badrabbit | hxxp://dq

Analysis

max time kernel
257s
max time network
267s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
30-01-2025 15:48

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://dq

Score

10^/10

badrabbit mimikatz defense_evasion discovery persistence ransomware upx

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000800000000ef6c-758.dat	mimikatz

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 10 IoCs

flow	pid	Process
81	852	msedge.exe
81	852	msedge.exe
81	852	msedge.exe
81	852	msedge.exe
81	852	msedge.exe
81	852	msedge.exe
81	852	msedge.exe
81	852	msedge.exe
81	852	msedge.exe
81	852	msedge.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\mistdrv.sys	MistInstaller.exe
File opened for modification	C:\Windows\SysWOW64\drivers\mistdrv.sys	MistInstaller.exe

Executes dropped EXE 12 IoCs

pid	Process
4060	Amus.exe
484	Duksten.exe
4616	Mari (2).exe
4156	Mari (2).exe
1508	BadRabbit.exe
4412	32BE.tmp
4392	Floxif.exe
464	WinNuke.98.exe
2076	MistInstaller.exe
4344	MistInstaller.exe
3412	000 (10).exe
3580	ArcticBomb.exe

Loads dropped DLL 2 IoCs

pid	Process
640	rundll32.exe
4392	Floxif.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XRF = "C:\\Windows\\system32\\PrTecTor.exe"	Duksten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microzoft_Ofiz = "C:\\Windows\\KdzEregli.exe"	Amus.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	000 (10).exe
File opened (read-only)	\??\V:	000 (10).exe
File opened (read-only)	\??\A:	000 (10).exe
File opened (read-only)	\??\E:	000 (10).exe
File opened (read-only)	\??\G:	000 (10).exe
File opened (read-only)	\??\H:	000 (10).exe
File opened (read-only)	\??\J:	000 (10).exe
File opened (read-only)	\??\L:	000 (10).exe
File opened (read-only)	\??\M:	000 (10).exe
File opened (read-only)	\??\N:	000 (10).exe
File opened (read-only)	\??\B:	000 (10).exe
File opened (read-only)	\??\S:	000 (10).exe
File opened (read-only)	\??\Y:	000 (10).exe
File opened (read-only)	\??\Z:	000 (10).exe
File opened (read-only)	\??\P:	000 (10).exe
File opened (read-only)	\??\O:	000 (10).exe
File opened (read-only)	\??\R:	000 (10).exe
File opened (read-only)	\??\U:	000 (10).exe
File opened (read-only)	\??\W:	000 (10).exe
File opened (read-only)	\??\I:	000 (10).exe
File opened (read-only)	\??\T:	000 (10).exe
File opened (read-only)	\??\X:	000 (10).exe
File opened (read-only)	\??\Q:	000 (10).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
81	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	000 (10).exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PrTecTor.exe	Duksten.exe
File opened for modification	C:\Windows\SysWOW64\PrTecTor.exe	Duksten.exe
File created	C:\Windows\SysWOW64\PrTecTor.exe:SmartScreen:$DATA	Duksten.exe
File created	C:\Windows\SysWOW64\PrTecTor.exe:Zone.Identifier:$DATA	Duksten.exe
File created	C:\Windows\SysWOW64\regedit.exe	Duksten.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	Duksten.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Control Panel\Desktop\Wallpaper	000 (10).exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4392-864-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/4392-868-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/files/0x0002000000025cdc-1401.dat	upx
behavioral1/memory/3580-2395-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/3580-2397-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	Floxif.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Windows\KdzEregli.exe	Amus.exe
File opened for modification	C:\Windows\Messenger.exe	Amus.exe
File opened for modification	C:\Windows\Meydanbasi.exe	Amus.exe
File created	C:\Windows\Pide.exe	Amus.exe
File opened for modification	C:\Windows\Cekirge.exe	Amus.exe
File created	C:\Windows\Ankara.exe	Amus.exe
File opened for modification	C:\Windows\Anti_Virus.exe	Amus.exe
File created	C:\Windows\m_regedit.exe	Duksten.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\Messenger.exe	Amus.exe
File created	C:\Windows\Pire.exe	Amus.exe
File created	C:\Windows\Cekirge.exe	Amus.exe
File created	C:\Windows\Anti_Virus.exe	Amus.exe
File opened for modification	C:\Windows\32BE.tmp	rundll32.exe
File opened for modification	C:\Windows\My_Pictures.exe	Amus.exe
File created	C:\Windows\Meydanbasi.exe	Amus.exe
File opened for modification	C:\Windows\Pire.exe	Amus.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\KdzEregli.exe	Amus.exe
File created	C:\Windows\My_Pictures.exe	Amus.exe
File opened for modification	C:\Windows\Pide.exe	Amus.exe
File opened for modification	C:\Windows\Ankara.exe	Amus.exe
File created	C:\Windows\Adapazari.exe	Amus.exe
File opened for modification	C:\Windows\Adapazari.exe	Amus.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\dispci.exe	rundll32.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 9 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Floxif.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MistInstaller.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\000 (10).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Amus.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Mari (2).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\BadRabbit.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ArcticBomb.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Duksten.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3960	484	WerFault.exe	113
4432	4392	WerFault.exe	151

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	000 (10).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArcticBomb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MistInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinNuke.98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Duksten.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mari (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mari (2).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
1600	taskkill.exe
5008	taskkill.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon	000 (10).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile	000 (10).exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000 (10).exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2253712635-4068079004-3870069674-1000\{52F4798C-5F91-41C7-8497-149EBDB47637}	000 (10).exe

NTFS ADS 32 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 825227.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Duksten.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 508921.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 84012.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 905361.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 772041.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 836725.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 682718.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 51399.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\BadRabbit.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 153917.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 288444.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Amus.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 838192.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 640483.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 952997.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 458932.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 763478.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 458031.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 408799.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 316818.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 55067.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 181492.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MistInstaller.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 72870.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 343571.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Mari (2).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Floxif.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 579817.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\000 (10).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ArcticBomb.exe:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4816	schtasks.exe
4992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
852	msedge.exe
852	msedge.exe
1240	msedge.exe
1240	msedge.exe
1380	identity_helper.exe
1380	identity_helper.exe
2148	msedge.exe
2148	msedge.exe
1624	msedge.exe
1624	msedge.exe
1972	msedge.exe
1972	msedge.exe
3048	msedge.exe
3048	msedge.exe
4104	msedge.exe
4104	msedge.exe
640	rundll32.exe
640	rundll32.exe
640	rundll32.exe
640	rundll32.exe
4412	32BE.tmp
4412	32BE.tmp
4412	32BE.tmp
4412	32BE.tmp
4412	32BE.tmp
4412	32BE.tmp
4412	32BE.tmp
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
2636	msedge.exe
2636	msedge.exe
1388	msedge.exe
1388	msedge.exe
3724	msedge.exe
3724	msedge.exe
800	msedge.exe
800	msedge.exe
4392	msedge.exe
4392	msedge.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 39 IoCs

pid	Process
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	3372	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3372	AUDIODG.EXE
Token: SeShutdownPrivilege	640	rundll32.exe
Token: SeDebugPrivilege	640	rundll32.exe
Token: SeTcbPrivilege	640	rundll32.exe
Token: SeDebugPrivilege	4412	32BE.tmp
Token: SeDebugPrivilege	4392	Floxif.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeShutdownPrivilege	3412	000 (10).exe
Token: SeCreatePagefilePrivilege	3412	000 (10).exe
Token: SeDebugPrivilege	5008	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1116	WMIC.exe
Token: SeSecurityPrivilege	1116	WMIC.exe
Token: SeTakeOwnershipPrivilege	1116	WMIC.exe
Token: SeLoadDriverPrivilege	1116	WMIC.exe
Token: SeSystemProfilePrivilege	1116	WMIC.exe
Token: SeSystemtimePrivilege	1116	WMIC.exe
Token: SeProfSingleProcessPrivilege	1116	WMIC.exe
Token: SeIncBasePriorityPrivilege	1116	WMIC.exe
Token: SeCreatePagefilePrivilege	1116	WMIC.exe
Token: SeBackupPrivilege	1116	WMIC.exe
Token: SeRestorePrivilege	1116	WMIC.exe
Token: SeShutdownPrivilege	1116	WMIC.exe
Token: SeDebugPrivilege	1116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1116	WMIC.exe
Token: SeRemoteShutdownPrivilege	1116	WMIC.exe
Token: SeUndockPrivilege	1116	WMIC.exe
Token: SeManageVolumePrivilege	1116	WMIC.exe
Token: 33	1116	WMIC.exe
Token: 34	1116	WMIC.exe
Token: 35	1116	WMIC.exe
Token: 36	1116	WMIC.exe
Token: SeShutdownPrivilege	3412	000 (10).exe
Token: SeCreatePagefilePrivilege	3412	000 (10).exe
Token: SeIncreaseQuotaPrivilege	1116	WMIC.exe
Token: SeSecurityPrivilege	1116	WMIC.exe
Token: SeTakeOwnershipPrivilege	1116	WMIC.exe
Token: SeLoadDriverPrivilege	1116	WMIC.exe
Token: SeSystemProfilePrivilege	1116	WMIC.exe
Token: SeSystemtimePrivilege	1116	WMIC.exe
Token: SeProfSingleProcessPrivilege	1116	WMIC.exe
Token: SeIncBasePriorityPrivilege	1116	WMIC.exe
Token: SeCreatePagefilePrivilege	1116	WMIC.exe
Token: SeBackupPrivilege	1116	WMIC.exe
Token: SeRestorePrivilege	1116	WMIC.exe
Token: SeShutdownPrivilege	1116	WMIC.exe
Token: SeDebugPrivilege	1116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1116	WMIC.exe
Token: SeRemoteShutdownPrivilege	1116	WMIC.exe
Token: SeUndockPrivilege	1116	WMIC.exe
Token: SeManageVolumePrivilege	1116	WMIC.exe
Token: 33	1116	WMIC.exe
Token: 34	1116	WMIC.exe
Token: 35	1116	WMIC.exe
Token: 36	1116	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5076	WMIC.exe
Token: SeSecurityPrivilege	5076	WMIC.exe
Token: SeTakeOwnershipPrivilege	5076	WMIC.exe
Token: SeLoadDriverPrivilege	5076	WMIC.exe
Token: SeSystemProfilePrivilege	5076	WMIC.exe
Token: SeSystemtimePrivilege	5076	WMIC.exe
Token: SeProfSingleProcessPrivilege	5076	WMIC.exe
Token: SeIncBasePriorityPrivilege	5076	WMIC.exe
Token: SeCreatePagefilePrivilege	5076	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4060	Amus.exe
4616	Mari (2).exe
4156	Mari (2).exe
3412	000 (10).exe
3412	000 (10).exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 1676	1240	msedge.exe	77
PID 1240 wrote to memory of 1676	1240	msedge.exe	77
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 1884	1240	msedge.exe	78
PID 1240 wrote to memory of 852	1240	msedge.exe	79
PID 1240 wrote to memory of 852	1240	msedge.exe	79
PID 1240 wrote to memory of 1828	1240	msedge.exe	80
PID 1240 wrote to memory of 1828	1240	msedge.exe	80
PID 1240 wrote to memory of 1828	1240	msedge.exe	80
PID 1240 wrote to memory of 1828	1240	msedge.exe	80
PID 1240 wrote to memory of 1828	1240	msedge.exe	80
PID 1240 wrote to memory of 1828	1240	msedge.exe	80
PID 1240 wrote to memory of 1828	1240	msedge.exe	80
PID 1240 wrote to memory of 1828	1240	msedge.exe	80
PID 1240 wrote to memory of 1828	1240	msedge.exe	80
PID 1240 wrote to memory of 1828	1240	msedge.exe	80
PID 1240 wrote to memory of 1828	1240	msedge.exe	80
PID 1240 wrote to memory of 1828	1240	msedge.exe	80
PID 1240 wrote to memory of 1828	1240	msedge.exe	80
PID 1240 wrote to memory of 1828	1240	msedge.exe	80
PID 1240 wrote to memory of 1828	1240	msedge.exe	80
PID 1240 wrote to memory of 1828	1240	msedge.exe	80
PID 1240 wrote to memory of 1828	1240	msedge.exe	80
PID 1240 wrote to memory of 1828	1240	msedge.exe	80
PID 1240 wrote to memory of 1828	1240	msedge.exe	80
PID 1240 wrote to memory of 1828	1240	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://dq
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe9a0d3cb8,0x7ffe9a0d3cc8,0x7ffe9a0d3cd8
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1816 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
  2⤵
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6276 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1624
- C:\Users\Admin\Downloads\Amus.exe
  "C:\Users\Admin\Downloads\Amus.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6528 /prefetch:8
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6696 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1972
- C:\Users\Admin\Downloads\Duksten.exe
  "C:\Users\Admin\Downloads\Duksten.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 612
    3⤵
    - Program crash
    PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6084 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6936 /prefetch:1
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3768 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3048
- C:\Users\Admin\Downloads\Mari (2).exe
  "C:\Users\Admin\Downloads\Mari (2).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1860 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7124 /prefetch:8
  2⤵
  PID:1196
- C:\Users\Admin\Downloads\Mari (2).exe
  "C:\Users\Admin\Downloads\Mari (2).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7224 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4104
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1508
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:640
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:3068
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2334042887 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3100
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2334042887 && exit"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4816
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 16:08:00
      4⤵
      System Location Discovery: System Language Discovery
      PID:3416
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 16:08:00
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4992
  - - C:\Windows\32BE.tmp
      "C:\Windows\32BE.tmp" \\.\pipe\{CB8CAD08-E78C-4E91-9FEC-87754EC1706B}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4412
  - - C:\Windows\SysWOW64\cmd.exe
      /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
      4⤵
      PID:4944
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN drogon
      4⤵
      PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6824 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7296 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6964 /prefetch:8
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6320 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2636
- C:\Users\Admin\Downloads\Floxif.exe
  "C:\Users\Admin\Downloads\Floxif.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 456
    3⤵
    - Program crash
    PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6988 /prefetch:8
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1388
- C:\Users\Admin\Downloads\WinNuke.98.exe
  "C:\Users\Admin\Downloads\WinNuke.98.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7180 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2484 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4012 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3724
- C:\Users\Admin\Downloads\MistInstaller.exe
  "C:\Users\Admin\Downloads\MistInstaller.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:3988
- C:\Users\Admin\Downloads\MistInstaller.exe
  "C:\Users\Admin\Downloads\MistInstaller.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6936 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6188 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6084 /prefetch:8
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6384 /prefetch:8
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7596 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7592 /prefetch:8
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8216 /prefetch:8
  2⤵
  PID:988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8440 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7548 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7540 /prefetch:8
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8784 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4024 /prefetch:8
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8812 /prefetch:8
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8916 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8232 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7792 /prefetch:1
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:800
- C:\Users\Admin\Downloads\000 (10).exe
  "C:\Users\Admin\Downloads\000 (10).exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies WinLogon
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:956
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1600
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5008
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' set FullName='UR NEXT'
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1116
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' rename 'UR NEXT'
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5076
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /f /r /t 0
      4⤵
      PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7468 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4392
- C:\Users\Admin\Downloads\ArcticBomb.exe
  "C:\Users\Admin\Downloads\ArcticBomb.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,17466443069072416314,6571191988940858650,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:3616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1008

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 484 -ip 484
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4392 -ip 4392
1⤵
PID:4236

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39cf855 /state1:0x41c64e6d
1⤵
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1401C7EC8E96BC79CBFD92F9DF762D_5398732881722BDE3E78D6CA6BB2B78B

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
48KB

MD5
df1d27ed34798e62c1b48fb4d5aa4904

SHA1
2e1052b9d649a404cbf8152c47b85c6bc5edc0c9

SHA256
c344508bd16c376f827cf568ef936ad2517174d72bf7154f8b781a621250cc86

SHA512
411311be9bfdf7a890adc15fe89e6f363bc083a186bb9bcb02be13afb60df7ebb545d484c597b5eecdbfb2f86cd246c21678209aa61be3631f983c60e5d5ca94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
44KB

MD5
6513e97cffb6656fd7b5a29859fe47d3

SHA1
9ea95b90f501fa4b1fd4798622e7d736413d56f5

SHA256
efb67be90882ded2d3e53e463ae175a4b4b5229ca6929b835fa7dd4687801144

SHA512
87b34e2f980f446b0372815ee54942d42439c6b063f934f78b8ac1f8f04c9a8a48a2674621e83f62d0d2eae59f134a9eb6e033c698da56ddb8b3919d1f4e59ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c6ebdf683698b7e2b3be8f03f62ee859

SHA1
4c417252d7821db56724d6dbdfe00f572c39b58f

SHA256
2bc2b7fdab5b507e70de0b67edbe86086307ec65d7dc953dbb2ec7e336ae324d

SHA512
0cd5958a30a12b29c69dc03987036fc6addb93ee4a3f4ae98792bc23037c4e6057115e6489dffbf75b81304096cb5317a3f3633936596816a0081f8e88a43987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
2841a6920b4a64ecba786d02f5189b90

SHA1
3ae259a4204b31619d99383bf6675182b62eaa3e

SHA256
e3e97d245a1434737bfb4a724523464bc2862628368f7a4cb636a2db27698f94

SHA512
bfbe9ccc9bce86cc9d96a2abeb743186adf699ffd2e4cff5daaecf7673aff2d3a4207fa3f31a20aa221c581ac4ff42f7a72749325ea6527722e576b577be9aa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d1d72c69133fa484dc3d672857496314

SHA1
839de395fc10a9ba0244ca6de5c970cecd3c70ec

SHA256
f32be6179b6fc7b6e9faa11a0d23bbc7294c364a08bb1da81fee53a36222ed16

SHA512
d0d4de28ac94814f4ccebc914178fbe8e7851181a07ca549402de331b0b4506309e8d00ad10a2397b4258997321f0a8e43f506212aaeb2025ca8b74c932b2392

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b3f027d1381ac8d1a4b0cb6293ff71df

SHA1
f2174963aa44f00ab6c7da945e58d82f464c7e53

SHA256
c43b6f54e5ba5f3af6f8e40e0c577dbbad40788874f8c2b2e8aa94f2a526e5ba

SHA512
9af8b4bb579d68200f25f867ab9f556f7c04998838f67f55beaa85eb04c87b46db0282586ed1ac7be0ba2102260ac35ed8dab3637c58cf8acc12605827a3bf99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
60481f754113f1363fa19d49bc45d9a8

SHA1
e7cf24a509a3e21fa207665cb322959b601ee93c

SHA256
31fb7dcee5a282ab7c3ad1100e472b26adec800c4b4a1be36ed290484556d526

SHA512
63e8b1157c2d08e8617f39bd0b9eddac2e47dbbd586180e8ec121c57ce79bd90c7499a48117d3ae7e937cc2f94acea1707a4bd9356be4d8a40e0c3185ab7a06b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7afa078f69d4a8e81e107dcd570c9b76

SHA1
6bbb6a816188e0208dfb04175f4309624d1d105f

SHA256
9797726eea6a33daa8c6830cd93cb73dd6d029b152072332d83b70b87da2c03a

SHA512
06927560a5dc0a78d47ef13dff2f6930e5661aac0fcfcf7af7905f78e1262e22cda9750dbccfbab20b890dd1a9748d3f0211cde5e9b5e0e769cd49eca8317cd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ab5be1e0ecaee7535813e27041f7f85e

SHA1
e8b70673fffcde9e2793dbaefdfcefad0e35a260

SHA256
08a97480e8b5a8ab954844d2862c82999bea70235986cc48502d8aaf4236df2b

SHA512
2b89e8e441d6a1dde9e358d1cc85b6c5ea69df328050d9d331600bf5bfc1918f68c73e479ce2c346eac5a8e11e4507440c0e41be4d922a8994e8e5a379451d4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bdd0e4312f447353315dbaaa997adf46

SHA1
1ee15dab66f001d53229de2af7b0e4e1b7b2052c

SHA256
be7144a8a88b268d6571ccabc2fd34f9d8d48ad0f4a8ecfa94b279f707f279d3

SHA512
2807793b0a8f84d72d681516d5f0b42ad38c284ed918038fe954266e8d3d24bd52e1031c90f589d0618a09de72eecaee6a8ae0cbf11c28b470a29e6ce9b38d4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
938f5af5d931189aa48cfd624d603aad

SHA1
f345289531be61f97c1f915b1d3a876bcf827fbe

SHA256
65a0cc566b14e13957db122965b35f4ddac98c0e916c4d6375983880ee535c5b

SHA512
627e501cc9072a7a3aad229fff40ff01af38322b988e20cea1939f8aecda7411c8ac62c3d101ba9c67b9887a3d1fa09f5302a662e94314a4ea0a77195c4ff302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
9c3e46d85796f769d2aaa65878ee6300

SHA1
b99905d62a170a363a42143c497e87770369d592

SHA256
b4842bd151c9bb17c86ba956ffd31deb033736e3a66da96aaaa57a4a59dce236

SHA512
8bb01d6dca6bc8dd63b286c7b66ef1424996b097cd56321866c89483f4bab6193eb2c81a4b27dcc1a71b0c3800f19970730678898a2a64a3afd698ea866bc9f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5b5ca4b990333bc7c84f444583cbdd16

SHA1
340d71b4847d6b62a587e267b0f470aabce5efdc

SHA256
26c5d689e1a942feae8f5dd3d99436f62ecfb48ca2ed2a06c85577c647c589b4

SHA512
da18efe114ecfc1e88bf6ab2ef7f324e49b724d92d82d362794402a22fe9f0cd09bd8b7271890d73289b18a7fe123803a5456c35ab696161648ade6ea74fbab1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0292d08283b8ca40fd10fe60c586a0c4

SHA1
38bb97aff95d60df0caa8e36413b328f31817114

SHA256
57d4c3f708c6b3849a38a366a6f8ca9f84e908272a2792e1b160138ffa3295f9

SHA512
43ef6b3600534ac8b9c81b6de89711406e13fd20dda6ae35d4b030d1f5f1abe94aa0f3063f83f985a31534ffc129f4537bbdeedc1adff65ce1d7501277ba7306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
857f42406659d4eb0723ac9a2864f786

SHA1
b07cb0927f24fab61338ae786b3095399001c719

SHA256
638b30d5c62066eae5b757df3d7f41c0c115ab93d4ab458ff7d30afa830b0584

SHA512
b35011623d3787752dd61ab3557fde14b778815cc7d6219e44a8465d15c9f40098c05088a8ff2f90c17e8652ff03ef798496ec75d3ce6db6b6a6b23d9753889b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4030f1a2e920cd86e552f60a85dc0cf2

SHA1
ddcb4de8c5fcd5ae898bd48043bfb4f38f7bcb0e

SHA256
ef0c9bbfca6cfb39a15280b99da78f850dc1daca0cbed7fd1e6c823773a7109c

SHA512
6f5b7948ea2411e85a3d34184f132e7f5400cb02fbe5e5429b55c09bfa5a68e6896382b081212a8b0ce31660ac175ec40b286469d46c24a78d8e292cbbcd06da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9f4d1c1a803b8c1b86d5956a3ecd8aa5

SHA1
86f5caede2786600cf21b8cc00bb275f5040e0e4

SHA256
39381511c1beaf138b4da143e7ec8b36516058738c7cd613158ef74966efd866

SHA512
e695d92436966a8b3f5e1b3a3cb5010744680e3dce95edcc050aad453c52e3a421931f39aebd3df7145990dfac43f289ac9c8b22335ec47d5ff08e5cf9b534d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4362baa55756e937da95ce141b8c755b

SHA1
436db61dae84dc60d4965c034599e661c7cd45eb

SHA256
2bec3f85905e4864e11060dd84f27db8f20792463c1c9a38fe15c55eede218e4

SHA512
4b701568a4c7155f83c050e9d3da7498a246b209bd6884bbaa67f9e7ed2964e2fdf76e7777869ea4476cb54daa675f9fb16571dd38fd8de45d8c6823b4659d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0c34436d536e74ba7777339a2b585489

SHA1
24fa5744fc4667d0aaaf0fe8c6226199a1cedcfc

SHA256
ed8a7a4bc62279e50369d83e5deb1a9880288074f2130bf9e9b85258e5860af0

SHA512
a06d884bf5c047a54e0f2cbcffaa9a9a70f058755c03b27a0d82ffb59f996e165ac4bdfb9034a552fe4ce7dfdd0b27bcd06517186700b672f9706963c4453a92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f259335ce9b832bff6c987e88255399c

SHA1
ec10667d7a1e616e0e3b44a13246cf46bd38cf2b

SHA256
ff0c051ad670f32a664a7999509cdc27ca5ae78f9b8dfdfeb6f527d27c4b5ec0

SHA512
ae0db605c716b7a21d3ce90a60d0f53f7c21e616418cd4145ec311eba00a9b848b214fd8ab7f940c1853b862bd6dfae57568184d8461ffabcd363df2ff625ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
adf6a966a9af9a887638949d099da763

SHA1
530598192536002d6922bd3990a1d6ce33120909

SHA256
a5094ef2ac62bd5a0e5e29d7702a09f3563fa0d55ebf7f83d08727e39d298ae3

SHA512
4fbdd39a165552b72ab35d0ef2d19d5e046aacfccf152b279f9d7fcc1a70bf33e0eab10f5d2f5de56148135afaed9b64290daf577a739b8d2c799d067d858ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fde5b21431249be3ea7b034c66f74e4b

SHA1
736b4ff6e619addbf7bfa0a144385dad5dd8720b

SHA256
0f91e8900e57e6b75e076d48494f6de1c8e85be54baca70de1eef203b9b8ed6f

SHA512
eaad5e648c859f6a042f6b3680a00d57e68b41c74daad32e7ca79180d2f7e42d0fe1192b11f49f16adca7750b88521da6ac537686e8df64011a23630bf2a66f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6848b8ec943fc402b41a569782eac1d6

SHA1
bc4cedd7063455c5edf415fcef0acd0fd1700258

SHA256
9ee7fa3e17368387cf146f2052bee74faef0ccf510ca3f5c25704e54b5dc1a6c

SHA512
4013196268ef2c7e7180d0b05fad887e2bd3284bd6dc4040ed1b73790185d8a3c3e51f11ba7c8866a8871e6ddbe4de1705cd52fe71b68216c8242fd37f6d2afb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e1c4a0f88e851754f140f1d8044b1099

SHA1
9b6148bffbf1a73177e568c215f6bf4a33666945

SHA256
39bed1857423d6f44838bd99beb7993d066ce0389ff7c72e680f60afa1a8afd7

SHA512
1a2aa7208074476c09b8d6b838a105b0cf0bf7fe13c7f9d89ea5a6a26fea67832d7ed81b8e2252e7dacd488601c4bc28bea5adbc28644e34b23e3679f18b898d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
dcd4f78b1bf2212b60d2479deb985cec

SHA1
86776f94b68d3e12597b0efbbedded5a785a03f3

SHA256
902f179e900151dc8c046098d83783afd4c427f472c53d98ad9134310a3885ec

SHA512
cfa7796a634af2b3f575fb11198b10360630235dc6d09ec2a9a2e7d6b62d0843cb1b3c06e0b070d5b247011bfaf7194d461b1329131f406767003465639a2970

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5ce12269a8d1197d095e6009a2515a9c

SHA1
2d96285dcd889513ecbbcb4f290e7928fe8d643d

SHA256
f3782e918595bcd0d54574822c7524a9c1e9cd09a1506c55aba8dbbf1a45d695

SHA512
745d2ede74aa064c4e0d94a29bb803c2dab2efa32a5bfc4fff142125ada5241442ee499c632817614ff2979c7a295b0c80ad134efdee973c23469677d059792e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ed633bf211db2f21c509f82b47532369

SHA1
ae87f7fbd3ae8b0d3586b821cfa1db5204c73c8c

SHA256
29670ae23926494c4563e9f7e3b1eaa4d1c5d83edf651c05043856e8a3105f7a

SHA512
2877e85fa0958f6b48653546cdb7c2cb7025d0933e90bb1ec2b8e1d57aa346649a7758d5099c189b89660b68328b0ae8c86277c899e6f8fb40716f85cc98cdef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
51ca4e77547eab95b4c59447da3b308b

SHA1
54fc00a5acd4fbf62853530fe9f38c305f2e431e

SHA256
5329d2079353a4ed09ef0148f719fa3de2db8b4b7f11b60f722c8428866c1169

SHA512
dd217d9ba29413596a97e05899b38ad7e21e2246021bf6364228946671ec17952c095daa5a087232d314a9900814ff2088cf768c77544f96b440a1b14ae30995

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b3439caf424e03e4d2e592174ea12c7a

SHA1
a6e0b253984ee9db78eae3e46eedf78f734f999f

SHA256
621b2f5e82f540a0ba95141d5ba41a3afeb66c0f9415aefe0d2bc97bddbcc571

SHA512
1d2061c18a4b03496d54628195301a3c0f91982c96480257f1d1dd298613dc27b2250b6870f646c2f1537e52bde7818133c607f9b5680a87f117eb3e03b470f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f51e.TMP

Filesize
203B

MD5
c69c6bc692a6670bf95ecfbf4806fdea

SHA1
c360d64c80164f05bb4213a2c4bf62e430f5b690

SHA256
d4de35f02c67a7157075e97ff73a1ba9e4a136335d83c791450568021d8882cb

SHA512
f81c6dd4e19b6b920abf757276076b6ef5c7c59fdc11bf20e3b4975ba186f956b7fc1fea11c562ddf384eaf5d4ebb7164d73ec3a151034891f58cb5875a965b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\919187ae-8cb9-49bb-b83b-608deac387f4\5

Filesize
1.7MB

MD5
f7afb25d27a61917a2f26df8df3a1c1e

SHA1
bbfc1acb17d86f6a9562e1bd0f0f740413be2e78

SHA256
82df41538e6d381bc55ff884d5eadbc2dbbfeff57f50782e24842c4341829554

SHA512
ae7cb5d064728256959351d10f8f9f05482b2b796dcb08a378548656a91c1df3754c9225ac69e9462908ae332713202699767033e53aa1c74e0f542fb21b654b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f7bdbd79-87f0-498e-9ad8-e4bacd0c4458.tmp

Filesize
1KB

MD5
1d318fa1c406772901607464555c8e2f

SHA1
c4470ab79628832447ec49cdfb643a553675f44c

SHA256
1a16caf6ef7526eb46722715ee711696499ffade5131c74eb7f5c01b53827325

SHA512
cf60e37bb76d932f43698f0bcfd864148648c5de765ab52e8a13a14ae7e6d104b35c747730850f851e118a2433c7045c81379c23074b75b823d3edab0842ef81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8ffe15238982ec20028a626f068c11a7

SHA1
168ce98864269d7a023bbc5ff17d73a7d0c7a32d

SHA256
b5c868adc08474493d179ddda9474a5efadc6c19e2394d8c32c1c8b28a99ee46

SHA512
18f64738e4273d460d3e2d1f114bd231b1737e1af69e3c16b3120bd81301532f9d4ac82812531a4ccf58f8aa473cddf062eac1763d52ad9823bec7031a8fa355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0e09c7a1f7400c24df92264626cc0cb7

SHA1
5bf761a63748d7daff34b657e8cf75af8d4c80e9

SHA256
61a91ea1f90a0681b0e59bed24ed8ee9b881b41e66c94d4169d13e5a31a25739

SHA512
467ff3fc05d7fb2f0ad1e42ef68ba8a47eb015f4cb44a2c76c9f4f21b8723b4c098ea668d13e030fb41b347fd5167cb0d1a9ecc29e849f48c47f36fa3219e287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9987b396b799fcfbebdd4fdf73b886bd

SHA1
44c66cb6f787f0fecea6ee25d92dac10994f19b4

SHA256
e8f6adb86ab31c67c5a1d59b3afcd30b13354f63e1ca3a0b737a12ea1c305beb

SHA512
440ba476189917530de707d92eaf4576fe79d94af746bb97a4ca9b8bf2a9630da40a777913a176651ff5b4f6ab968a6a1db30a4ff543f21fc43cbc64af7634bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
70f68938942a6e829d13dc5500d65c7a

SHA1
37c498a950fd63cf158b85c619063211f726b89b

SHA256
e7e01b6af844fb01cf654e7a19cfb7d83cd5ffb69ad940978765771d48663039

SHA512
64020e7ac6126399fc1aa84fc248b1325395c226cf323ee4da316b759735d082dbce8ef282b78336b3a1e8723737a7436e5611ced44d340253fe2a6988a69280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3d811da1a86db3d80813f7ac35a2a779

SHA1
b361f4bc62e413747e5f403db0100c65bf279ea5

SHA256
5bdfb8412db0aa632950a25ac78baf7a49d10faae761f904bf0752c6698f8ce4

SHA512
299748e6903a5823f990d251cb312db4c41e06a5bb717423e6a45db23b5aa4b0b8adde05d82b0c8e4f3be8e22f7a9953018e46a3f0bfb15e53c76ca22634d841

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
88d30449c07ad8a6e7b114af72ca9df2

SHA1
5950be786561513b7379f94c872e17c2f38f9e6d

SHA256
1177f5751079ca0e1e74d6969a2c99192920cbb6309ffa78789b493ba1661ccb

SHA512
f31e1a6fbd50c11687086cd7e3b2a3c609a3ffce405d2aeea4096fe9dc64a3e758dd9e605ec6f49e29a454aabe408b5fcdcd8c565198476e06d412f4c887082b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
14a169b587f170cc1f4c10f3c27ad359

SHA1
31091c91b8a8179d8ffd4db2b7770822a47f9bc3

SHA256
95924a3a3ca0d51f33c42a051cd6b497c37d5aad459e8119eb026fca1e971fe8

SHA512
5c61983c86c8dd3b441e596129cdd4e1174bd399abad420dbf370b2b300afd167bf3f60950843e428431ecd5cfa04e9fec29d566e64f90e4a89779ee259ec7eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
95218a17448ace07d3d198dced3da6cd

SHA1
7befb67a27bc43b80c254dd8c2278b76d2081456

SHA256
f2e288a89d64e4dfded49a389e8306ebc092536af78cb9aa028e3602eaa613fa

SHA512
771ab879dd27953ce1cd9d98bf93093b7c22d757126e3111d7af0bb2a815b674e7d56f2fc5acfc465cd3fa4a49e7add3c433ccdb116c5557fe514148c0bcd8b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
571b29c0223823aed17b5dcfb6a4216e

SHA1
1d59646f587f816fdd55a54c5fca1f84277cfe8d

SHA256
94422e809c8a3a9e445bb1192dd536d08396c153ba3c022ad8eaa1c723365dd5

SHA512
3328ec5e8bde7536ed564cbcad4d566038e574d2ddd194c830926cfd34c1cd77b65661534bf990734ef5660f4513d355a809527a167afb83d8f2cd347d5dd990

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\Downloads\82b81b04-6d52-4635-80eb-74d0c9b8a72c.tmp

Filesize
6.7MB

MD5
f2b7074e1543720a9a98fda660e02688

SHA1
1029492c1a12789d8af78d54adcb921e24b9e5ca

SHA256
4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

SHA512
73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

Download Submit
C:\Users\Admin\Downloads\Amus.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\BadRabbit.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 153917.crdownload

Filesize
32KB

MD5
eb9324121994e5e41f1738b5af8944b1

SHA1
aa63c521b64602fa9c3a73dadd412fdaf181b690

SHA256
2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a

SHA512
7f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 181492.crdownload

Filesize
532KB

MD5
00add4a97311b2b8b6264674335caab6

SHA1
3688de985909cc9f9fa6e0a4f2e43d986fe6d0ec

SHA256
812af0ec9e1dfd8f48b47fd148bafe6eecb42d0a304bc0e4539750dd23820a7f

SHA512
aaf5dae929e6b5809b77b6a79ab833e548b66fb628afeb20b554d678947494a6804cb3d59bf6bbcb2b14cede1a0609aa41f8e7fe8a7999d578e8b7af7144cb70

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 316818.crdownload

Filesize
125KB

MD5
ea534626d73f9eb0e134de9885054892

SHA1
ab03e674b407aecf29c907b39717dec004843b13

SHA256
322eb96fc33119d8ed21b45f1cd57670f74fb42fd8888275ca4879dce1c1511c

SHA512
c8cda90323fd94387a566641ec48cb086540a400726032f3261151afe8a981730688a4dcd0983d9585355e22833a035ef627dbd1f643c4399f9ddce118a3a851

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 508921.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 51399.crdownload

Filesize
107KB

MD5
9890349fe3c68f5923b29347bba021a4

SHA1
fa080a50486b205b75833a6b5c9505abb1e3b4df

SHA256
068f2ee28af7645dbf2a1684f0a5fc5ccb6aa1027f71da4468e0cba56c65e058

SHA512
aedd86837987cbe8c0b1cf3b4ca0c3a875e4cc9bcc8097c160d0d6070427ad9e1d871d5339ea95cc03499c39a6536b5a6b6d43372a49eeaf2e87bf755a3d3367

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 55067.crdownload

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 825227.crdownload

Filesize
50KB

MD5
47abd68080eee0ea1b95ae31968a3069

SHA1
ffbdf4b2224b92bd78779a7c5ac366ccb007c14d

SHA256
b5fc4fd50e4ba69f0c8c8e5c402813c107c605cab659960ac31b3c8356c4e0ec

SHA512
c9dfabffe582b29e810db8866f8997af1bd3339fa30e79575377bde970fcad3e3b6e9036b3a88d0c5f4fa3545eea8904d9faabf00142d5775ea5508adcd4dc0a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 838192.crdownload

Filesize
9KB

MD5
900ebff3e658825f828ab95b30fad2e7

SHA1
7451f9aee3c4abc6ea6710dc83c3239a7c07173b

SHA256
caec6e664b3cff5717dd2efea8dcd8715abdcfe7f611456be7009771f22a8f50

SHA512
e325f3511722eee0658cfcf4ce30806279de322a22a89129a8883a630388ab326955923fa6228946440894bd2ef56d3e6dfda3973ea16cc6e463d058dd6e25ce

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 84012.crdownload

Filesize
83KB

MD5
8813125a606768fdf8df506029daa16f

SHA1
48e825f14522bd4d149ef8b426af81eec0287947

SHA256
323060680fed9a3205e3e36d2b62b7b5b6c6e6245e4555dcc733cf6ef390f41c

SHA512
9486a027029a27cbf0424760625c08d73aa62e28e45081751c5bada7c07ca05b4e44239da7774cf4f76298fb6b71769ae62595ae439b470c8308d39e1b2289d8

Download Submit
C:\Windows\32BE.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/484-526-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/484-507-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/640-740-0x0000000002EB0000-0x0000000002F18000-memory.dmp

Filesize
416KB

Download
memory/640-747-0x0000000002EB0000-0x0000000002F18000-memory.dmp

Filesize
416KB

Download
memory/640-752-0x0000000002EB0000-0x0000000002F18000-memory.dmp

Filesize
416KB

Download
memory/3412-1565-0x0000000009040000-0x0000000009050000-memory.dmp

Filesize
64KB

Download
memory/3412-1560-0x0000000008FB0000-0x0000000008FBE000-memory.dmp

Filesize
56KB

Download
memory/3412-1559-0x0000000008FF0000-0x0000000009028000-memory.dmp

Filesize
224KB

Download
memory/3412-1564-0x0000000009040000-0x0000000009050000-memory.dmp

Filesize
64KB

Download
memory/3412-1563-0x0000000009040000-0x0000000009050000-memory.dmp

Filesize
64KB

Download
memory/3412-1566-0x0000000009040000-0x0000000009050000-memory.dmp

Filesize
64KB

Download
memory/3412-1524-0x0000000005B50000-0x00000000060F6000-memory.dmp

Filesize
5.6MB

Download
memory/3412-1523-0x00000000003B0000-0x0000000000A5E000-memory.dmp

Filesize
6.7MB

Download
memory/3580-2397-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3580-2395-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4060-421-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4060-806-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4392-868-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4392-864-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4392-866-0x0000000000370000-0x00000000003E5000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads