danabot | 558204c7ec59cd2ede9e9e7f6fede6c69aa14acb292d467c68fce1f4e77bb437

Analysis

max time kernel
482s
max time network
626s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2025, 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kami Export - Marcus Plummer - Economics Scavenger Hunt - Google Docs.pdf
Size

337KB
MD5

bdc07cb358d5c010b2013c0cf849644b
SHA1

7aa9dcc5ef159cc5b26a2108c5738bf30b1947da
SHA256

558204c7ec59cd2ede9e9e7f6fede6c69aa14acb292d467c68fce1f4e77bb437
SHA512

fd85b8afb5d4748c7b51665f7cf1ea4787ec230473a6f203231eba76748205f79057fe419859cf33061c38ae0144740e6f2765d03b0a465d3d66167ce6d634a5
SSDEEP

6144:dwWA6rXulXa0S44x4LRivZ6iORrkCDm0yXXdbpsMa/0:dY6rXu5lS44QiB6iO9kCDTkvsMv

Score

10^/10

danabot mydoom banker botnet discovery persistence trojan upx worm

Malware Config

Extracted

Family

danabot

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Danabot family
danabot

Danabot x86 payload 1 IoCs

Detection of Danabot x86 payload, mapped in memory during the execution of its loader.

botnet

resource	yara_rule
behavioral2/files/0x00080000000253b5-9958.dat	family_danabot

Detects MyDoom family 1 IoCs

resource	yara_rule
behavioral2/memory/6596-5824-0x00000000004A0000-0x00000000004AD000-memory.dmp	family_mydoom

MyDoom
MyDoom is a Worm that is written in C++.
worm mydoom
Mydoom family
mydoom

Blocklisted process makes network request 1 IoCs

flow	pid	Process
363	4896	rundll32.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/memory/6596-5825-0x000000007E1A0000-0x000000007E1A7000-memory.dmp	acprotect
behavioral2/files/0x0007000000024c46-5691.dat	acprotect

Drops startup file 10 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Configuration Utility.exe	Lacon.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Configuration Utility.exe	Lacon.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.a.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Axam.exe	Axam.exe

Executes dropped EXE 9 IoCs

pid	Process
4376	Winkxr.exe
6400	Rundll32.exe
528	Rundll32.exe
1240	Rundll32.exe
7340	Axam.exe
4304	KdzEregli.exe
7728	Axam.exe
2388	Axam.exe
9372	Axam.exe

Loads dropped DLL 6 IoCs

pid	Process
3532	msedge.exe
6596	MyDoom.A.exe
3732	regsvr32.exe
3732	regsvr32.exe
4896	rundll32.exe
4896	rundll32.exe

Modifies system executable filetype association 2 TTPs 7 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Kiray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "c:\\windows\\temp\\Kiray.exe"	Kiray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XRF = "C:\\Windows\\system32\\PrTecTor.exe"	Duksten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnceEX\DevicePath = "C:\\Rundll32.exe"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Q4 = "c:\\eiram\\quake4demo.exe"	Quamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\quake = "c:\\eiram\\quake4demo.exe"	Quamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\quake = "f:\\quake4demo.exe"	Quamo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Q4 = "f:\\quake4demo.exe"	Quamo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bndt32 = "C:\\Windows\\System32\\Bndt32.exe"	Lacon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MediaPath = "C:\\Rundll32.exe"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Rundll32 = "C:\\Rundll32.exe"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microzoft_Ofiz = "C:\\Windows\\KdzEregli.exe"	Amus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sysaxam32 = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe"	Axam.a.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bndt32.exe	Lacon.exe
File opened for modification	C:\Windows\SysWOW64\Winkxr.exe	Winkxr.exe
File created	C:\Windows\SysWOW64\No Call List.exe	Lacon.exe
File created	C:\Windows\SysWOW64\Bndt32.txt	Lacon.exe
File created	\??\c:\Windows\SysWOW64\regme.reg	Merkur.exe
File opened for modification	C:\Windows\SysWOW64\Winkxr.exe	Klez.e.exe
File created	C:\Windows\SysWOW64\DALLAH.exe	Maldal.a.exe
File created	C:\Windows\SysWOW64\Winkxr.exe	Winkxr.exe
File opened for modification	C:\Windows\SysWOW64\PrTecTor.exe	Duksten.exe
File opened for modification	C:\Windows\SysWOW64\Ska.exe	Happy99.exe
File created	C:\Windows\SysWOW64\Ska.dll	Happy99.exe
File created	C:\Windows\SysWOW64\wsock32.ska	Happy99.exe
File opened for modification	C:\Windows\SysWOW64\Bndt32.exe	Lacon.exe
File opened for modification	C:\Windows\SysWOW64\No Call List.exe	Lacon.exe
File created	C:\Windows\SysWOW64\Ska.exe	Happy99.exe
File opened for modification	C:\Windows\SysWOW64\wsock32.dll	Happy99.exe
File created	C:\Windows\SysWOW64\Winkxr.exe	Klez.e.exe
File opened for modification	C:\Windows\SysWOW64\DALLAH.exe	Maldal.a.exe
File created	C:\Windows\SysWOW64\shimgapi.dll	MyDoom.A.exe
File created	C:\Windows\SysWOW64\PrTecTor.exe	Duksten.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1172-2291-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/files/0x00070000000245f5-2434.dat	upx
behavioral2/memory/6596-5825-0x000000007E1A0000-0x000000007E1A7000-memory.dmp	upx
behavioral2/memory/6596-5824-0x00000000004A0000-0x00000000004AD000-memory.dmp	upx
behavioral2/files/0x0007000000024c46-5691.dat	upx
behavioral2/memory/1172-6772-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/8012-9286-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1948105172\kp_pinslist.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-bn.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-el.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-gu.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_524064343\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1948105172\ct_config.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1948105172\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-bg.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-hu.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-sv.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-ga.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1948105172\crs.pb	msedge.exe
File created	\??\c:\program files\eDonkey2000\incoming\IPspoofer.exe	Merkur.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-be.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_426993008\keys.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_426993008\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_974772666\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-it.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-sl.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-te.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_426993008\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_347029285\data.txt	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_3205384\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-nn.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_347029285\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1948105172\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-eu.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-hi.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-ml.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-or.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-ru.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-uk.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-gl.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-la.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-mr.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-mul-ethi.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-pa.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-et.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-fr.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-sk.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-sq.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_779319239\manifest.fingerprint	msedge.exe
File created	\??\c:\program files\bearshare\shared\IPspoofer.exe	Merkur.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-cs.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-da.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-lt.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-nb.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-nl.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_426993008\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_347029285\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-de-1996.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-hr.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-mn-cyrl.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_524064343\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_524064343\sets.json	msedge.exe
File created	\??\c:\program files\kazaa\my shared folder\Virtual Sex Simulator.exe	Merkur.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-af.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-cy.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-ta.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-und-ethi.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\manifest.fingerprint	msedge.exe
File created	\??\c:\program files\kazaa\my shared folder\IPspoofer.exe	Merkur.exe

Drops file in Windows directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\KdzEregli.exe	Amus.exe
File created	\??\c:\windows\mail.vbs	Bugsoft.exe
File created	C:\Windows\LucKey.exe	Maldal.a.exe
File opened for modification	C:\Windows\Messenger.exe	Amus.exe
File opened for modification	C:\Windows\Pide.exe	Amus.exe
File created	C:\Windows\Ankara.exe	Amus.exe
File created	C:\Windows\KdzEregli.exe	Amus.exe
File created	C:\Windows\Messenger.exe	Amus.exe
File opened for modification	C:\Windows\Pire.exe	Amus.exe
File created	C:\Windows\Cekirge.exe	Amus.exe
File created	C:\Windows\Pide.exe	Amus.exe
File opened for modification	\??\c:\windows\screensaver.exe	Merkur.exe
File opened for modification	C:\Windows\LucKey.exe	Maldal.a.exe
File created	C:\windows\Program Files\Kazaa\My Shared Folder\Norton 2003 Pro.exe	Gruel.a.exe
File created	\??\c:\WINDOWS\taskman.exe	Merkur.exe
File opened for modification	C:\Windows\My_Pictures.exe	Amus.exe
File opened for modification	C:\Windows\Meydanbasi.exe	Amus.exe
File created	C:\Windows\Pire.exe	Amus.exe
File opened for modification	C:\Windows\Ankara.exe	Amus.exe
File created	C:\Windows\Adapazari.exe	Amus.exe
File opened for modification	C:\Windows\Anti_Virus.exe	Amus.exe
File created	\??\c:\Windows\Notepad.exe	Merkur.exe
File created	C:\Windows\Anti_Virus.exe	Amus.exe
File created	\??\c:\windows\jk.bat	Bugsoft.exe
File created	\??\c:\Windows\System\AVupdate.exe	Merkur.exe
File opened for modification	\??\c:\Windows\System\AVupdate.exe	Merkur.exe
File created	C:\Windows\Meydanbasi.exe	Amus.exe
File opened for modification	C:\Windows\Adapazari.exe	Amus.exe
File opened for modification	C:\Windows\Cekirge.exe	Amus.exe
File opened for modification	\??\c:\WINDOWS\taskman.exe	Merkur.exe
File created	\??\c:\windows\screensaver.exe	Merkur.exe
File created	C:\Windows\My_Pictures.exe	Amus.exe
File created	C:\WINDOWS\Start Menu\Programs\StartUp\creative.exe	Prolin.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 3 IoCs

pid	pid_target	Process	procid_target
6840	8012	WerFault.exe	251
7184	5932	WerFault.exe	199
9756	10204	WerFault.exe	287

System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Axam.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bugsoft.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nyxem.E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pikachu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Axam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Happy99.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Magistr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quamo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Funsoul.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trood.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klez.e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Duksten.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gruel.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lacon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NakedWife.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Prolin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeltingScreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Axam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DanaBot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anap.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maldal.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MyPics.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KdzEregli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Axam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Axam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mari.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Merkur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsWorld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MyDoom.A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amus.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "kIlLeRgUaTe 1.03, I mAke ThIs vIrUs BeCaUsE I dOn'T hAvE NoThInG tO dO!!"	Gruel.a.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874819889254159"	msedge.exe

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellFolder	Gruel.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Kiray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon\ = "C:\\\\Rundll32.exe,0"	Rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open	Gruel.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellEx\PropertySheetHandlers	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1"	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellEx\PropertySheetHandlers\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command\ = "\"C:\\\\Rundll32.exe\" %1"	Rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon\ = "C:\\\\Rundll32.exe,0"	Rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InProcServer32	Gruel.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	Gruel.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellEx	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon\ = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe,0"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command\ = "\"C:\\\\Rundll32.exe\" %1"	Rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*"	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command	Gruel.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell	Gruel.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	Axam.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InProcServer32\ = "Shell32.dll"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InProcServer32\ThreadingModel = "Apartment"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1"	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa"	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	Axam.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1279544337-3716153908-718418795-1000\{DA2A40E9-53AD-432E-A780-C80A890ED69F}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\InfoTip = "kIlLeRgUaTe 1.03"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command	Axam.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1"	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell	Axam.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open	Axam.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command\ = "\"C:\\\\Rundll32.exe\" %1"	Rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ = "kIlLeRgUaTe 1.03"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa"	Axam.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon	Axam.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon\ = "%1"	Axam.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Roaming\\Axam.exe \"%1\" %*"	Axam.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon\ = "C:\\\\Rundll32.exe,0"	Rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\shell\open\command	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htafile\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon	Axam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "c:\\windows\\temp\\Kiray.exe"	Kiray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\Shell\Open\Command\ = "\"C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa	Axam.a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Spitmaxa\DefaultIcon	Axam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\DefaultIcon	Gruel.a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C6D8BD6-116B-4D4E-B1C2-87098DB509BB}\ShellFolder\Attributes = 00000000	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Email-Worm\\Gruel.a.exe\" %1"	Gruel.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "Spitmaxa"	Axam.a.exe

Runs .reg file with regedit 1 IoCs

pid	Process
6148	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3324	AcroRd32.exe
3324	AcroRd32.exe
3324	AcroRd32.exe
3324	AcroRd32.exe
3324	AcroRd32.exe
3324	AcroRd32.exe
3324	AcroRd32.exe
3324	AcroRd32.exe
3324	AcroRd32.exe
3324	AcroRd32.exe
3324	AcroRd32.exe
3324	AcroRd32.exe
3324	AcroRd32.exe
3324	AcroRd32.exe
3324	AcroRd32.exe
3324	AcroRd32.exe
3324	AcroRd32.exe
3324	AcroRd32.exe
3324	AcroRd32.exe
3324	AcroRd32.exe
4588	powershell.exe
4588	powershell.exe
4588	powershell.exe
4592	msedge.exe
4592	msedge.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe
5168	Axam.a.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeRestorePrivilege	6088	7zFM.exe
Token: 35	6088	7zFM.exe
Token: SeTcbPrivilege	4868	Klez.e.exe
Token: SeTcbPrivilege	4376	Winkxr.exe
Token: 33	5732	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5732	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3324	AcroRd32.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
3324	AcroRd32.exe
3324	AcroRd32.exe
3324	AcroRd32.exe
3324	AcroRd32.exe
3324	AcroRd32.exe
3324	AcroRd32.exe
380	Amus.exe
5168	Axam.a.exe
4612	Bugsoft.exe
5072	Gruel.a.exe
2436	Kiray.exe
1172	Lacon.exe
5624	Maldal.a.exe
2572	Mari.exe
5992	Merkur.exe
7364	MsWorld.exe
6400	Rundll32.exe
528	Rundll32.exe
1240	Rundll32.exe
7340	Axam.exe
4304	KdzEregli.exe
7304	NakedWife.exe
7728	Axam.exe
2388	Axam.exe
7484	Prolin.exe
2304	Quamo.exe
9372	Axam.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 5688	3324	AcroRd32.exe	95
PID 3324 wrote to memory of 5688	3324	AcroRd32.exe	95
PID 3324 wrote to memory of 5688	3324	AcroRd32.exe	95
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 4744	5688	RdrCEF.exe	97
PID 5688 wrote to memory of 400	5688	RdrCEF.exe	98
PID 5688 wrote to memory of 400	5688	RdrCEF.exe	98
PID 5688 wrote to memory of 400	5688	RdrCEF.exe	98
PID 5688 wrote to memory of 400	5688	RdrCEF.exe	98
PID 5688 wrote to memory of 400	5688	RdrCEF.exe	98
PID 5688 wrote to memory of 400	5688	RdrCEF.exe	98
PID 5688 wrote to memory of 400	5688	RdrCEF.exe	98
PID 5688 wrote to memory of 400	5688	RdrCEF.exe	98
PID 5688 wrote to memory of 400	5688	RdrCEF.exe	98
PID 5688 wrote to memory of 400	5688	RdrCEF.exe	98
PID 5688 wrote to memory of 400	5688	RdrCEF.exe	98
PID 5688 wrote to memory of 400	5688	RdrCEF.exe	98
PID 5688 wrote to memory of 400	5688	RdrCEF.exe	98
PID 5688 wrote to memory of 400	5688	RdrCEF.exe	98
PID 5688 wrote to memory of 400	5688	RdrCEF.exe	98
PID 5688 wrote to memory of 400	5688	RdrCEF.exe	98
PID 5688 wrote to memory of 400	5688	RdrCEF.exe	98
PID 5688 wrote to memory of 400	5688	RdrCEF.exe	98
PID 5688 wrote to memory of 400	5688	RdrCEF.exe	98
PID 5688 wrote to memory of 400	5688	RdrCEF.exe	98

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Kami Export - Marcus Plummer - Economics Scavenger Hunt - Google Docs.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5688
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5131FB7845299D8882C23598F6A0C09F --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4744
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=72C8233D4D041023BDED2152D3E95833 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=72C8233D4D041023BDED2152D3E95833 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:400
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E4ECEB14A9A3C60B862643DFA1DF1C32 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2668
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A595217F857A9599A8579F4FC06770DB --mojo-platform-channel-handle=1952 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3532
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5CB70FC0951FDC592D9F8EB7E8369A03 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5CB70FC0951FDC592D9F8EB7E8369A03 --renderer-client-id=6 --mojo-platform-channel-handle=1984 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1476
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=845481F4A542FB0155C1F3A009869963 --mojo-platform-channel-handle=2724 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:3532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ffb1449f208,0x7ffb1449f214,0x7ffb1449f220
    3⤵
    PID:3044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1920,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=2308 /prefetch:3
    3⤵
    PID:4992
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2280,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=2276 /prefetch:2
    3⤵
    PID:3676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2560,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=2748 /prefetch:8
    3⤵
    PID:5252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3472,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=3532 /prefetch:1
    3⤵
    PID:5856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3464,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=3524 /prefetch:1
    3⤵
    PID:1476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5172,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=5408 /prefetch:8
    3⤵
    PID:3592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5084,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=4964 /prefetch:8
    3⤵
    PID:4144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5096,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:8
    3⤵
    PID:4784
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6044,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=6180 /prefetch:8
    3⤵
    PID:4184
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6044,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=6180 /prefetch:8
    3⤵
    PID:3660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=5524,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=6392 /prefetch:1
    3⤵
    PID:3612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=5108,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=5152 /prefetch:1
    3⤵
    PID:5632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=5384,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=6492 /prefetch:1
    3⤵
    PID:4608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=6536,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=6732 /prefetch:1
    3⤵
    PID:6096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6896,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=7052 /prefetch:1
    3⤵
    PID:5708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=120,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=6856 /prefetch:8
    3⤵
    PID:1580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7912,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=7884 /prefetch:8
    3⤵
    PID:4864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7904,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=7924 /prefetch:8
    3⤵
    PID:2816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7896,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=7796 /prefetch:8
    3⤵
    PID:824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5716,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:8
    3⤵
    PID:2600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6180,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=6760 /prefetch:8
    3⤵
    PID:1484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5288,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=3864 /prefetch:8
    3⤵
    PID:1132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7244,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=3824 /prefetch:8
    3⤵
    PID:3524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=8100,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=7248 /prefetch:1
    3⤵
    PID:2544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6756,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=3864 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6824,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=5684 /prefetch:8
    3⤵
    PID:4968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8080,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=7164 /prefetch:8
    3⤵
    PID:6088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4972,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=8112 /prefetch:8
    3⤵
    PID:4252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1400,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=7136 /prefetch:8
    3⤵
    PID:2724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8128,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=6232 /prefetch:8
    3⤵
    PID:6024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=6240,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=6480 /prefetch:1
    3⤵
    PID:2524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=3828,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=6732 /prefetch:1
    3⤵
    PID:1372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3532,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=7120 /prefetch:8
    3⤵
    PID:4588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3848,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=3884 /prefetch:8
    3⤵
    PID:5480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4016,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=3348 /prefetch:8
    3⤵
    PID:2356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4912,i,14621713100684742392,16457332046478847222,262144 --variations-seed-version --mojo-platform-channel-handle=5200 /prefetch:8
    3⤵
    PID:1768

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:5216

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6088

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.bat
1⤵
PID:3672

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\New Text Document.bat" "
1⤵
PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\New Text Document.bat" "
1⤵
PID:1720

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\New Text Document.bat"
1⤵
PID:1200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\New Text Document.bat"
1⤵
PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\New Text Document.bat" "
1⤵
PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\New Text Document.bat" "
1⤵
PID:2296

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.bat
1⤵
PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\New Text Document.bat" "
1⤵
PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\New Text Document.bat" "
1⤵
PID:2628
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5932
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll f1 C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.exe@5932
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3732
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\DOWNLO~1\THE-MA~1\THE-MA~1\BANKIN~1\DanaBot.dll,f0
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4896
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5932 -s 416
    3⤵
    - Program crash
    PID:7184
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Amus.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Amus.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:380
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Anap.a.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Anap.a.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4840
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Axam.a.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Axam.a.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5168
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Brontok.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Brontok.exe"
  2⤵
  PID:376
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Bugsoft.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Bugsoft.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\windows\jk.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2724
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Duksten.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Duksten.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1704
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Funsoul.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Funsoul.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1632
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Gruel.a.exe"
  2⤵
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5072
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Happy99.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Happy99.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3812
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Kiray.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Kiray.exe"
  2⤵
  - Modifies system executable filetype association
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2436
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Klez.e.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Klez.e.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Lacon.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Lacon.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1172
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Magistr.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Magistr.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:904
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Maldal.a.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Maldal.a.exe"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5624
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Mari.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Mari.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2572
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\MeltingScreen.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\MeltingScreen.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2700
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Merkur.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Merkur.exe"
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5992
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s c:\Windows\system32\regme.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:6148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\pr0n.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6484
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\MsWorld.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\MsWorld.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:7364
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\MyDoom.A.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\MyDoom.A.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:6596
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\MyPics.a.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\MyPics.a.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6076
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\NakedWife.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\NakedWife.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:7304
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Nyxem.E.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Nyxem.E.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8012
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8012 -s 232
    3⤵
    - Program crash
    PID:6840
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Pikachu.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Pikachu.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1380
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Prolin.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Prolin.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:7484
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Quamo.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Quamo.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2304
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Trood.a.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Trood.a.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4564
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\White.a.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\White.a.exe"
  2⤵
  PID:9384
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe"
  2⤵
  PID:6652
- - C:\Windows\SysWOW64\WIN2C78.pif
    "C:\Windows\system32\WIN2C78.pif" ~~241118328
    3⤵
    PID:8176
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Xanax.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Xanax.exe"
  2⤵
  PID:10204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 10204 -s 400
    3⤵
    - Program crash
    PID:9756
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Yarner.a.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Yarner.a.exe"
  2⤵
  PID:2788
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\ZippedFiles.a.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\ZippedFiles.a.exe"
  2⤵
  PID:9036
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Lentin\Lentin.c.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Lentin\Lentin.c.exe"
  2⤵
  PID:2968
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Lentin\Lentin.d.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Lentin\Lentin.d.exe"
  2⤵
  PID:2052
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Silver\Silver.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Silver\Silver.exe"
  2⤵
  PID:8992
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Avoid.exe"
  2⤵
  PID:6180
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ChilledWindows.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ChilledWindows.exe"
  2⤵
  PID:10116
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CookieClickerHack.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CookieClickerHack.exe"
  2⤵
  PID:10584
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CrazyNCS.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\CrazyNCS.exe"
  2⤵
  PID:10460
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Curfun.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Curfun.exe"
  2⤵
  PID:9848
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\DesktopBoom.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\DesktopBoom.exe"
  2⤵
  PID:5348
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Flasher.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Flasher.exe"
  2⤵
  PID:9832
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Hydra.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Hydra.exe"
  2⤵
  PID:12212
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Launcher.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Launcher.exe"
  2⤵
  PID:3436
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Melting.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Melting.exe"
  2⤵
  PID:4736
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Popup.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Popup.exe"
  2⤵
  PID:14356
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\rickroll.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\rickroll.exe"
  2⤵
  PID:6680
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ScreenScrew.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\ScreenScrew.exe"
  2⤵
  PID:12048
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Trololo.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Trololo.exe"
  2⤵
  PID:12352
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Vista.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Vista.exe"
  2⤵
  PID:5336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\PrTecTor.exe
1⤵
PID:388

C:\Windows\SysWOW64\Winkxr.exe
C:\Windows\SysWOW64\Winkxr.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\Bndt32.exe
1⤵
PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Rundll32.exe
1⤵
PID:6252
- C:\Rundll32.exe
  C:\Rundll32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Rundll32.exe
1⤵
PID:6260
- C:\Rundll32.exe
  C:\Rundll32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:6400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Rundll32.exe
1⤵
PID:5896
- C:\Rundll32.exe
  C:\Rundll32.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\KdzEregli.exe
1⤵
PID:6840
- C:\Windows\KdzEregli.exe
  C:\Windows\KdzEregli.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Axam.exe
1⤵
PID:2824
- C:\Users\Admin\AppData\Roaming\Axam.exe
  C:\Users\Admin\AppData\Roaming\Axam.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:7340

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408 0x328
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Axam.exe
1⤵
PID:2520
- C:\Users\Admin\AppData\Roaming\Axam.exe
  C:\Users\Admin\AppData\Roaming\Axam.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:7728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 8012 -ip 8012
1⤵
PID:7400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5932 -ip 5932
1⤵
PID:7000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Axam.exe
1⤵
PID:2112
- C:\Users\Admin\AppData\Roaming\Axam.exe
  C:\Users\Admin\AppData\Roaming\Axam.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Axam.exe
1⤵
PID:6340
- C:\Users\Admin\AppData\Roaming\Axam.exe
  C:\Users\Admin\AppData\Roaming\Axam.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:9372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\eiram\quake4demo.exe
1⤵
PID:6632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\eiram\quake4demo.exe
1⤵
PID:8092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c f:\quake4demo.exe
1⤵
PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c f:\quake4demo.exe
1⤵
PID:7464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Axam.exe
1⤵
PID:6980
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:904
- C:\Users\Admin\AppData\Roaming\Axam.exe
  C:\Users\Admin\AppData\Roaming\Axam.exe
  2⤵
  PID:8364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Axam.exe
1⤵
PID:6508
- C:\Users\Admin\AppData\Roaming\Axam.exe
  C:\Users\Admin\AppData\Roaming\Axam.exe
  2⤵
  PID:7576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 10204 -ip 10204
1⤵
PID:7780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\ZwVJhbicpdpMmaPBTOUnXKZaZQViGBoEn.exe"
1⤵
PID:7668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Axam.exe
1⤵
PID:8324
- C:\Users\Admin\AppData\Roaming\Axam.exe
  C:\Users\Admin\AppData\Roaming\Axam.exe
  2⤵
  PID:4860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:8968
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:9876
- - C:\Windows\SysWOW64\WIN45BC.pif
    "C:\Windows\system32\WIN45BC.pif" ~~241124843
    3⤵
    PID:432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:9840
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:10036
- - C:\Windows\SysWOW64\WIN45BD.pif
    "C:\Windows\system32\WIN45BD.pif" ~~241124843
    3⤵
    PID:5432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Axam.exe
1⤵
PID:5480
- C:\Users\Admin\AppData\Roaming\Axam.exe
  C:\Users\Admin\AppData\Roaming\Axam.exe
  2⤵
  PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:1136
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:8272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:9156
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:8728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:8600
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:9928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:3216
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:8988
- - C:\Windows\SysWOW64\WIN7151.pif
    "C:\Windows\system32\WIN7151.pif" ~~241135953
    3⤵
    PID:2576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:9380
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:6220
- - C:\Windows\SysWOW64\WIN6ED0.pif
    "C:\Windows\system32\WIN6ED0.pif" ~~241135531
    3⤵
    PID:7040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:6660
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:9880
- - C:\Windows\SysWOW64\WIN6ED1.pif
    "C:\Windows\system32\WIN6ED1.pif" ~~241135546
    3⤵
    PID:7524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:3596
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:1400
- - C:\Windows\SysWOW64\WIN6FAB.pif
    "C:\Windows\system32\WIN6FAB.pif" ~~241135531
    3⤵
    PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN45BD.pif
1⤵
PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN45BD.pif
1⤵
PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN45BC.pif
1⤵
PID:7488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN45BC.pif
1⤵
PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Axam.exe
1⤵
PID:6880
- C:\Users\Admin\AppData\Roaming\Axam.exe
  C:\Users\Admin\AppData\Roaming\Axam.exe
  2⤵
  PID:9392

C:\Users\Admin\AppData\Roaming\Axam.exe
"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:6984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:8200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:8720

C:\Users\Admin\AppData\Roaming\Axam.exe
"C:\Users\Admin\AppData\Roaming\Axam.exe" "C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:8548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Axam.exe
1⤵
PID:9328
- C:\Users\Admin\AppData\Roaming\Axam.exe
  C:\Users\Admin\AppData\Roaming\Axam.exe
  2⤵
  PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:6452
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:10284
- - C:\Windows\SysWOW64\WIN99E7.pif
    "C:\Windows\system32\WIN99E7.pif" ~~241147437
    3⤵
    PID:6476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:5956
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:9532
- - C:\Windows\SysWOW64\WIN9AA3.pif
    "C:\Windows\system32\WIN9AA3.pif" ~~241147437
    3⤵
    PID:9268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:3372
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:2696
- - C:\Windows\SysWOW64\WIN991C.pif
    "C:\Windows\system32\WIN991C.pif" ~~241147203
    3⤵
    PID:8480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:3732
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:10276
- - C:\Windows\SysWOW64\WIN99F7.pif
    "C:\Windows\system32\WIN99F7.pif" ~~241147437
    3⤵
    PID:8088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:7940
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:1440
- - C:\Windows\SysWOW64\WIN57B9.pif
    "C:\Windows\system32\WIN57B9.pif" ~~241194937
    3⤵
    PID:7664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:7320
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:10348
- - C:\Windows\SysWOW64\WIN9A07.pif
    "C:\Windows\system32\WIN9A07.pif" ~~241147203
    3⤵
    PID:8872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:10092
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:9320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:8564
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:9760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:5280
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:10252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:9292
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:10320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:7964
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:7000
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:5964
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:5640
- - C:\Windows\SysWOW64\WIN98ED.pif
    "C:\Windows\system32\WIN98ED.pif" ~~241147218
    3⤵
    PID:10148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:8984
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:7676
- - C:\Windows\SysWOW64\WIN58F2.pif
    "C:\Windows\system32\WIN58F2.pif" ~~241195265
    3⤵
    PID:6680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN6ED0.pif
1⤵
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN6ED0.pif
1⤵
PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:7412
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:8496
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:8608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:3544
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:9496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:7028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:6988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Axam.exe
1⤵
PID:8680
- C:\Users\Admin\AppData\Roaming\Axam.exe
  C:\Users\Admin\AppData\Roaming\Axam.exe
  2⤵
  PID:5764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Axam.exe
1⤵
PID:10592
- C:\Users\Admin\AppData\Roaming\Axam.exe
  C:\Users\Admin\AppData\Roaming\Axam.exe
  2⤵
  PID:9564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:6220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:8516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:7948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:6832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Axam.exe
1⤵
PID:7968
- C:\Users\Admin\AppData\Roaming\Axam.exe
  C:\Users\Admin\AppData\Roaming\Axam.exe
  2⤵
  PID:4284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:6892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:10316
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:8884
- - C:\Windows\SysWOW64\WIN5C4D.pif
    "C:\Windows\system32\WIN5C4D.pif" ~~241196109
    3⤵
    PID:7384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:10332
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:12332
- - C:\Windows\SysWOW64\WIN8253.pif
    "C:\Windows\system32\WIN8253.pif" ~~241210734
    3⤵
    PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:10404
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:9504
- - C:\Windows\SysWOW64\WIN766C.pif
    "C:\Windows\system32\WIN766C.pif" ~~241202812
    3⤵
    PID:7208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:10428
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:3112
- - C:\Windows\SysWOW64\WIN9D3E.pif
    "C:\Windows\system32\WIN9D3E.pif" ~~241212734
    3⤵
    PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:9352
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:14320
- - C:\Windows\SysWOW64\WIN7B2F.pif
    "C:\Windows\system32\WIN7B2F.pif" ~~241204015
    3⤵
    PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:5744
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:10932
- - C:\Windows\SysWOW64\WINA201.pif
    "C:\Windows\system32\WINA201.pif" ~~241213953
    3⤵
    PID:11748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:7756
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:11700
- - C:\Windows\SysWOW64\WIN81F6.pif
    "C:\Windows\system32\WIN81F6.pif" ~~241210734
    3⤵
    PID:7148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:6084
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:5880
- - C:\Windows\SysWOW64\WINA202.pif
    "C:\Windows\system32\WINA202.pif" ~~241213968
    3⤵
    PID:7296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:10448
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:9164
- - C:\Windows\SysWOW64\WINA156.pif
    "C:\Windows\system32\WINA156.pif" ~~241213796
    3⤵
    PID:11840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:10440
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:5272
- - C:\Windows\SysWOW64\WINA155.pif
    "C:\Windows\system32\WINA155.pif" ~~241213781
    3⤵
    PID:12876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:7408
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:6348
- - C:\Windows\SysWOW64\WINA05B.pif
    "C:\Windows\system32\WINA05B.pif" ~~241213531
    3⤵
    PID:12308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:2152
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:4892
- - C:\Windows\SysWOW64\WIN9D1F.pif
    "C:\Windows\system32\WIN9D1F.pif" ~~241212703
    3⤵
    PID:8068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:10788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:10632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:11096
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:10632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:10812
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:5452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:10744
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:6444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:6944
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:12512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:10656
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:14312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:8828
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:5196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN9A07.pif
1⤵
PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN9A07.pif
1⤵
PID:7952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN9AA3.pif
1⤵
PID:10016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN9AA3.pif
1⤵
PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN99F7.pif
1⤵
PID:8620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN99F7.pif
1⤵
PID:9364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN99E7.pif
1⤵
PID:7872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN99E7.pif
1⤵
PID:9280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN98ED.pif
1⤵
PID:8096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN98ED.pif
1⤵
PID:4960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN991C.pif
1⤵
PID:7428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN991C.pif
1⤵
PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:8816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:7172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:10512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:8208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:11168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:11256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:10616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:6176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:10696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:10772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:10784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:11056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:11112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:7976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:7268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:8332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:11192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:9628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:11232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:10628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:10808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:11104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:10652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:10956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:10700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:10740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:9700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:9008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:10660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:9132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:7504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:7476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:7152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:6016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:8792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:8240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:5232
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:16320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:7540
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:9024
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:7272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:6328
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:16832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:6456
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:11032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:3336
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Axam.exe
1⤵
PID:10164
- C:\Users\Admin\AppData\Roaming\Axam.exe
  C:\Users\Admin\AppData\Roaming\Axam.exe
  2⤵
  PID:14372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:8796
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:8188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:1728
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:14928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:7700
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:16872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:5356
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:6664
- - C:\Windows\SysWOW64\WINB896.pif
    "C:\Windows\system32\WINB896.pif" ~~241219750
    3⤵
    PID:11072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:5784
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:12788
- - C:\Windows\SysWOW64\WIN176.pif
    "C:\Windows\system32\WIN176.pif" ~~241238656
    3⤵
    PID:10532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:6884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:6812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:11340
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:1648
- - C:\Windows\SysWOW64\WINF62C.pif
    "C:\Windows\system32\WINF62C.pif" ~~241235750
    3⤵
    PID:16644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:11348
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:10080
- - C:\Windows\SysWOW64\WINF34D.pif
    "C:\Windows\system32\WINF34D.pif" ~~241235640
    3⤵
    PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:11384
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:13792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:11392
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:16328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:11400
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:12060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:11408
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:16616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:11416
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:14728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:11424
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:7824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:11432
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:1696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:11440
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:7756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:11448
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:8064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:12392
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:17076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:12400
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:17000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:12408
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:8620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:13292
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:10896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:13300
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:16864
- - C:\Windows\SysWOW64\WINFA81.pif
    "C:\Windows\system32\WINFA81.pif" ~~241236609
    3⤵
    PID:13260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN58F2.pif
1⤵
PID:6204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN58F2.pif
1⤵
PID:8000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN5C4D.pif
1⤵
PID:6796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN5C4D.pif
1⤵
PID:7864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:9480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:12196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:6604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Axam.exe
1⤵
PID:11012
- C:\Users\Admin\AppData\Roaming\Axam.exe
  C:\Users\Admin\AppData\Roaming\Axam.exe
  2⤵
  PID:8472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Axam.exe
1⤵
PID:12600
- C:\Users\Admin\AppData\Roaming\Axam.exe
  C:\Users\Admin\AppData\Roaming\Axam.exe
  2⤵
  PID:7132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:9180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:13048
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:16308
- - C:\Windows\SysWOW64\WINFF92.pif
    "C:\Windows\system32\WINFF92.pif" ~~241237906
    3⤵
    PID:9076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:13060
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:7404
- - C:\Windows\SysWOW64\WINFD30.pif
    "C:\Windows\system32\WINFD30.pif" ~~241237406
    3⤵
    PID:14752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN766C.pif
1⤵
PID:8276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:10468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN766C.pif
1⤵
PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:3596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:13572
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\WINFD50.pif
    "C:\Windows\system32\WINFD50.pif" ~~241237406
    3⤵
    PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:13560
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:16576
- - C:\Windows\SysWOW64\WINFD31.pif
    "C:\Windows\system32\WINFD31.pif" ~~241237343
    3⤵
    PID:15532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN7B2F.pif
1⤵
PID:3424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN7B2F.pif
1⤵
PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:12652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:12640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:14060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:8576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:4816
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:12192
- - C:\Windows\SysWOW64\WINE67C.pif
    "C:\Windows\system32\WINE67C.pif" ~~241231484
    3⤵
    PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:7924
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:9744
- - C:\Windows\SysWOW64\WINFD7F.pif
    "C:\Windows\system32\WINFD7F.pif" ~~241237375
    3⤵
    PID:6508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:13368
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
  2⤵
  PID:16296
- - C:\Windows\SysWOW64\WINF409.pif
    "C:\Windows\system32\WINF409.pif" ~~241235718
    3⤵
    PID:14932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN81F6.pif
1⤵
PID:14120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN81F6.pif
1⤵
PID:14088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN8253.pif
1⤵
PID:12612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN8253.pif
1⤵
PID:7904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:6700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:12976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:13044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:12932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:12972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:14272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:14328
- C:\Windows\silver.exe
  C:\Windows\silver.exe
  2⤵
  PID:12852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:14184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:11844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:10476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:11284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:11312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:11720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:11728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:10852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:11620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:13544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN9D3E.pif
1⤵
PID:6160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN9D3E.pif
1⤵
PID:11776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WINA155.pif
1⤵
PID:13380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WINA155.pif
1⤵
PID:13316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WINA201.pif
1⤵
PID:9196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WINA201.pif
1⤵
PID:11328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:12780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:12812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:12228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:12684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:10084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:15196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:15332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:13200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:14164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:5844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WINB896.pif
1⤵
PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WINB896.pif
1⤵
PID:9188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:14624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:14632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:14688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:10428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:10048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:14708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:14716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:14720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:14744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:14852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:14856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:14876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:14900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:14908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:14956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:14964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:14972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:10036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:10052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:7944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:5520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:8544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:7080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:12056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:10844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:10332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:9488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:10452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:14460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:11216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:8964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:6100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:9596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:12340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:7408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:10880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:11700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:16692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:16700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:16708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:16716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:16724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:16732

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:15312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:15580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:15568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:14496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:15040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:3108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:11208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:5880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:14420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:16940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:10156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:17064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:8196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:14520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:7480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:14324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:17128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:9368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:1096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:8028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:16964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:16988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:7320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:11524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:8084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:13632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WINE67C.pif
1⤵
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WINE67C.pif
1⤵
PID:8336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:11548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:9092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:17036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:17044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:17116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:15920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:13308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\silver.exe
1⤵
PID:13232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WINF34D.pif
1⤵
PID:15412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WINF34D.pif
1⤵
PID:15368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WINF62C.pif
1⤵
PID:6032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WINF62C.pif
1⤵
PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:11248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:16732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:16096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:16200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WINFA81.pif
1⤵
PID:15916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WINFA81.pif
1⤵
PID:1436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:15636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:15632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:15624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:15616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:15600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:11164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:16184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:16192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:15352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WINFD31.pif
1⤵
PID:12432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WINFD31.pif
1⤵
PID:7648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:11076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Winevar.exe
1⤵
PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:9868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\system32\WIN2C78.pif
1⤵
PID:11516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Axam.exe
1⤵
PID:8412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Autoexec.bat

Filesize
219B

MD5
b07df864ac7d9554450820704c688548

SHA1
074d19eaabc1d5c2b0a8ba45738c05037d2a3018

SHA256
184453618aa3e3e2f1d39e9e06ea41b8c33a7402c086010346bdfb4336142a30

SHA512
eebb7ee137d96d5031754616ba02ab8bfc5bf29b4a1154e059f65eec4c0fc97773a6c7c9e897aa1fe7dbb9bf77c9507b3d5f98f37c8fc0e5199b65ca65b9b87c

Download Submit
C:\Autoexec.bat

Filesize
302B

MD5
3565a089a0f8b2b5afb04ec4379b44dc

SHA1
4075ac633db35b158e4142860a2fd4f331780f9c

SHA256
941689078f2ed21767fd0aa5ad330df33b8a0ac96acccb2020f307558d6087cb

SHA512
112538d7d1af9c02536db20acfc6cea3225341d0f1468ad49ab980a65c74c9111fbf2514776e4e40bd2fbb13d1703dc47cc647b780dc503be99f6fa712c925a5

Download Submit
C:\Autoexec.bat

Filesize
453B

MD5
3c134fc18e7bdaf02d63571d193799ad

SHA1
7e6f22569d16202195410f29e6c74d093f1fa930

SHA256
087f1acb6ed4d7563daaf6f0e1110dc7b3d5b4d6130ba19389cdf3eb90e9d347

SHA512
5b02fda689e01d570fced10841daea8f543467b9a0ea138149c486c6d9fd56a0684901af16cbf2b3ad7f1d0b6cf6b08bc36288afcec4d5552b5863ef854570d6

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-as.hyb

Filesize
703B

MD5
8961fdd3db036dd43002659a4e4a7365

SHA1
7b2fa321d50d5417e6c8d48145e86d15b7ff8321

SHA256
c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe

SHA512
531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-hi.hyb

Filesize
687B

MD5
0807cf29fc4c5d7d87c1689eb2e0baaa

SHA1
d0914fb069469d47a36d339ca70164253fccf022

SHA256
f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42

SHA512
5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\hyph-nb.hyb

Filesize
141KB

MD5
677edd1a17d50f0bd11783f58725d0e7

SHA1
98fedc5862c78f3b03daed1ff9efbe5e31c205ee

SHA256
c2771fbb1bfff7db5e267dc7a4505a9675c6b98cfe7a8f7ae5686d7a5a2b3dd0

SHA512
c368f6687fa8a2ef110fcb2b65df13f6a67feac7106014bd9ea9315f16e4d7f5cbc8b4a67ba2169c6909d49642d88ae2a0a9cd3f1eb889af326f29b379cfd3ff

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1485554225\manifest.json

Filesize
82B

MD5
2617c38bed67a4190fc499142b6f2867

SHA1
a37f0251cd6be0a6983d9a04193b773f86d31da1

SHA256
d571ef33b0e707571f10bb37b99a607d6f43afe33f53d15b4395b16ef3fda665

SHA512
b08053050692765f172142bad7afbcd038235275c923f3cd089d556251482b1081e53c4ad7367a1fb11ca927f2ad183dc63d31ccfbf85b0160cf76a31343a6d0

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3532_1948105172\manifest.json

Filesize
102B

MD5
a64e2a4236e705215a3fd5cb2697a71f

SHA1
1c73e6aad8f44ade36df31a23eaaf8cd0cae826d

SHA256
014e9fc1219beefc428ec749633125c9bff7febc3be73a14a8f18a6691cd2846

SHA512
75b30c0c8cef490aaf923afbdb5385d4770de82e698f71f8f126a6af5ef16f3a90d0c27687f405274177b1a5250436efddd228a6d2949651f43bd926e8a1cc99

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3532_3205384\manifest.json

Filesize
76B

MD5
ba25fcf816a017558d3434583e9746b8

SHA1
be05c87f7adf6b21273a4e94b3592618b6a4a624

SHA256
0d664bc422a696452111b9a48e7da9043c03786c8d5401282cff9d77bcc34b11

SHA512
3763bd77675221e323faa5502023dc677c08911a673db038e4108a2d4d71b1a6c0727a65128898bb5dfab275e399f4b7ed19ca2194a8a286e8f9171b3536546f

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3532_426993008\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3532_524064343\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3532_524064343\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3532_779319239\manifest.json

Filesize
141B

MD5
811f0436837c701dc1cea3d6292b3922

SHA1
4e51a3e9f5cbf8c9c96985dabe8ffc2de28dae87

SHA256
dbfb38a16e33a39c35ac50bd81782e4608be14954f1df69ac8272c0b9ce87a5d

SHA512
21e7bf2f8333b2900bcbcb871ede14684073249597d105095dc7d3f101e7ccc326068732f11d4a167365f245a3f2205793f520c7666d7f948e70919b40b43d35

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3532_974772666\manifest.json

Filesize
118B

MD5
86095c966115d8fbabfe3e7496461e73

SHA1
9f6af2a9e4608c25b5c9257acdf77ba9838abc1d

SHA256
9313c1c29918e4a75e85b3146647555080286d61517f0ac9c62c1993e274a6a6

SHA512
51970ae96e6af2a2dbf086ea25a7ec6912a76954346dc85c885e6fd81128699abb14b368b09dd18c5d34183734fc6cfc8dcf0db03b916cd1dc21af7180653005

Download Submit
C:\Rundll32.exe

Filesize
100KB

MD5
b0feccddd78039aed7f1d68dae4d73d3

SHA1
8fcffb3ae7af33b9b83af4c5acbb044f888eeabf

SHA256
5714efd4746f7796bbc52a272f8e354f67edfb50129d5fdaa1396e920956d0d6

SHA512
b02b9476eeb9c43fcfef56949f867c1c88f152d65f3961a2838b8bff02df2383945aefb9a8c517ac78d79b5a9163c7677f5b6238f4624b1966994c9c09eb428d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
998db8a9f40f71e2f3d9e19aac4db4a9

SHA1
dade0e68faef54a59d68ae8cb3b8314b6947b6d7

SHA256
1b28744565eb600485d9800703f2fb635ecf4187036c12d47f86bbd1e078e06b

SHA512
0e66fd26a11507f78fb1b173fd50555dbd95b0d330e095cdd93206757c6af2780ece914a11a23cd4c840636a59470f44c6db35fa392303fb583806264e652016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000007.log

Filesize
21KB

MD5
8dde61f51b7148c23fdcf41759912deb

SHA1
e4e7d1e886286edae65ceb55921ec001fc3bf0c6

SHA256
bbc405881c9d6c33ffcadc6c90de84ac8148596ef86ae22f5b15902aa29558a9

SHA512
a62aef13818f8b1b4dd39f53f0e138eb0ccb686985557861314b74e318f9a40d5ebdfec59277c9fdccc327114e9cbead7d9a96850ad0d60ea3df6ec238747506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
331B

MD5
571393bfe563374f71bbb38704cf2bb2

SHA1
c4b5b343b625329fbb14c65e09cf81824fe763f5

SHA256
f0884a9d0a127b61a8cfb1c56d390ca65ce95768c48b85359ef35cf4d39c3922

SHA512
328c5b4e5f99675e3f4a1f780f95773fd86d86ddc6b25b8dd177ca5b5b07ca84886ead4ffd75ef0dcc76cd66f69d3ab19d3d4628bd9089103ea79911b2f05f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
334B

MD5
ba7a8f4c028bf5e8f536ed6dd754e967

SHA1
cb0c6672883898d50f388a97ecd31e930dde6b07

SHA256
25171c355158f51faf2f5ffdb39a47b6b159c6c95016a4c84a05e3b22ea3979a

SHA512
1c4ebbb1a1a4016903cbbd34c596776fca969843dad76bb9c3f8a89a9c1da8767b17e4a5594860e1d04b8ad980bb7f91fe93d4bdea71252570f02bd67bf8a97f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000072

Filesize
128KB

MD5
e729e8699547cb5bfb4f424406b8f551

SHA1
5ab8f998ba9fc47a60c1af131c29bc9f6b656b53

SHA256
8b584c48779d727e3638c8922aa47b1413d8906130bd3c480dbe0774186d2915

SHA512
027438641482b3deb4c3ef779542f0ea5c1a97fa90a24523b645b9d53ff13e03da89a102f6edff4752d0a0b517cb131f3a8c7a4f54fe20f23ead8d357ad970bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000074

Filesize
128KB

MD5
29e7cfa3e5de55d603a211bc5561e684

SHA1
4f3af2524b97a5f4e5f9d765e9f9f792efc3cb02

SHA256
60ef8879a9fbd2419b58c1f614abb7019dd677ce45ba9f092c14760c8c7dce65

SHA512
175af94d1aaeea119f8b02344a5ae5b1a1abd5328a17b8ec8b9159e6346b00d5ee38bb34a36f67567b80a0c98a59b66a69a7f868057b3f4dd444720287c4285a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000075

Filesize
64KB

MD5
55db53a89098f4b6b215e1cc6e9efc60

SHA1
4a1d73f9c6e11a1597c8e1237e99487aa5bcf05c

SHA256
d2ffa7fdd7892b4822eff4a89232bb1a4a37a52474819e5fa6b2c0b1d32e8e43

SHA512
cade704e8ae437799fd726b92c8ba98020878e7bb2c0d5920986745b11e5542e55170597cc9da5d20dfd525f47c3a1c2c85a1c67e6f281801cc63bc44fa35102

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007a

Filesize
19KB

MD5
ea66db1aab3841cfcdee53b86c65a13a

SHA1
d0415dcd0473b4f08ff6ba34bb4da0cf3a7d8836

SHA256
f51605783e3bc97e858892e14d9c4809c8f18b791271e30ab4a9d165da94a2b6

SHA512
a5596f31c311fabb4cb214d6bc43a8b37b2291fe4ffe7e3d94b8b414341ec2264fbcd1ca4e9236a2db551ba009ac380e4264995e70a145e4a4857781bdae9ac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00008a

Filesize
77KB

MD5
5aa503f79e9eb3b861df01f9be3d4dbc

SHA1
72e930106eb27863cf4d7a46ad876e7880286d2b

SHA256
022e30ebb02fa7362c508a92dc432b6daf25ce3bd811f05d146cd03b6483e82a

SHA512
e7f3d2624e17e13816dcdb5beace5c18533de68aed92649548791dcb0c72cbf3a101d40bea8d58effe8475677a727e45ac4b67f6d6a34f89757cb6e38c833d44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00008f

Filesize
24KB

MD5
0b11138d6edbf73c26cb77e74f47e6b6

SHA1
a0b1e404f768a7309ff742379024751152b1f5bd

SHA256
89726d43d9efa8a719ffc118b138a490d9058919a1f5cbf8ef212888e2bddd59

SHA512
c739f8fa5d614b62df60d1579be298ce9ad85fecc0f933cc42085a9feca4a77117c0160cef790660e720e9fa4bb513a0340c17e5a7b1c9bd03659d463b1fb36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00009a

Filesize
29KB

MD5
5ad02708bc9c2c93ab071d3a8ac24fce

SHA1
7d3f922675032f2bc399612e6c20e97db48fc9fd

SHA256
20953c610693528b15f1477164412a1f5d50501574885fac93f31b4918f75363

SHA512
aeeb3505d7303d4cfd915ea06304f3c740c62d9e17a34aed5fd815e1736f59f187902c6f0ebfcc06146dd11aa37a3efb02f00ca09f7f51a7b0ef99be5fb938b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00009d

Filesize
17KB

MD5
edff2a505ddbcf57d72bcd16ed0d84b4

SHA1
edaa2dde0ada20c983a3df59f15b8653e1c3c3bf

SHA256
230249c55b3085bde5eab2fadddcd9a77e7995fcec2ef059e5e9dc2c99e1e61f

SHA512
17cb71705f68767728ce7f9faec1c88872886f73c5f9a936da5bf1dc4614c03675d64913029da1c4b4d3129c1a099cea015273a397f83127cee1fccc0e782c7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00009e

Filesize
36KB

MD5
4eba8b7a83900589e5b6db5d7c4f0cb1

SHA1
c7a9bfa9ae61dd8b031e00f69b2d847f894be936

SHA256
7395d03c3eb61260741a66b9f685798425a27599f4dc9b351cc23bc1fb2c37d7

SHA512
bbdf026fe6a50ac1f0013501245c7b2501a96e23653ee470a0555934ba68645c78b8e8a217d87f99a1a45a4e540ad9f45e24cb557ad6c40923e2a8ad9a790363

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000a3

Filesize
16KB

MD5
efe184dc2bc8036bed28a59224ec1d25

SHA1
357a088e31a1c3e9ff1b6e11215ae09c269a14ff

SHA256
47c4b9dc5958c9aea73676671fee412779577c9ff27a92a756fd4f4ec33146cc

SHA512
3612949b8c4e6275b0f551224541eb06bb704fbb47b0f8994dfdebe29ab8c50f699f122d91f9748e41718bb4a16380d6388c4e0ec385ddca80c4aaec15d04fa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000a7

Filesize
127KB

MD5
ccb2e5594c5efd285b5d69adef66f3da

SHA1
4888a3365d29f8577826ba2b23bcab19f69baaec

SHA256
a1a730cfea5f69583e2dff42422ec8691f7b2ac4d7b36829ae5a99890b5be4ed

SHA512
0fda4239bffc0a32bddebb1dcc6c71ec7c66d6bba9cd10ae0b9b7f75b1d4964a8f5f3f9ca5f16900c5a59d185548831d370aa5d21728acef1ee5c660fff2bd64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ab

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ac

Filesize
67KB

MD5
cc63ec5f8962041727f3a20d6a278329

SHA1
6cbeee84f8f648f6c2484e8934b189ba76eaeb81

SHA256
89a4d1b2e007ac49fc9677d797266268cd031f99aa0766ca2450bff84ac227d1

SHA512
107cf3499a6cf9cdcbfa3ef4c6b4f2cda2472be116f8efa51ff403c624e8001d254be52de7834b2a6ab9f4bcc1a3b19adc0bba8c496e505abbca371ef6c8f877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ad

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ae

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c4

Filesize
162KB

MD5
65624e68b93fdfba6d0e364f040db5e0

SHA1
263fae08ee908652641324c10e68598697bf87cf

SHA256
110afd0885802a2129b28a243ccda31688cd7c87759e6f29c5ae48ee531fa998

SHA512
48a8a6f6d3e16c85cde57c91e4509cd28a22a5b928425d716ab9590c9a94d3ca608ba020736c355adafa1c4f658618ec6ea4e534d5e57891a8ef2c3cb1871866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
3654d96a5386a81b2b14da5962675043

SHA1
4635ba68f594f74412a209b57e07d396e185b76a

SHA256
9f5ad5eeb2810f1c281d0785f16bfe14729c60e1fc70fdb2393be30ce4e33aba

SHA512
5801b3d215d8a0936f56459e8a7eda064f9f9ab566654ebfe62930c32a9faab6ddf348c3e7d27496a7265c53bf229ec6a495e4067c6252585830cc095b2a1063

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
dd9f9fd7b00f3cda6de023880eb3e0bb

SHA1
505b54cb328f720b088ec2c8eafbcf4c456c54b1

SHA256
a7bd0831891782b7384a3d59449dba1d4362636dc1c0f463dfca04a318fa407a

SHA512
b743feef744b149f0c09cd2e446ef9fbc06190a03b1a9a12322d18b9283ca33b832dc77dd6b77318b187dcdb6d3beef08cd50e8f79f8e9230a61fd0b27b3669a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5aa114.TMP

Filesize
3KB

MD5
87ba26e52059d17c3f84e9dae96d2e4a

SHA1
f829d54e19f89b012c0f4f148133edb299965354

SHA256
48a1aa88e1a40708cdbcd9d88eadcdba229301a73cf89bf2af8e5661913907ad

SHA512
fd43e6d7adce18a8aa8c92ca79b317ae44a33e5112c7f983dce48a2f458d247c57196aaeaceaa604a4fe9e8145f4e6256a781fac46c6cb617a7d2b6c1ef5276d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
9e03a8d8fa2b462f9bc83560eae48a66

SHA1
641fac619d5855f39fab252b41c89a9abc49e714

SHA256
646318d96c124ef6a8af9c71f4062ce6d5c802a7f5e5445e79e7f84ff15516d1

SHA512
da2166624652bfd225c767526c123a5c004321286a41aa782b9b82dff690a3e29b7a6705962147594b79444908121bcba5e0eeaeff3e46bdf4309323c51e3108

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
1b23424b697d87c58b7171ae7c9e0b86

SHA1
5e20d4d4f7e9e4ab29b954f6b03c945091b7581f

SHA256
f52d1c4ae78ed3dfd0a5417efe1714e65aaeed4a6be032e68ff88ec6e43e9203

SHA512
9026d9f28939095eda087cb12259e8774f2954b9495c0bcb0a6589b34e738a0c85ae74f632717e6cac134e0f60eca26c63234db18fdc70e1679996252e966fbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
38bd0ab43d0a1b67f37d1bafab988210

SHA1
08c9e7922e295535e0cf37e9860a52561fd3cb00

SHA256
c0def367a0bfc8d29466b752bf00100bb6c31e741f473a3a48f8a0a006e968ff

SHA512
f8da307b0efd4fd4283642a6dd62939b63e320dbceda2251a988fc75031e38885b92cf5b96df643c85e21377c50f52b8fb8b00f6bf8bbf88ba013076302d7cd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
8e0cfdcdf926ac3e76eae8e7094b2caa

SHA1
11d27ee143e28d06b2985671e068e441fdf36361

SHA256
54a73d890a08e053c572ff41c39381da9364e363a44ca4a35c1fe6bb7ae5f204

SHA512
e69e367a1d991c031c825f6b844b012bcbe3e7c2a626261b70d0ce82a297814725ae88cbbd201bd4b2026bd5c911efb094c7dbc2a65dc8196476cd0d5631668a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
cbb744291c9ef14197e83fe8f948d3c9

SHA1
7fce7c5f063a8059a37f6901a849fe9aa4e966cc

SHA256
3b2ddf4e758785d8b55aec3c125dd66f127782f16599e83ea15a0e923c88e881

SHA512
d5529ea04a4800aedc41d3b2fcb34a55942c4f820b892486d9c16724a899b9edc47ef16a869861b0eb1b6528827409ac597d42ade43fec7fc3e37c23636c0b8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
a442a34f825be913b173561d3292f0c6

SHA1
88773970ba1ff656ce06b4853577688039c8fab3

SHA256
25ce6c08f5914ba1d04eace04fcba4324def9b95f59945ac4854a838a9140517

SHA512
909d8a9d18b284d2dba2f9ced5e7ba8ab4ca80f1e6baaed5ea64c012391f7dbef69d52b7d334eb4b1580caa803310865e00686db8b74aef6dea022d91ae0f00f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
a093972847b9e440c5a8d6001ddc851e

SHA1
7ef597a6ba990353678c4ce5c385c7b013e2fb97

SHA256
5603001e411b94a1ba2d2a45d756c6fae4d358083be3a87c97cc801054a8d9df

SHA512
3368ddd390f337d8a67384115f1ddec0db220903f7343ff529952f4cb749d49aa6c8c70dd82afb76143746ff469b65a05836daf5ad8becb09290cc9d76d6e4c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
81c48b0a41a4d6e9107f7d9acaa6564e

SHA1
a5493dea6df05f153c8effcad4942ab19567453c

SHA256
54cec72bc5673b1f6709c7956e770df664bf53780a74152d446ee9e87b2ce2b0

SHA512
3d6896deb37ca6cec29904535f7aa13b6a202b86d3b8c37b1be92d56d0240635762777446a08718269772f8377e5e0b5a09590e95e32d5c050ac7c51e11f8b69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
93d22780fdbeb5e6ebe3da4928922a9e

SHA1
c833032a9d9d7b6b5fb648da9280198895f65105

SHA256
c443bcc8d7277e8ededee6e05197ec873104bccd120be0c25521d909401fe071

SHA512
769de06a180937c6aca8d6558293af69fa3de2c817974e03b666b858c6407a5039206a48cb7ab868ca9b43af382963280742455268130241e5a1319a31195cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
4e75ebe9ec7e656402ff6f24189b1996

SHA1
ac166e1236a17c3c11e9db24500baa5137334812

SHA256
084efa586b207ac1c948f72bda5e044301e98890a052cc8524b1f836056cf762

SHA512
edfe7f86d31101bc004a293f80f0a47706f3930cf54dbd33eaa0ccee365663dfd511204219193f886a80266d9964a9aaa2d7779cd4ef72c9f2c912945acefb95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
6cd38e8784d7c8ecdd691ba5065a664f

SHA1
958d4e5162898fe69a1d6812a987b54d122234fa

SHA256
339ab16ba992c52d5a8045968136de13ae7e0a84bc3b1c67a5ac84079172fd5c

SHA512
64d8bfd87942491885ae8c83d39b2555db643e781908b05c036cd94067e44411128699fe2249b51cc05d5db06419913e2162d00ead76a8d92442eb1594dc4236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
9b018da3cba50f20ccc175b89de728f2

SHA1
a67aab571ee6c16c539e17a33ad5967d9798fe73

SHA256
996aeb2f1dbb88282aba6000945e473a4b78a6a3f8786040894492b227d81042

SHA512
0cdf8c13dca6b346f974db47d2e58bbd79cb791c1237a1b3a7ddf0a0b4f985733b9b7fd3e17f895af4fda034db6d2f282249487902f30140bc437553af813e85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
84e6fdfed84568a665b41a461dbff971

SHA1
82c28334448c5f83df2623e73c32cef6f48375d8

SHA256
ececfd6468df3d3ce918715a5db489056bfa7b909a999014f58f2be1752a6cce

SHA512
f49c20a350fe45a285ce075742c9e06b2fe42feb210b6587712467622709f285e198d2fe831a453315748d56236b038148d86f5ec5567b3c78ab58e8b000e022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\3b23d876-3b29-4552-b5ee-c094dacbfe2e\index-dir\the-real-index

Filesize
1KB

MD5
5d3f45e0610b8792978b4fc821519425

SHA1
133ba33106f0d70442e99006adaf9efdb3c96a06

SHA256
32d924c0b9c5c6e5d9ab5f1facb7b8ca1d9fe736e3734fd59e0520cedccf5e31

SHA512
cd6c5edcd271eaa5642b414aa571904f9619919acd30d0ebda0d5de9f9ba5b8a0b43c76f603f62efe6a192474714d49c5279ee0bddec3fb1179f59363801a0e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\3b23d876-3b29-4552-b5ee-c094dacbfe2e\index-dir\the-real-index

Filesize
2KB

MD5
a9d0fbcfb3386ef836480bbac3f0bc14

SHA1
54b90b38eb34c93b79eb7e5d7a307937ff4b5f1d

SHA256
a71a872cad9afa0df2b2635e4fe418a9ada2c5020f47c36c1315abefffc1dad2

SHA512
a94c231e844ef34cc7a5398dd842c18cdf84d0e97008cc5976d44ffe38dde2b9cb1615c9163a6ba67fb1ae85bbb5c8fd2d5dff72b7adc7c16ad743ca7878f63b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\3b23d876-3b29-4552-b5ee-c094dacbfe2e\index-dir\the-real-index~RFe59fcf4.TMP

Filesize
1KB

MD5
b98ef2958418d6a704b8c6472cefb3a7

SHA1
073bc2ff34794b111a9d9f1f8dfcdca5bf7481cd

SHA256
ddd1288ce36d948005048f9e24d82d9b6dab94be8bed09f7c4c9d2be4172b424

SHA512
121f7ac4b7043dd0a228627295ce326af36a16966254b7cf05ac9c5d8b742c364f9cc50391a83422a49c50b5b69ecdeeebd8e93df4b94456d59da97e408ff8e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\509375a3-c058-458c-86e8-dc2911f03d11\ee91b116cc2005be_0

Filesize
56KB

MD5
7bb050f2767b7fb35f85770604f71c1b

SHA1
c404c3d05405553ff468bf6b4ccc2aaa93534e75

SHA256
e590c2f55e7565bc8ab7d354b887684215b14a45a62d63ccf2678cfb696a9397

SHA512
e29b09353f77429f1c79a57b44d69ae4cea423e0d51d7deb48261819e59e91481cb2e8a0ef603818aa138dd0fa998238336335a552be0a1712bc115cba7d2c6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\509375a3-c058-458c-86e8-dc2911f03d11\index-dir\the-real-index

Filesize
72B

MD5
235fef32497a7353067161018041efd1

SHA1
f108adebddda6354e8ac7866577dd9b66372e3c5

SHA256
9798c17119b96d11d0671072fe67b6a1dd2918b4cb2800c95d868acaf6b37885

SHA512
fa4a9b69de175a018b3804c0fa470df9fbd6581d9031c56fd7e8edb8569333f9eccd5b97733776112ec251d5f4f511a51633211230964e95d087e6c13b16dd96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\509375a3-c058-458c-86e8-dc2911f03d11\index-dir\the-real-index

Filesize
72B

MD5
eb33c66b5c4d6036b9ecd57ef756d142

SHA1
6930e675c03b4b13250f079f9930e38177d1e780

SHA256
210ce966c22d5dcd17023c2253af556623e790246c82cab83e2c855d5e24aff7

SHA512
c9245e02ab00d1fa36082e5761f0caed764587e1e8d78d0f4de42a90bc6f53541cd46717b61e9e02d457fe7459b4605c4c9318fbcdd16615e27bf8a1b77bf846

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\509375a3-c058-458c-86e8-dc2911f03d11\index-dir\the-real-index

Filesize
72B

MD5
f4b6a8904563b4fac021f543b7301c5e

SHA1
0dac6bf96f23faf170c01c7a60f5ee1076bbc83e

SHA256
e1fc34134702bf270670d526c7afe665bb313d210b08abc5e797b39a495da1e5

SHA512
eaf3b0efc7c4d48f7c00d245ebd4e31a20432b2b5af53579acf6091c6d8d18f6ae01a5f2ee71bf7cdbb69cd1d66f62a1f3ddec2d39f59d91f6e4c9fdb3083e66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\a069ae0b-be61-4d50-84ef-3cf33c8ca9ac\index-dir\the-real-index

Filesize
72B

MD5
e9ad0aa3929e148b897089b11b9576ea

SHA1
d31537423fa5df0ae39ad71194c74260c719e320

SHA256
a657fa3182be1f34392a7414274d59926b3abccfb2ad9d716b83eba6d8e9c43e

SHA512
c0a0285e8d596b1b01393b4b4f96ff58a33affdefc9c17154a419f5184c07d72133976950978771101f70c6e9d07b791a8b72189f4ecfa49eba2b49bd806f464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\d6eefebd-aead-4b6a-9eb1-9b9c8afad06c\index-dir\the-real-index

Filesize
72B

MD5
39356c7861d852ddb3033d55127b1036

SHA1
c9d62f605e8dc797da7d1a948862a5aa7abb651e

SHA256
25576a96a3b3567fc64d9bbc549c946727b4fda33b3dcf9b4bc107a1c61c46b2

SHA512
9fcdb11e9578304018ea0643ffc4a5f5a5ceb11d33bc36655ba7c59cd693ac69edd14454b58e50054ff8ec7d3201ec1b1292bb7782f4e85283fd1d7751be892e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\d6eefebd-aead-4b6a-9eb1-9b9c8afad06c\index-dir\the-real-index~RFe5de0dd.TMP

Filesize
48B

MD5
602c320b4b6fee26d2e4c07a97f6a018

SHA1
6732bc52334fec61cb2a82702484fd2a3ea88f89

SHA256
046beb72a84723499a1fb6f48d4f43e226cc615f71f6ae0f87894fe1dbc623d2

SHA512
39646efe80bc53c906e5998693640ddcd4af7228d7bbe1ca003282fbce319105cb49d4cf655e77233a6710fd2853ca1563192e3fb32d25687818b3ee8f71799a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
253B

MD5
9411e804fce328a8d8409005adc47b0e

SHA1
4b287b58ff7183fe3df35647ff37a2817b2bd9d1

SHA256
cbbbca51d73284d6540bfe8220f302118966b07e88f4e80c7de209e2dddc0e01

SHA512
e62fbce6bdf3a65a02ad77aeeed8b2767cf9446831b29a196cf364574833202d9a85ccde0ef7e32517447e81e992d6aa9890ce94709189651740ebd8968a19b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
efd2fb1789be92ef6c90abe80415d392

SHA1
1685a56bc4bc5821a84057aec07c0c6426395b5d

SHA256
f3440d7a354cd05ccbbd1965b23072fd6ece7e9f8fbb08693ce55907f70badf0

SHA512
0e7ef175eddc4863b5929016e75314839cf135687f0734e7836dfd12d1700743e2090a6b49f747348725d79eb29d1b52cb39651eea3a25f74099a9b0a6b3c5f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
322B

MD5
4f987b44234c8e2659207b5fe988982a

SHA1
f2915ee962c30e04611305f017ad15ee0b134835

SHA256
bdff57702697f6b65ada0655bb8e78a27bc052cbf035dbe13962ebb0f90fbe84

SHA512
04f7966a3636c84c9d483cbd964bce59ac2f079ae5dc7a42c3b5d600ea771ac94ba23239c97bfea5cf16d95d97f45b0a4fa79db2b4b38ccacab043a20988b1ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_0

Filesize
116KB

MD5
888105751627d2b2ad1f68b1d86d0667

SHA1
728cbd9855940ba129930a1092ac3c9f8ca7bfe4

SHA256
7a8ca073eb504a4d5f56798636223b1430e1a40304125ebffae128bd0788879f

SHA512
c6e5f4f71c8cd4ea30c17b550e89a0d1fd49b3bc3af565669a552bf5a66b1957a86b857614d75b0cb4886bf8194f0a6a857e62ae7cf9063ee5b9fc20bee5f63c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_1

Filesize
203KB

MD5
2593f6410889c5d2cfd3644823e02994

SHA1
2e7794595de503d8cfc30bb35a66bfb70c52b734

SHA256
df969fd33b0dbcdc9c8db1922306e8741c92d4fdb0e1c61fbbf4c4ade71051e3

SHA512
2fcdf2a728a0bcafdb209d03b11bfa6ea9eca8b48d542abe4af2af61753d95b8db88cca7325aa059e2d3a8d61f154f8e0a02fc73e72df9041acb2be548602e26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c19afdf8f3df3661ad06f6cfa640f575

SHA1
08e94f96d3116ca5e7d9115f839f7c96c38d693d

SHA256
398023a7929ad16c3a28c1b6408e1e015d561e19d2b1f266e2beb00d4a29deb4

SHA512
1deee49a296401765e1c69aeb106de125fbe5014a000a120522f90555e9cd303441107c19f54a9b947fdd7f5eef643ff815f6dbbef5c3db1e8ea764cfc038be4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a541c.TMP

Filesize
48B

MD5
3bf18d5d2221e32049a9be6571629759

SHA1
fa83a93814a712edca10254b83ff4f56578347bc

SHA256
3bac07b79801c54f70e59459415232797434677f96792067c82c0be84fd9f6b5

SHA512
0fb1b30d0b0383587763080ddde622d606f3ca0079332303e7dc76188852ef43d34255773fa2988cee4808f2cb688cecbd5b45b62ae9308a1281fb9fb1b5ed17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
23KB

MD5
388fa81f55d68b7d732b13bf8c7c4969

SHA1
55bd1e0f60c71af479d3d889cb8332227c92fffd

SHA256
47e4bf45954d03da971ccf1181eb75e6db843488609fc4b50562c7bee3863a94

SHA512
5c5079e100f879595559f8e21fc55699b67c235f10b510b5541d67574f356d2ef04e3e066caf0e1834e2ecebaad7279a1edd908e9a4cf1ec95eee95c41320924

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
467B

MD5
4079aceea95d6dad6c1629becbf957a6

SHA1
2c909df78c9d36f6ace3b7166b47f04b9776d809

SHA256
01f6f1fa2471152eb161276d83853026ec7f3bfb9f6488d66bd529579159e743

SHA512
65e8eaae3b398172e1d3d7b8daa4c77fc346110f9bde417161c201978bab537db1f91b91ce115bd9dd5581cb844c0ddd6d87beb3b16207f85dcf75fe12956bac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
900B

MD5
4205f6a50ffb58f915797bcc79300a83

SHA1
c242bc554f9eebb79782437658d9c99c8c7f2f76

SHA256
e3805f5511cec878491a7d4c7118485dec78106fd9cbfff98e6e52325de17c6e

SHA512
a5a34b5123cc003a9984471d0e431a5b04879c927fc8dd2ed17d49bfa3c8837dad7e2cd8ed83b09cf6a78bfda0ac78c6b77669dba05322d79b348f5c4734e6b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
0f930404463c3daa7c37e73892f3afb7

SHA1
db663a8eca5b4da1d69c2acd89d8d3015932e78a

SHA256
adf3f962129c71a5b5ee57d75b91345a201bb79a5ed7bc0fe7f47541c62de52e

SHA512
5ae40d896421211987b95089559e61c6e53080370e4e24602ed65f6bb24e2d8c63791dac3abf696c46c83a4c6363cdd635f6c744d2cf06405cb3217e038678b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
52779f21240e35230a0f62161da30100

SHA1
61b660ce4f8922f09622eada756a71a0622eab0a

SHA256
4328ca30b922a655987434350c8139d42a7d35302e3a238a076d2753c46d2d23

SHA512
8d3790ca240a31321ec3040d915bb50c5bf38c98cfa0045e8f88b547cb3fc55aa2289db2d378353237ba940f51514b7dc89f236ec377aeb1166b6298e5d34114

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
517453600e570a20fa783318e8da3367

SHA1
3fba3ba69db22f71bb5bd33b5a99a6f9e359ab75

SHA256
40824a720ec0233c0238ccf3c161d6cfca6516e6837dc599a3f04d8e29dbd88a

SHA512
044f720bc8814101f446fc5d3d1a09b2a43046b114c2d138cb69ae71b950aef509625dc465ab9875ecc47281da20062677372236927a64f8da802c272081a5b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
ca92eaecbe7a062b3272a025c331a205

SHA1
03f415f5a1b87cae823b9397b41ff48ddf58fde5

SHA256
bddc8399af132a88f133994ce4b025b06124e018da408331853e5a7a83fc3a59

SHA512
f8c624633de89049b7deb2642eea5b2b5aa5287386ab6bba1cb1de6625609471cc083c6a264dd984763638ed206f0c9ee3478b21dc834933b1f04238247804e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
ee5935bb0d35fb30eaf31fcba2ccbc77

SHA1
08351a56ef7bff633e978cea2e44f120283f1262

SHA256
71273461852e97dfea2922d3a7c3663e89e91363012043a4eac370fa7839c601

SHA512
efa37c2cd838b719705bfc7dac1804f3090a4c0f70a349a40269b538d4156e549ce6a352943939474c13a0e799cd36b6fc66520a2a27a8d9a3e017767ef690c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
ee2c55e22ae6af8e869759ac70e21f17

SHA1
6f7324601aa7a0ee1806e72ac81a7a7c453815e8

SHA256
1361b46c91cae634c94e90e968890ea85919b2ece382cf31e1cf85020a89f099

SHA512
6a5d67b38087146d93071190b872b73f4951ab1700064f6ef2d1d5dbcd967232fa75f866eeea00861ef569387df8b904eef317bdca1947b81324d6040a1e382b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
0b7999e4a3ffc1f00cf973a3a0703d19

SHA1
0e86759edad1b621055e84871a3021a9388a5314

SHA256
376392ad30bc7a1f69af6592074df4e891bd70c6d3b59bab6f757653a109c9d8

SHA512
86142b33813bb105666c4cbac9ae84cb8a59f033884ef99785be3372d9581d3a43241ae1655666bc8b223da2b1f9d5c3dcf66f1a20ebe61354268780634fe0d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\crs.pb

Filesize
289KB

MD5
2b59269e7efdd95ba14eeb780dfb98c2

SHA1
b3f84cbc37a79eeecb8f1f39b615577d78600096

SHA256
ff2ced650772249abb57f6f19c5d0322d6df22c85c7cf2be193b6134e1b95172

SHA512
e4b454db2248021e0d198805ea54f1c0cfd84b9716a9348b1d0e0acb7c6fb5dd0839e532a5eb6d4410ab759d6688dd6cce8375ad55a150d738d280993142e9d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\ct_config.pb

Filesize
8KB

MD5
811b65320a82ebd6686fabf4bb1cb81a

SHA1
c660d448114043babec5d1c9c2584df6fab7f69b

SHA256
52687dd0c06f86a2298a4442ab8afa9b608271ec01a67217d7b58dab7e507bdf

SHA512
33350cce447508269b7714d9e551560553e020d6acf37a6a6021dc497d4008ce9e532dd615ad68872d75da22ac2039ef0b4fa70c23ec4b58043c468d5d75fd81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\kp_pinslist.pb

Filesize
11KB

MD5
0779206f78d8b0d540445a10cb51670c

SHA1
67f0f916be73bf5cffd3f4c4aa8d122c7d73ad54

SHA256
bf0945921058b9e67db61e6a559531af2f9b78d5fbedb0b411384225bdd366ec

SHA512
4140b2debe9c0b04e1e59be1387dca0e8e2f3cbc1f67830cbc723864acc2276cde9529295dcb4138fa0e2e116416658753fe46901dfa572bdfe6c7fb67bd8478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
919a82fc945bb84047a7f5620c1a06b2

SHA1
9e0443c60310a50dfcdb26cdf85cf3fd1b62ff7e

SHA256
f4050e34c5e298d0afff9b0316f1974705485adb1cc5d8599115851da5f16c99

SHA512
acf636abf2df878a29cf8cb4e4d6e726fd8e0e8d8773f362b6c41005df0effd26044a52052c8607a744c42d4868cba8fb0ffbda0556d6fe93daf0a0af28450f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
89a6df7ad332197437ae9d3aa472d2c0

SHA1
bfd455554d8a1b29de6b99e71c1950d18870acef

SHA256
295e74d90e0820d826d62b0cae200bc08dbf1f2a5d7f3727c35454f04c59db8d

SHA512
6fbc27e7b8e2d385b3569fb4a0ab00ef8557d7153092436c954ef500b5e37d1af6f9f3f3a245e3dc0173cc82245f3aeb7edf76331495a10f55f0dcf4312f3cd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
efea990124f56f7be38d79d1b552c965

SHA1
c9e4062f6683092f06bed5ab586d60dc9c0b48b4

SHA256
1a1f86a090218dcb2b8caad72a3b899340e7028417bebd3bf461dae269c1c468

SHA512
ce79775d4162427913df32703015e6225ae1360f4c9b319e4f6b2fba3b4d2720b3fde482c048c3e515eb12740f5341abad4fc384a180bbb9dc0e0b23a4d4e242

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
1480205b97bd13839b7ae837ce36de3d

SHA1
2ba897b921b5399bbeeaf8987a6ece1c65adb149

SHA256
58df36da1ddfbdca0a878e87f077fda4db7134dbf62448181419b430f1fa46db

SHA512
8a6436afab46baa28c360aaf5325234043cc6c360bea1f6781f25dd951a3df47d790f3e58f6268dbf32b104904c2f43d097dd63d96122f0d697ae02c681b4082

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe5a4c0e.TMP

Filesize
392B

MD5
a6d8ba404bdac741199be49e155e881f

SHA1
e21a29995e374409171b472175fe609d37e052f3

SHA256
ed75563ec6aeec4d7c862238656a8ba478266b1f0011cb0cb6452656bef2f294

SHA512
e5e38678d47b85fc0b2fc98689946cb2a0bd63c8f482d1098f665167c857d5774ed216a7e9b5869951d84b1ec67800546597a2c6f3cfba9aec33e1bc5b8aa0e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.26.1\typosquatting_list.pb

Filesize
628KB

MD5
7c411ccffc2c011ba155c4bae74c9217

SHA1
6e0f96399bea0c45b188caf7c11b2549a2bbb551

SHA256
71529860ca9874c1b29017b1b4846986d14f51f9f60dcbd8c7af7559cc0e0ac8

SHA512
cbeba7735948e9565f4d7ee462366693a6915758486c5d7a84a4d6eaf0bcac948f579e91d883e1d6ffa27268acd10db86f02d7f9111837c757349e8cfa8fc0da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Well Known Domains\1.2.0.0\well_known_domains.dll

Filesize
572KB

MD5
f5f5b37fd514776f455864502c852773

SHA1
8d5ed434173fd77feb33cb6cb0fad5e2388d97c6

SHA256
2778063e5ded354d852004e80492edb3a0f731b838bb27ba3a233bc937592f6e

SHA512
b0931f1cae171190e6ec8880f4d560cc7b3d5bffe1db11525bd133eaf51e2e0b3c920ea194d6c7577f95e7b4b4380f7845c82eb2898ad1f5c35d4550f93a14b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
63650a9b391d0e4879e89a8aec714ad2

SHA1
d2d5d32bda65c4ae11e8d6a8e84b50b223b39ea7

SHA256
6ad38a6450371c44f3daba9750dcd158b050c07cdc2d7ec8b3ce132f62a6f4c9

SHA512
3fab5e10ffd04d515ffc7f667c2d75359ee781f8ecc8de94fcd7b5464c4c70ff4403f82457b81f91e53f191a06be409d873c4c6ab4ba4645baaf71fb6e1d359b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hoz5hrti.roc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Axam.exe

Filesize
11KB

MD5
0fbf8022619ba56c545b20d172bf3b87

SHA1
752e5ce51f0cf9192b8fa1d28a7663b46e3577ff

SHA256
4ae7d63ec497143c2acde1ba79f1d9eed80086a420b6f0a07b1e2917da0a6c74

SHA512
e8d44147609d04a1a158066d89b739c00b507c8ff208dac72fdc2a42702d336c057ae4b77c305f4ccdfe089665913098d84a3160a834aaebe41f95f4b4bfddeb

Download Submit
C:\Users\Admin\Desktop\New Text Document.bat

Filesize
90B

MD5
5a128befd21a89bd0e0e839453dfc2d6

SHA1
fe822d08f22d93a1edf28ebc571a2fe2460f6a2e

SHA256
af8fd6a31e8896937f61ce0d99cf9b16c671a4234c48a993934aad22ebb51cc7

SHA512
0f6488d3dbd0e27cbacc1b5f7fbc4f56b0ae328ff65b20e48b25e764ce72a44374357d5c71ea2998b8611eddc948805c4187da503f163cfc9ab2a5a278d58f1a

Download Submit
C:\Users\Admin\Desktop\New Text Document.bat

Filesize
47B

MD5
5bf933c9b972e1a8f204c7a4b60a6471

SHA1
f14b7404c861511e02a8daee5982c149c23b76aa

SHA256
62aa1a70ef74c3c76bd46480b2968ed39a69b783a62fd1e3fe02612c9352c00f

SHA512
6967d6610893f9daae7b6e1ec807ec1cb516208f56c0fa18b5921b1d50d23aeb7eee3127d5cff0cb1f2010141a7f1d7f33c829a94974b0d80aa90529751c5c96

Download Submit
C:\Users\Admin\Desktop\New Text Document.bat

Filesize
118B

MD5
17d88abe74779f969468e080e5ded54f

SHA1
c38fa66b89e3b0ede0a537bf1f63a71f75c3c8bb

SHA256
d42fb544186587d7222b571b70a537d2b8959714acd31e9adda11dac5189f044

SHA512
23fce8b3d92a0ed8e403534cc4a125bfaf42ff010f92db69d524ebde2b5a9c1b776880e7b32dcf74fd78212ac2a92e75255cd78750b19d3c0e303dae9f3ad7e3

Download Submit
C:\Users\Admin\Desktop\Sharoon 1.exe

Filesize
80KB

MD5
cbcd34a252a7cf61250b0f7f1cba3382

SHA1
152f224d66555dd49711754bf4e29a17f4706332

SHA256
abac285f290f0cfcd308071c9dfa9b7b4b48d10b4a3b4d75048804e59a447787

SHA512
09fdcb04707a3314e584f81db5210b2390f4c3f5efa173539f9d248db48ae26b3a8b240cf254561b0ecb764f6b04bb4c129832c6502d952d1960e443371ce2a9

Download Submit
C:\Users\Admin\Desktop\Sharoon 100.exe

Filesize
119B

MD5
d6174dce867e791a3a08df6b8b772598

SHA1
b777cc1c3538f92212c36d8bdf5665b5e0976b0f

SHA256
47b92d9da91c884b7cb01ba401b5591c7b5cec7d24abc2b08a2d72a86eca8576

SHA512
cb1c36e8297cea3f173263d3a01d00c5cb2669a2d13a3fb1849132bb345400ed9be5affdade63fcd5eddafdfa6990e868befe02d37777f9995ed4272371bb937

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.dll

Filesize
2.4MB

MD5
7e76f7a5c55a5bc5f5e2d7a9e886782b

SHA1
fc500153dba682e53776bef53123086f00c0e041

SHA256
abd75572f897cdda88cec22922d15b509ee8c840fa5894b0aecbef6de23908a3

SHA512
0318e0040f4dbf954f27fb10a69bce2248e785a31d855615a1eaf303a772ad51d47906a113605d7bfd3c2b2265bf83c61538f78b071f85ee3c4948f5cde3fb24

Download Submit
C:\Windows\Messenger.exe

Filesize
50KB

MD5
47abd68080eee0ea1b95ae31968a3069

SHA1
ffbdf4b2224b92bd78779a7c5ac366ccb007c14d

SHA256
b5fc4fd50e4ba69f0c8c8e5c402813c107c605cab659960ac31b3c8356c4e0ec

SHA512
c9dfabffe582b29e810db8866f8997af1bd3339fa30e79575377bde970fcad3e3b6e9036b3a88d0c5f4fa3545eea8904d9faabf00142d5775ea5508adcd4dc0a

Download Submit
C:\Windows\SysWOW64\No Call List.exe

Filesize
12KB

MD5
cb0f7b3fd927cf0d0ba36302e6f9af86

SHA1
32bdc349a35916e8991e69e9be1bd2596b6321cc

SHA256
9b3f73a12a793d1648f3209e1e3f10bbb548b1ec21d53b8ac060b7b95ae4ef1f

SHA512
e6152f3645d73c63f3f3aa9881fe8b404f9794b14a8ecaea659621828462baf042c13c88bb7f2c32277fa854ceda3056d09aa5603e92b107c6c8194464154252

Download Submit
C:\Windows\SysWOW64\WIN45BD.pif

Filesize
89KB

MD5
e79d0b1a342712ea9b96104086149d65

SHA1
a10177aafebb035e104eb22d30bdacb3894e0e1e

SHA256
e68ebecd17bb8e91079bd4fe9bd24059a2bc007b4baac477127eda7c5d5c6706

SHA512
f8cf1b773024784fe28f29af2200ad1d8f333b0dc251a1d39bef5a988c0c08c24328a6d9bbeea0370454c46c76835887f4792a55ec4f21608fa60b26977f27bf

Download Submit
C:\Windows\SysWOW64\Winkxr.exe

Filesize
86KB

MD5
d3b56124457580e3d9decbd08782ff16

SHA1
661a45828e948726292cb3c8620145c66e796b27

SHA256
e750c949b3bdfba9a0aac22e109888d97b6dfa6f4261ecf71508e01df40f4ba1

SHA512
297082d84e5607de53560771d77d857f19499ba266e2a73fb422543a3743a638a984473b38c10ccc1ac1b8aaec76d6f2fd208a8c885aa2b56f08e0071d121d20

Download Submit
C:\Windows\SysWOW64\shimgapi.dll

Filesize
4KB

MD5
8750df7c3d110ebc870f7afe319426e6

SHA1
a770fff05a829f666517a5f42e44785d6f0b4ae7

SHA256
fa3f934083746a702de18b927284f0145d4b82a92f2111693e93a4f762b50c00

SHA512
dfcbc2ba358ec40143e842d5242781a59943e646f50c41010a8cc4e2c5a15d5b19dcd2ee9556a0317ca73283e84d1f9d1b0b8b7470b493fe38e4e027336b8a2a

Download Submit
C:\Windows\System\AVupdate.exe

Filesize
44KB

MD5
e6f8f701d646b193139cf0a92229455f

SHA1
b7747d41fcf52c3611af1153e46183dacbb3c709

SHA256
7e89fabfdbe214bf6a6f9730f3e451e69f752b62bbd54c0a81d2aae2320abd2c

SHA512
135d69ed4b3acdeaf45639090cefd48fa02f9ff1fb168d249717d0e2d3295530b697d8ff3fea84fa20a66aeb99437e5b0f2a2c3936f2a109c1068816263003ae

Download Submit
C:\Windows\System\xanax.exe

Filesize
33KB

MD5
df24e1ccceb3c75dada950a1c1abca4d

SHA1
dc8120829a5593a3246d7bad126420282feaabca

SHA256
910c03d210381f0443bfcefe682717f28378dcfe5415071dd127a9837a97b0a6

SHA512
0df46654815eaeb13eca7e2bcd0fff6c62f34ddebe237dda41fc8dabfbf3512ceb12ef06a7c2bf9fcc52e0a4f87a886743b541d5b5b616eb9954e83892c429c7

Download Submit
C:\Windows\erxdeu.txt

Filesize
367B

MD5
6d1c6014bb4602f3364213260f674397

SHA1
dd1fbd5fabadac0ffe9fa6bc09b86f9bacc586c7

SHA256
87d17b7f0c94d93c6d339ceab31c6aa7d965185413444c5218c7ca3267ab96c5

SHA512
3f86e5dd5754e1bfdc95353cac8945cb6a2edf6b3d9f83b69214933abf92d15809c4dc1d9b155a154984a1e544b0add655886484db66eaba0deb618470e2c021

Download Submit
C:\Windows\naked.jpg.exe

Filesize
38KB

MD5
63db723516db09bf837938254e8cb1d3

SHA1
259b45f1b6ef457e1f41f3ea3844bc6da41d97cc

SHA256
1772928750d316f1046f5e83a73fa3e121686ccfebdca9496e5a62c2c5af23d4

SHA512
59e57b9ea82e30232a4e6cdc3e0723290788b6b0eb4a6c636c48048d4aa71bdf7c6d344995700e5ba9e62a03217c35acf7efaf1d3147e3afa2ddccbaaa14e00f

Download Submit
C:\Windows\owntwr.exe

Filesize
26KB

MD5
d9ce0273f791da275ed2a69446413a87

SHA1
38cf7ea93d74fb770bfba766845cf29bef0169df

SHA256
aa2e8d70654e30cf11e2b57e92cea72a9823a048f75fc9029da04e1e4d8a9810

SHA512
a521b2a55207c9996c0399bc0403c0865c23bf7457b5cfa80d0bec2c2eeb898a30599d99dda15ece4aa5db405c46ea4183d4b3bac20a3d5836775efccedd0f8e

Download Submit
C:\Windows\qpoii.txt

Filesize
535B

MD5
566a1954d079696e656dd8ff89815032

SHA1
2f03676a496517e33df2382f67c415b4b5382496

SHA256
7c8137c53a4db6051fb81adcdc5424e6795eba65f1c8ea9659f0de814c6cedb2

SHA512
26c6d43fe8927dc721866cf6041c63bea46b56958b40b02ab62a59ffd79d81a6ce1912dfb8220341190a86389ae64abcebddcc5268173b5f16e67ea8d8a005d7

Download Submit
\??\c:\Windows\SysWOW64\regme.reg

Filesize
126B

MD5
1065f6f41c70e40297555b6d1878e823

SHA1
18b6b3b6da306b12c7b1f197d6242d2f66703023

SHA256
ab59535ddcea09a82c549ab4f72e0459cc57e41f5b887c42afde0a1dc1ae9947

SHA512
25aac67f601ad21878bd0c92bec8e68433dbdb05621f74d5d23c0b0db1960313e695ce6082abaa82e7ab922323e1fbdd0f9a484ae2cf01abecf431cb4bee5ea8

Download Submit
\??\c:\windows\jk.bat

Filesize
3KB

MD5
a725af7c07b52549023be73328e55809

SHA1
c9d8072aaac80f6cf1edfaeaba6c934196631c81

SHA256
e009a52eeb2138531c799905010f7677b0fdd4190abe4ac0a25e0e15eb30d865

SHA512
d4cd904da5c6a5c6112d212b218abc76429da0e4d6382f4fbd9ca51a976eedef26e202607ff6041c4de7e9db783f62e5a24ee560fed068945aef69fa5491a3ce

Download Submit
memory/376-2281-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/380-2275-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1172-2291-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1172-6772-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1704-2282-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2388-15156-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2436-2290-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2436-6771-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3732-9820-0x0000000002600000-0x000000000286B000-memory.dmp

Filesize
2.4MB

Download
memory/4304-6970-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4304-6770-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4588-72-0x00000209E1340000-0x00000209E1362000-memory.dmp

Filesize
136KB

Download
memory/4588-83-0x00000209FA7D0000-0x00000209FA846000-memory.dmp

Filesize
472KB

Download
memory/4588-82-0x00000209F9730000-0x00000209F9774000-memory.dmp

Filesize
272KB

Download
memory/4840-20709-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4896-9959-0x0000000001FA0000-0x000000000220B000-memory.dmp

Filesize
2.4MB

Download
memory/4896-46143-0x0000000001FA0000-0x000000000220B000-memory.dmp

Filesize
2.4MB

Download
memory/5168-2276-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5168-5826-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5764-46145-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5932-8301-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/5932-10960-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/6596-5825-0x000000007E1A0000-0x000000007E1A7000-memory.dmp

Filesize
28KB

Download
memory/6596-5824-0x00000000004A0000-0x00000000004AD000-memory.dmp

Filesize
52KB

Download
memory/7340-6769-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/7340-32317-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/7728-46142-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/8012-9286-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/9372-15157-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/10116-31090-0x0000000000180000-0x00000000005E4000-memory.dmp

Filesize
4.4MB

Download
memory/10116-34391-0x000000001C460000-0x000000001C468000-memory.dmp

Filesize
32KB

Download
memory/10116-35050-0x000000001C4A0000-0x000000001C4AE000-memory.dmp

Filesize
56KB

Download
memory/10116-35049-0x0000000020B70000-0x0000000020BA8000-memory.dmp

Filesize
224KB

Download
memory/10204-22609-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/10584-33277-0x000000001B540000-0x000000001BA0E000-memory.dmp

Filesize
4.8MB

Download
memory/10584-33859-0x000000001BC70000-0x000000001BCBC000-memory.dmp

Filesize
304KB

Download
memory/10584-33804-0x00000000008D0000-0x00000000008D8000-memory.dmp

Filesize
32KB

Download
memory/10584-33330-0x000000001BB10000-0x000000001BBAC000-memory.dmp

Filesize
624KB

Download
memory/10584-33238-0x000000001AFC0000-0x000000001B066000-memory.dmp

Filesize
664KB

Download
memory/12212-40381-0x0000000005B70000-0x0000000006114000-memory.dmp

Filesize
5.6MB

Download
memory/12212-40392-0x0000000005740000-0x000000000574A000-memory.dmp

Filesize
40KB

Download
memory/12212-40383-0x00000000056A0000-0x0000000005732000-memory.dmp

Filesize
584KB

Download
memory/12212-40380-0x0000000000DF0000-0x0000000000E00000-memory.dmp

Filesize
64KB

Download
memory/16716-49497-0x00007FF6F33F0000-0x00007FF6F3457000-memory.dmp

Filesize
412KB

Download
memory/16832-49710-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download