61906a9c8d4212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1e333ac076d91f0c2c8559745f6b3a9b

SHA1
bd5acf785368ea91f4837b41eae3a396e7ee6a01

SHA256
171d9822f9cdec120ccb466eeedafc906b04728e2ddad66c22880bd8bdf6a182

SHA512
2dbe32c2c650f52dfd7ee3e1b219c4b7f06922afc427dc2fea89ed0d73ab1ec159f63473e1a118c13c043095cfd4445185d20b4d1dd3899f6ca18e149d884075

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cb1930e9bfc916fab62b43562ae4545f

SHA1
3df0a75601cbde53bd35b155e79d3af5f14e4c78

SHA256
07acf4b8426346853a04f419173a4e488380c65ded24f6b7d18f25344f3492b0

SHA512
3bd0210c304aa5d56bda31799b32282c37d9dd13191f9ad88214a9bf35c1a5b426a2b1f5a75682943b613866e8cb729fb9c789d82724b79ef8845dc9e3478883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
64b4adc74401094d5650d12ea8ae84a4

SHA1
2425c87ac3af0f47ed15f25501c43247bdbd0de1

SHA256
5b3230f038e1cb6bbff79be4070b576ff7a2f20f80de9b60af0810be29a04947

SHA512
cf00edf6367a9e38ba3110301f93e87083a2993f5756094c4433555426f863277a0fc09f3de7403bfe52f0d0bc4394b0ff4db94672427783424bb1914e90bb73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e2f0d0d1381dc5645097442f9dd5dd44

SHA1
390a81910452cbc7614caa91b9ec299546c6294e

SHA256
6cc4b4b4afc9b73cdf199ebeb4127e80b6f06f6431415291ab67bc24b52218af

SHA512
b98b1a19c140802bb920b83e7730433368593b62e85de87df0672ae3babb765c8df0496f8547604e01f51b29113be4bc17ab93e5a454510c89e800cd96390a89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8633ef29e69db25eb066781faf618aaf

SHA1
1742451bf6e50fdff77f70ec2a9eea771b9d09f4

SHA256
68b46525e4aceb80b4778dfc96c4214f0241e40a1d1cb91656f54e48615498f0

SHA512
f2e56f98b930485c7aad4af65530ddb6a5780e5d73e515ebc1f881cf3f0e7b7850872e14153bbc2fc12440794ad60b1e331c61d8c26ff6695f3d67fedf025309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a3b606ec565d8793b988d0fc454f27da

SHA1
dd15702386296caaba3ea06a7f0aad59e2cfd140

SHA256
32820dd73577cf33f23b3a069678667c0fcf8bd981c1119415cc13be33f31167

SHA512
b54d532e80873492d1285cedad36b438eb0a78cb2c579cd1f677b89853f561a42aa64acfe00a4ebe379bcf2d93a06f30815f5a1a885c2c98131aaa367b867903

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8a59cfb18cc68edcc69996c2b6737548

SHA1
d34a7718ad42d21b3f38738619838d8e612fd77b

SHA256
14f5749641277fea7ab8905eb0888137fc340e99942c2eb2c587269ccb14533c

SHA512
c48fef643cf3c1de23d53a2a415b28ab7113bb95a46c9849f941e5f5817c7d00481760f35bda1345718de6aceed86ccd35d031f283dd07bfa94c0d5ec3f698e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b06215490f2922ca0bc325810ce5cafb

SHA1
b8c968ffe59cbaee25951c7aac0a7d497a265fc7

SHA256
52bacb9a663156b4e2592fff8081bdfe4211b7ba27d5e2740dc71e7f7d4b19cc

SHA512
220e564c7c9c885fb8a2fae93287d7734b64693b6b9c0c0de90570c40b4d2e822f7ae446d111f7d766703848f67b0af18752711c39b9f8b969d2b86568a7a997

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
173717677def73e6598484b8baa88d4f

SHA1
a3a7413bbe9949ac15e58017ea7501105cfe932b

SHA256
8df7f004db5214d8d82c3d72fa65b2f8897d57a2f7a045a1594a67c5d7ce81a2

SHA512
4d7cf31d336bd3b4d223ab25704d1bb37768f4b8be54928b1b2a2fcbb6e9fb57e79f28fefc4cd8f181b512317cb8608812d341f13d187bd7b7b65d700076c633

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
11f66290e4f3f800c73aedf9123b41c8

SHA1
d9325ea6acb2e68e1e5439e34fdaa44e97f80816

SHA256
0b25315c1398f9faa5307abd9864dbd3601c1a5902da4f6b8e1b24aa54fc6651

SHA512
5dbf502935c8903fb2cd2ad793dda201f1383be0dce19569fef35f41fbff6c25026d754222f590f3fbeca289c02ceefb255c1e2259d8e86ff3b571051bd7bf31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
076bc8baef71abc809561d25aa21a43a

SHA1
85df0e42837a0df9f5f3e004af81ca7c2c556b0f

SHA256
5eb36a8bec321befb6354e558223fd0bbfd3de53fa11d3695da985dfd69a0a06

SHA512
a44ad25a832949b2e9749b4ff1c15d8ad72b05493fb723d42cb6eb4ea96f6ff92a6b0acad68afc007056da1cc07d955fc7d463392d30145a029c54a917b75f69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a5ee9b83b798f9362ec799d06ec9baa5

SHA1
67b0ce177bbd5338ed6337575e4e290dcaceb5d5

SHA256
458e08aa69ac20e4f2ea23cf8a80efb115f159aeee8dd8c6021b19a4decdb6e1

SHA512
719ccda83377909fcecd01641bb615a26ebf67e03d4324be2696a4a9289ac515a2f083dd769581e00e21f3027fd7863d2953e1e80b1cb792fd83af5ea7188d30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cd29a174931fe3272fd2fc0101c21eec

SHA1
1ba4b2e55cbe2e1bc2dfbb4efdc7e53c792b64ac

SHA256
6c144904ae33a942ed4942d773c1899611eae76f67ba1b7484ae7cedc64bf392

SHA512
829dfa1b44531e8b7c9ac0b0e1085f3e918403c3b89166e4befadc1f82d9b409335c68075f4c415af28d467404c15b9d8ad5a2f30253cf7346e97f8b4ef7b5e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b8ac34fc3143b374257badd907868f7d

SHA1
2313adaf0014ebcede73858fe01dc6f8e3462c55

SHA256
089821b7d1737b66b4204ba2cdb4f003ef9e646992f9ef3e75069bfe1838ad79

SHA512
f34f80f5f7adacbbda747818c7b49e1c2bd9e1043fdc5c65314c5e9e43c9c3e743878c4d0455179e61b046e33707b6a651153d7911e4a82049995567f09fab96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a6ccf2b1570a004c2c4496becab3c6b2

SHA1
a1f9f4f122e8a8de88eb27e54917ee7c58828f2b

SHA256
6a889701e88bfa47df3d1b2fc6c824b7a189cc477b325b8355311b7657c6930a

SHA512
2806200f8ce4135c7d456a55011b67bcb11ac83cdcecd6e82027ae1ed9a99c401fb6a4672aaeace7b7868978452820deea5cca9111a97b15f8948e78db2551fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8e70a9b6e65ae182d2069ba9e834bc5e

SHA1
1b886c92f15e91455abed1ff42b209d4f1b4c5a0

SHA256
b196da5edb1f96e329d4341fc6dee70a4edbd6bae4df4c2aa8b7bab005ff6831

SHA512
c936eb33ae71c827e40f8a6bd74b7863190bfd2cc11bf6b4007144cd3794e13ba880647173a98463e487fc850f76607a91a8127ceaa513c5ea1b58ed2db12fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8b6bf9d66281fd5628eb8181e58ed2e9

SHA1
dccc84edfa10fa5fc75d0b25abfac828bd0ad96a

SHA256
e0964dda9efa4635d49c8d67de302d987fe6207c2a70c99b5464afcf1fc8be75

SHA512
cf901ce89e4710eaa2a7df2d8c3f9cde3e1221008d5ee0a2d9dcb769f3bfab6f704695d19e5a7b115690b4e210bb22c5e95ef91566bfd902d1389a549e82ae34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0f7fca9ed08f3464739033185f927fa6

SHA1
7d565067dcdb065626143c10a533a4a03197cb0e

SHA256
dd3c99e3c3c190ed28914ba8fab643223a25a90e9666e71e18611dcc278079d8

SHA512
48a484d0761a48dc321046e04fde9d0b2ab04831056674bfd8d4ed453b64596e4f8dd30931f86801fe2e7761b8c0ce6c169fbba0080e8c27bfe352207314e4ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ed7d.TMP

Filesize
874B

MD5
ba673f5d809a45879c2a10dd140d8360

SHA1
bd9a9d823bfd28d24ce60e89f1e9c16c7501e292

SHA256
0b2b6f03664400f74292eaab5d936538f8f987ccca4f7f3833aa01622db7fbc7

SHA512
a1e7b5c277be14202b90c4dffd4848f285cf641da5eace4177c5a62e74096f455a32c2b5e3633c48c382bed73d21c43c28fd35cb6c53e4d49e24688476430da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
8fd77117dc7f995c3aa02e8bbf539d79

SHA1
ffae5c2886a1c9e35815af102159065934cff860

SHA256
dc91e04edbcd7ae25be730341ae09aee9e9562ab411623e32876a373552c95ad

SHA512
20562f170fd4ebaa1b69e0370d6f21d481ee4cfc5c226694a7c20f09741cbb5b05976fb2c4b277b36b1007b78ddbf0ff5f58a1028cf34d46e65bd925fcf7ace4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f51ab4632a9fdd5354c0de693338ca18

SHA1
920db18aef8c3070f31598ef45de973d6c5e4bb5

SHA256
4512d5d080d873aa787752f12249bc312e4f9382e417ef09722d2b76feb45958

SHA512
d297e25ea7b89c94f6b32de01e0ad2c9f52406fc9fe16d4b0c339bde13a6bde0cbd34e955c0cc7b262493cb2739e6ae212b568febf9396c92aae826246c897fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
38bf63d18d6205ce8998f326a061a68e

SHA1
916dbb19dea3e84f37fe95508680e8b7d0740cea

SHA256
6db71c10777c0c9cfa745bce5a9e05cf4ced6609d831175247e0391cfc00ad1a

SHA512
d211c7857a651a3af112fb4f6bf9e8f48a779a874d7bdc449bd06958a6faea2847f071fa89bbd2a2f8ad26152986fbd0c90b02f378acd9682a538ec80f20f4f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002

Filesize
20KB

MD5
2a029687e73114ebcb4fad10c0114e8a

SHA1
f09cbbed46b9f8c731568bdcee13024e89bda397

SHA256
fe6e92a5b020858bbdd8089533c6f22703bc5927e22f689c384164096705b11b

SHA512
211dc45e2bb5739bcf863c44ca8132f92e895b3c95d074929aa4338698d53c6ccb3a8e2f23180260d9226073f4f5cd21a200010a7a224de7c8ac2e1cc853730d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000003

Filesize
20KB

MD5
ef9588ca82f853399e5968af99985e74

SHA1
80d9df4f75c3e789ddf10584d9ff9de2b6154cb0

SHA256
9d550015f47a4d5d502f8a2f5b33bd9cbd136f4fea7c64754c8cc5a9651f7fe5

SHA512
a77b6b0bcea459ab4fc1e5d0983e85b86a6b0835849345f6afbfb27a5e84d8d1a38ff16e21ecf862e95d0a74e3fe97fda28bea66752b8bd64fd44c8ba680a5c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000004

Filesize
17KB

MD5
c163efe909c3e529ef27177fd126f9d1

SHA1
248d4c24fb1fb7f8d6f37629cb04b8175ac2e8bc

SHA256
f816041d56546ab402df3210ba540f9c3e645a2ee7b4fd4608a6da48749b6489

SHA512
4613a2bfee55f12b8ef67a01a45f164ecd40ece1c3e41f419b490d8ab5e112a66257806585e1c024b421677e6453e07ebc6c68faba5ff7cd1efda99afc55a1c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dcabb9af21fdd8d6c17561618f08b8eb

SHA1
ac6adb49e0314c3516687f4a039d28b1140dada7

SHA256
5771b7746b39ea97a944a2e90182646352b217a027f7073770770d71b021e441

SHA512
197c42030706ee62b7d75e832b1369367ede0fdf5b864319442051d1f1307fc65c131106e2b92617fabaaec522569ccc7ae1e678bb0265c96a78e37649fc4614

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3445e0d983a9af619360ec297b6d9dba

SHA1
63520e22f78fad145f14f4786e565514f2a18cd0

SHA256
12cd29f88886339893afcb14a98a6356bded9179e8172ab5f312931b3c915813

SHA512
1aa8b0c97a18268a6c5ed8530a5d618875d11d52cce6454ec431c49c2917756c968cd60f83f88d76c3f6fa808eb14040df4ca9c86ec72ac9bcbde8e4ce1d39ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cee217df3f35ec2d2b725b3fe4da4f9a

SHA1
5626496b5f8bca01c13a8b42a7c3d8d16c0e6a1e

SHA256
801ad105b05637c676d369a770852eb4d7fc8d56613795962f6ffd1662cf859f

SHA512
79bbeb4b3f736e86baf89679bafe30bb6906e54f469959411474cfe7be7f94728061104ccbb9b4019d94ef0db91b04f2b68a6df617eaf0cc69bdd79e178a9857

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3de1e48fc3898fa127944a21a2546688

SHA1
a9cc2f4970d55534bfd051373f2c93757aa0bf19

SHA256
0063a66e602d50364b9b0264a5124673d781b428495383c3c6dd375bfae7b88e

SHA512
ef8a93e8a0ce74f8c03ca28e65c9b185d20ce2929f08e01578a50fcb11f93f578fa9805d936d9a1584aa9cdb138abed9726f378c6ee5d4c43f8622f7ef53f40d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
eaa5ddbc7dd76b6999c7ac3ed78b7e24

SHA1
3b00e9d517a0d14f4d54d6a99d7f01599c05d873

SHA256
a628a8ae16186f0999ab2a1d88b6b254eee58b4c26137170578a87cae1d1977f

SHA512
c98fe7a08ec2f7e4e2eb60ed5d489e69a389b1e2b4296fa08e4f1b6d0c82ffd32eaf450f963da5fc1f7e0d1045958d14512ec5224001eaba7fb292407601e18d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
38a3d7715e7293c23719f9702bca2321

SHA1
97e7a89bec0a3036b4c857bea495adc30daffa1e

SHA256
efc404e7d051348d642d81908dd7eb91a5ef5e85e3143473fb15880ac68795e0

SHA512
32376b7ef8a48c4455565adad640cd2f2132465908f1182ded2a54725a1f530464f17e6ef6dfe425f25e1cefe7c86cc752489594b4f8e62e65e626f771231839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bfd9b396b5943be018cbb8db48e8f9b7

SHA1
968fc3e32a16df8730e7964e785cb803cee8aef4

SHA256
101d9324d5e482cb1676dd285515c8f917660feb4b743c8fab52d73d6f900416

SHA512
ddbda68320cb0be96f2f86fdc33f6d85fd3d2279ccfc36c470b671ab97b6cf654a7d68312476a146c201b6f6cb45075fd23a3d930d236287de020fce8f69626d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f66424c322008a0bac66771fdb6499d0

SHA1
3b8a016357721a765af752c806f6db4ce32a4bf9

SHA256
68289391405e1987df2e8c89d02e0ce2ef616d09c9b69b27ad9eebc4a3a8469b

SHA512
7416584c2fc0f21ac9cab5c13f5440a16edf2ba87991229384aad9ab9bc9c1eb43bf98e26685ce2a803ffccd1006fa661050f94314dcaeb9941f2c2d6044a636

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat

Filesize
135B

MD5
90022f82afe48963cc42547209f18f96

SHA1
e60698c77e7df4cccc493f2cfa6d76f7553d71e2

SHA256
046509f2b672f0f5da1b5441649873c736d81853701b67094bb319b025afb2cc

SHA512
6743f17da515c61ba1ab3df53077929d6f480f84978bcf8ae61880015221f245fde6e3a2ffe3dc937f80b37e8774dcc61838ee4ed461658b3a44f02cc0469208

Download Submit
C:\Users\Admin\Downloads\000.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\NetWire.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 248690.crdownload

Filesize
6.7MB

MD5
f2b7074e1543720a9a98fda660e02688

SHA1
1029492c1a12789d8af78d54adcb921e24b9e5ca

SHA256
4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

SHA512
73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 261213.crdownload

Filesize
1.2MB

MD5
7621f79a7f66c25ad6c636d5248abeb9

SHA1
98304e41f82c3aee82213a286abdee9abf79bcce

SHA256
086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d

SHA512
59ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 332570.crdownload

Filesize
31KB

MD5
29a37b6532a7acefa7580b826f23f6dd

SHA1
a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f

SHA256
7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69

SHA512
a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 534158.crdownload

Filesize
92KB

MD5
fb598b93c04baafe98683dc210e779c9

SHA1
c7ccd43a721a508b807c9bf6d774344df58e752f

SHA256
c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4

SHA512
1185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 55077.crdownload

Filesize
22KB

MD5
31420227141ade98a5a5228bf8e6a97d

SHA1
19329845635ebbc5c4026e111650d3ef42ab05ac

SHA256
1edc8771e2a1a70023fc9ddeb5a6bc950380224b75e8306eb70da8eb80cb5b71

SHA512
cbb18a6667b377eb68395cfd8df52b7d93c4554c3b5ab32c70e73b86e3dedb7949122fe8eea9530cd53944b45a1b699380bf1e9e5254af04d8409c594a52c0e7

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 570508.crdownload

Filesize
300KB

MD5
f52fbb02ac0666cae74fc389b1844e98

SHA1
f7721d590770e2076e64f148a4ba1241404996b8

SHA256
a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683

SHA512
78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 624174.crdownload

Filesize
53KB

MD5
6536b10e5a713803d034c607d2de19e3

SHA1
a6000c05f565a36d2250bdab2ce78f505ca624b7

SHA256
775ba68597507cf3c24663f5016d257446abeb66627f20f8f832c0860cad84de

SHA512
61727cf0b150aad6965b4f118f33fd43600fb23dde5f0a3e780cc9998dfcc038b7542bfae9043ce28fb08d613c2a91ff9166f28a2a449d0e3253adc2cb110018

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 649078.crdownload

Filesize
373KB

MD5
30cdab5cf1d607ee7b34f44ab38e9190

SHA1
d4823f90d14eba0801653e8c970f47d54f655d36

SHA256
1517527c1d705a6ebc6ec9194aa95459e875ac3902a9f4aab3bf24b6a6f8407f

SHA512
b465f3b734beaea3951ff57759f13971649b549fafca71342b52d7e74949e152c0fbafe2df40354fc00b5dc8c767f3f5c6940e4ba308888e4395d8fd21e402b3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 876357.crdownload

Filesize
10.0MB

MD5
5df0cf8b8aa7e56884f71da3720fb2c6

SHA1
0610e911ade5d666a45b41f771903170af58a05a

SHA256
dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360

SHA512
724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a

Download Submit
C:\Windows\SysWOW64\Userdata\Userdata.exe:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
memory/4116-689-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download
memory/4648-691-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/4648-690-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download