hxxps://github[.]com/MalwareStudio/CLUTT6[.]6[.]6---BY-CYBER-SOLDIER

Analysis

max time kernel
357s
max time network
360s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
27/03/2025, 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/MalwareStudio/CLUTT6.6.6---BY-CYBER-SOLDIER

Score

10^/10

bootkit defense_evasion discovery exploit persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "satan"	Clutt6.6.6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "satan"	Clutt6.6.6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "satan"	Clutt6.6.6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "satan"	Clutt6.6.6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "satan"	Clutt6.6.6.exe

Disables RegEdit via registry modification 5 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Clutt6.6.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Clutt6.6.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Clutt6.6.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Clutt6.6.6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Clutt6.6.6.exe

Disables Task Manager via registry modification
defense_evasion

Possible privilege escalation attempt 30 IoCs

exploit

pid	Process
5464	icacls.exe
2056	icacls.exe
5804	icacls.exe
5488	takeown.exe
5828	icacls.exe
3576	takeown.exe
4552	takeown.exe
2876	icacls.exe
1044	icacls.exe
4980	takeown.exe
5804	takeown.exe
328	takeown.exe
3676	takeown.exe
6100	icacls.exe
3576	icacls.exe
5936	icacls.exe
4172	icacls.exe
4368	takeown.exe
5468	takeown.exe
2824	icacls.exe
5348	takeown.exe
4916	icacls.exe
1160	takeown.exe
5320	icacls.exe
3872	icacls.exe
3516	icacls.exe
4504	takeown.exe
4844	takeown.exe
2724	takeown.exe
2240	takeown.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	Clutt6.6.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	Clutt6.6.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	Clutt6.6.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	Clutt6.6.6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	Clutt6.6.6.exe

Executes dropped EXE 6 IoCs

pid	Process
1132	Clutt6.6.6.exe
4012	Clutt6.6.6.exe
1672	Clutt6.6.6.exe
412	Clutt6.6.6.exe
5788	Clutt6.6.6.exe
1052	Clutt6.6.6.exe

Loads dropped DLL 1 IoCs

pid	Process
3076	msedge.exe

Modifies file permissions 1 TTPs 30 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1044	icacls.exe
5348	takeown.exe
2056	icacls.exe
6100	icacls.exe
328	takeown.exe
4172	icacls.exe
4980	takeown.exe
2724	takeown.exe
5804	icacls.exe
2876	icacls.exe
4916	icacls.exe
1160	takeown.exe
5320	icacls.exe
5828	icacls.exe
5804	takeown.exe
3576	takeown.exe
3516	icacls.exe
5488	takeown.exe
4844	takeown.exe
5468	takeown.exe
3872	icacls.exe
4552	takeown.exe
2824	icacls.exe
5464	icacls.exe
2240	takeown.exe
3676	takeown.exe
3576	icacls.exe
4504	takeown.exe
5936	icacls.exe
4368	takeown.exe

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Clutt6.6.6.exe
File opened for modification	\??\PhysicalDrive0	Clutt6.6.6.exe
File opened for modification	\??\PhysicalDrive0	Clutt6.6.6.exe
File opened for modification	\??\PhysicalDrive0	Clutt6.6.6.exe
File opened for modification	\??\PhysicalDrive0	Clutt6.6.6.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\devmgmt.msc	mmc.exe
File opened for modification	C:\Windows\system32\eventvwr.msc	mmc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Temp\stretch.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\wind_edit.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\wind_snd.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\tunnel.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\stretch.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\mirror_snd.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\wind_snd.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\crossHD_small.ico	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\mirror_snd.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\stretch.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\mirror_snd.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\clutterus_ico.ico	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\wind_edit.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\crossHD_medium.ico	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\tunnel.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\crossHD_small.ico	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\static_color.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\rainbow_snd.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\plg.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\crossHD_medium.ico	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\wind_short.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\clutterus_ico.ico	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\crossHD_medium.ico	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\invert_snd.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\rainbow_snd.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\clutterus_ico.ico	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\clutterus_ico.ico	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\mirror_snd.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\tunnel.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\invert_snd.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\wind_short.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\crossHD_small.ico	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\plg.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\wind_snd.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\mirror_snd.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\stretch.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\wind_edit.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\invert_snd.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\invert_snd.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\plg.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\wind_snd.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\static_color.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\static_color.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\wind_short.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\clutterus_ico.ico	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\crossHD_medium.ico	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\crossHD_small.ico	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\wind_short.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\wind_short.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\wind_snd.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\rainbow_snd.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\wind_edit.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\tunnel.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\crossHD_small.ico	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\wind_edit.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\static_color.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\crossHD_medium.ico	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\plg.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\rainbow_snd.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\rainbow_snd.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\plg.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\invert_snd.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\static_color.wav	Clutt6.6.6.exe
File opened for modification	C:\Program Files\Temp\stretch.wav	Clutt6.6.6.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1879320680\_locales\zh_HK\messages.json	msedge.exe
File created	C:\Windows\INF\c_monitor.PNF	mmc.exe
File created	C:\Windows\INF\c_firmware.PNF	mmc.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_611137347\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1879320680\_locales\en_US\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1879320680\_locales\sl\messages.json	msedge.exe
File created	C:\Windows\INF\c_extension.PNF	mmc.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1205712226\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_165326391\manifest.json	msedge.exe
File created	C:\Windows\INF\c_apo.PNF	mmc.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1879320680\128.png	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_775920306\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_2101280854\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1879320680\_locales\pl\messages.json	msedge.exe
File created	C:\Windows\INF\remoteposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_fscfsmetadataserver.PNF	mmc.exe
File created	C:\Windows\INF\c_fshsm.PNF	mmc.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1879320680\_locales\ro\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1205712226\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1143872580\hyph-af.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1143872580\hyph-ga.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1143872580\hyph-mr.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_2101280854\Part-NL	msedge.exe
File created	C:\Windows\INF\c_volume.PNF	mmc.exe
File created	C:\Windows\INF\c_fscopyprotection.PNF	mmc.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1143872580\hyph-de-ch-1901.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_907174914\data.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1143872580\hyph-as.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1143872580\hyph-gl.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1143872580\hyph-hu.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1143872580\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_2101280854\adblock_snippet.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1879320680\_locales\zh_CN\messages.json	msedge.exe
File created	C:\Windows\INF\c_fsopenfilebackup.PNF	mmc.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1879320680\_locales\th\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1879320680\_locales\fa\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_644024385\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_2101280854\Part-ES	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1879320680\_locales\si\messages.json	msedge.exe
File created	C:\Windows\INF\c_fsphysicalquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\rawsilo.PNF	mmc.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1143872580\hyph-lt.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1143872580\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1879320680\_locales\en\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1879320680\_locales\es\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1143872580\hyph-cy.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1143872580\hyph-sl.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1879320680\_locales\hy\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1879320680\_locales\gu\messages.json	msedge.exe
File created	C:\Windows\INF\c_scmdisk.PNF	mmc.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1143872580\hyph-it.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1879320680\_locales\uk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1879320680\_locales\hi\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1879320680\_locales\ml\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1879320680\_locales\hu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1879320680\_locales\fil\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1143872580\hyph-es.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1143872580\hyph-sv.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1879320680\_locales\kn\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_644024385\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_2101280854\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1879320680\_locales\pt_BR\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1879320680\_locales\cy\messages.json	msedge.exe
File created	C:\Windows\INF\c_processor.PNF	mmc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 20 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	mmc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133875688152628717"	msedge.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zG.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-73851796-4078923053-1419757224-1000\{6F3808A4-AAA1-4998-B3BE-E37B8A649E10}	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3416	NOTEPAD.EXE
2112	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1004	msedge.exe
1004	msedge.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe
1132	Clutt6.6.6.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
2044	OpenWith.exe
5324	OpenWith.exe
2676	7zG.exe
3960	mmc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
4968	mmc.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeRestorePrivilege	2676	7zG.exe
Token: 35	2676	7zG.exe
Token: SeSecurityPrivilege	2676	7zG.exe
Token: SeSecurityPrivilege	2676	7zG.exe
Token: SeRestorePrivilege	1196	7zG.exe
Token: 35	1196	7zG.exe
Token: SeSecurityPrivilege	1196	7zG.exe
Token: SeSecurityPrivilege	1196	7zG.exe
Token: SeDebugPrivilege	1132	Clutt6.6.6.exe
Token: SeDebugPrivilege	1132	Clutt6.6.6.exe
Token: SeTakeOwnershipPrivilege	4844	takeown.exe
Token: SeTakeOwnershipPrivilege	4368	takeown.exe
Token: SeTakeOwnershipPrivilege	5804	takeown.exe
Token: SeDebugPrivilege	4012	Clutt6.6.6.exe
Token: SeDebugPrivilege	4012	Clutt6.6.6.exe
Token: 33	3228	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3228	AUDIODG.EXE
Token: SeDebugPrivilege	1672	Clutt6.6.6.exe
Token: SeDebugPrivilege	1672	Clutt6.6.6.exe
Token: SeDebugPrivilege	412	Clutt6.6.6.exe
Token: SeDebugPrivilege	412	Clutt6.6.6.exe
Token: SeDebugPrivilege	1052	Clutt6.6.6.exe
Token: SeDebugPrivilege	1052	Clutt6.6.6.exe
Token: SeShutdownPrivilege	4552	control.exe
Token: SeCreatePagefilePrivilege	4552	control.exe
Token: 33	3960	mmc.exe
Token: SeIncBasePriorityPrivilege	3960	mmc.exe
Token: 33	3960	mmc.exe
Token: SeIncBasePriorityPrivilege	3960	mmc.exe
Token: SeSecurityPrivilege	4968	mmc.exe
Token: 33	4968	mmc.exe
Token: SeIncBasePriorityPrivilege	4968	mmc.exe
Token: 33	4968	mmc.exe
Token: SeIncBasePriorityPrivilege	4968	mmc.exe
Token: 33	4968	mmc.exe
Token: SeIncBasePriorityPrivilege	4968	mmc.exe
Token: 33	4968	mmc.exe
Token: SeIncBasePriorityPrivilege	4968	mmc.exe
Token: 33	4968	mmc.exe
Token: SeIncBasePriorityPrivilege	4968	mmc.exe
Token: 33	4968	mmc.exe
Token: SeIncBasePriorityPrivilege	4968	mmc.exe
Token: 33	4968	mmc.exe
Token: SeIncBasePriorityPrivilege	4968	mmc.exe
Token: 33	4968	mmc.exe
Token: SeIncBasePriorityPrivilege	4968	mmc.exe
Token: 33	4968	mmc.exe
Token: SeIncBasePriorityPrivilege	4968	mmc.exe
Token: 33	4968	mmc.exe
Token: SeIncBasePriorityPrivilege	4968	mmc.exe
Token: 33	4968	mmc.exe
Token: SeIncBasePriorityPrivilege	4968	mmc.exe
Token: 33	4968	mmc.exe
Token: SeIncBasePriorityPrivilege	4968	mmc.exe
Token: 33	4968	mmc.exe
Token: SeIncBasePriorityPrivilege	4968	mmc.exe
Token: 33	4968	mmc.exe
Token: SeIncBasePriorityPrivilege	4968	mmc.exe
Token: 33	4968	mmc.exe
Token: SeIncBasePriorityPrivilege	4968	mmc.exe
Token: 33	4968	mmc.exe
Token: SeIncBasePriorityPrivilege	4968	mmc.exe
Token: SeSecurityPrivilege	4968	mmc.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
2676	7zG.exe
1196	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe

Suspicious use of SetWindowsHookEx 46 IoCs

pid	Process
2044	OpenWith.exe
2044	OpenWith.exe
2044	OpenWith.exe
2044	OpenWith.exe
2044	OpenWith.exe
2044	OpenWith.exe
2044	OpenWith.exe
2044	OpenWith.exe
2044	OpenWith.exe
2044	OpenWith.exe
2044	OpenWith.exe
2044	OpenWith.exe
2044	OpenWith.exe
2044	OpenWith.exe
2044	OpenWith.exe
2044	OpenWith.exe
2044	OpenWith.exe
5324	OpenWith.exe
5324	OpenWith.exe
5324	OpenWith.exe
5324	OpenWith.exe
5324	OpenWith.exe
5324	OpenWith.exe
5324	OpenWith.exe
5324	OpenWith.exe
5324	OpenWith.exe
5324	OpenWith.exe
5324	OpenWith.exe
5324	OpenWith.exe
5324	OpenWith.exe
5324	OpenWith.exe
5324	OpenWith.exe
5324	OpenWith.exe
5324	OpenWith.exe
2056	OpenWith.exe
2056	OpenWith.exe
2056	OpenWith.exe
6064	mspaint.exe
6064	mspaint.exe
6064	mspaint.exe
6064	mspaint.exe
3960	mmc.exe
3960	mmc.exe
4968	mmc.exe
4968	mmc.exe
5700	SecHealthUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 3200	3076	msedge.exe	82
PID 3076 wrote to memory of 3200	3076	msedge.exe	82
PID 3076 wrote to memory of 6044	3076	msedge.exe	83
PID 3076 wrote to memory of 6044	3076	msedge.exe	83
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 2936	3076	msedge.exe	84
PID 3076 wrote to memory of 5252	3076	msedge.exe	85
PID 3076 wrote to memory of 5252	3076	msedge.exe	85
PID 3076 wrote to memory of 5252	3076	msedge.exe	85
PID 3076 wrote to memory of 5252	3076	msedge.exe	85
PID 3076 wrote to memory of 5252	3076	msedge.exe	85
PID 3076 wrote to memory of 5252	3076	msedge.exe	85
PID 3076 wrote to memory of 5252	3076	msedge.exe	85
PID 3076 wrote to memory of 5252	3076	msedge.exe	85
PID 3076 wrote to memory of 5252	3076	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/MalwareStudio/CLUTT6.6.6---BY-CYBER-SOLDIER
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x30c,0x7ff88813f208,0x7ff88813f214,0x7ff88813f220
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1936,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2164,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2504,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=2552 /prefetch:8
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3472,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3476,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4776,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4780,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5404,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5412,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5412,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6120,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=6192 /prefetch:8
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5924,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=6360,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6188,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=6228 /prefetch:8
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6164,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=6800 /prefetch:8
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=604,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=6828 /prefetch:8
  2⤵
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2568,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=6948 /prefetch:8
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6328,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=6968 /prefetch:8
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5088,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4984,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3980,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5832,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=1420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1420,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=2028 /prefetch:8
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5588,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=3200 /prefetch:8
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4904,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=3280 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4972,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=6960 /prefetch:8
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=776,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=6776 /prefetch:8
  2⤵
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6204,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=6800 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6292,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6952,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3668,i,1183029689531376318,17023707835698108181,262144 --variations-seed-version --mojo-platform-channel-handle=6492 /prefetch:8
  2⤵
  PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:6104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1392

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2044
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\6f470a78-83fd-4cc1-b550-831c60841740_CLUTT6.6.6---BY-CYBER-SOLDIER-main.zip.740\CLUTT6.6.6---BY-CYBER-SOLDIER-main\README.md
  2⤵
  PID:2584

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5324

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2056

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\clutt6.6.6 - by CYBER SOLDIER\" -ad -an -ai#7zMap20143:116:7zEvent869
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2676

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\clutt6.6.6 - by CYBER SOLDIER\README!.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3416

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\clutt6.6.6 - by CYBER SOLDIER\" -ad -an -ai#7zMap28083:116:7zEvent18242
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1196

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\clutt6.6.6 - by CYBER SOLDIER\README!.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2112

C:\Users\Admin\Desktop\clutt6.6.6 - by CYBER SOLDIER\Clutt6.6.6.exe
"C:\Users\Admin\Desktop\clutt6.6.6 - by CYBER SOLDIER\Clutt6.6.6.exe"
1⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F" && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && takeown /f C:\Windows\System32\Boot && icacls C:\Windows\System32\Boot /grant "%username%:F" && exit
  2⤵
  PID:2876
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32 /grant "Admin:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4172
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4368
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers /grant "Admin:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5828
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\Boot
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5804
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\Boot /grant "Admin:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4916

C:\Users\Admin\Desktop\clutt6.6.6 - by CYBER SOLDIER\Clutt6.6.6.exe
"C:\Users\Admin\Desktop\clutt6.6.6 - by CYBER SOLDIER\Clutt6.6.6.exe"
1⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F" && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && takeown /f C:\Windows\System32\Boot && icacls C:\Windows\System32\Boot /grant "%username%:F" && exit
  2⤵
  PID:2384
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1160
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32 /grant "Admin:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5320
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5468
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers /grant "Admin:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1044
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\Boot
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3576
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\Boot /grant "Admin:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3872

C:\Users\Admin\Desktop\clutt6.6.6 - by CYBER SOLDIER\Clutt6.6.6.exe
"C:\Users\Admin\Desktop\clutt6.6.6 - by CYBER SOLDIER\Clutt6.6.6.exe"
1⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F" && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && takeown /f C:\Windows\System32\Boot && icacls C:\Windows\System32\Boot /grant "%username%:F" && exit
  2⤵
  PID:2060
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4980
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32 /grant "Admin:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2824
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4552
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers /grant "Admin:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5464
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\Boot
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5348
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\Boot /grant "Admin:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2056

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f8 0x4d4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\LimitUndo.ico"
1⤵
- Suspicious use of SetWindowsHookEx
PID:6064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:5292

C:\Users\Admin\Desktop\clutt6.6.6 - by CYBER SOLDIER\Clutt6.6.6.exe
"C:\Users\Admin\Desktop\clutt6.6.6 - by CYBER SOLDIER\Clutt6.6.6.exe"
1⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F" && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && takeown /f C:\Windows\System32\Boot && icacls C:\Windows\System32\Boot /grant "%username%:F" && exit
  2⤵
  PID:3740
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2724
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32 /grant "Admin:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5804
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:328
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers /grant "Admin:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3516
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\Boot
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2240
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\Boot /grant "Admin:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:6100

C:\Users\Admin\Desktop\clutt6.6.6 - by CYBER SOLDIER\Clutt6.6.6.exe
"C:\Users\Admin\Desktop\clutt6.6.6 - by CYBER SOLDIER\Clutt6.6.6.exe"
1⤵
- Executes dropped EXE
PID:5788

C:\Users\Admin\Desktop\clutt6.6.6 - by CYBER SOLDIER\Clutt6.6.6.exe
"C:\Users\Admin\Desktop\clutt6.6.6 - by CYBER SOLDIER\Clutt6.6.6.exe"
1⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F" && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && takeown /f C:\Windows\System32\Boot && icacls C:\Windows\System32\Boot /grant "%username%:F" && exit
  2⤵
  PID:3532
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3676
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32 /grant "Admin:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:3576
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\drivers
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4504
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\drivers /grant "Admin:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5936
- - C:\Windows\system32\takeown.exe
    takeown /f C:\Windows\System32\Boot
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5488
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\Boot /grant "Admin:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2876

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.DeviceManager
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4552
- C:\Windows\system32\mmc.exe
  "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3960

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:4008

C:\Windows\system32\eventvwr.exe
"C:\Windows\system32\eventvwr.exe"
1⤵
PID:3204
- C:\Windows\system32\mmc.exe
  "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: SetClipboardViewer
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4968

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5700

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:4852

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:4360

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:5012

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Temp\clutterus_ico.ico

Filesize
66KB

MD5
ea13cdd199f0ecafe05830524144da89

SHA1
064432579aa36dfd4af297407fd44b03f95c30e5

SHA256
73294bfa3e0b060180da471fdb8e5032ebbc69d498e7b9549ef2529d85453e1f

SHA512
8fb1d3627e740070706ca93e782d471204545b5b9303cd72822f3cdeef1012ca75350b61910a1920c75a8e3e41a905e0b95b098e1f5dbefc01daa4b727284991

Download Submit
C:\Program Files\Temp\crossHD_medium.ico

Filesize
37KB

MD5
cb6288cf95587d1ec97926d01b0822fa

SHA1
fa6e750f0035ec27928b0a709717a9066000bb34

SHA256
9c0bd298965c55f79475400609831002c6881c610145af14494b9b4767df0ffe

SHA512
943d6b463ef69dc3d9a4b606e98137439c1bb5a579ed96ecf5d8be5c5d6722124e55e1b6608e357b3fb0be66496a0c62bdf8e8a150c6064bed41e55d413bd5a3

Download Submit
C:\Program Files\Temp\crossHD_small.ico

Filesize
9KB

MD5
6e014cd95b9a2c614fe970372143edde

SHA1
66b88afc082feba369b9dedc60594d7b4333b338

SHA256
152ed7058b18491e08d7fd9a05f9acd5790f96304e31c6a2f2fb6406b5173f0a

SHA512
28d22814190df1cab9318b1f30b94bad35dc44aa1b51372eaa81026d153e77426c95090fe57eb539d8a4de9d8470f8310ed0b98a12455946c10f2e1486433bae

Download Submit
C:\Program Files\Temp\invert_snd.wav

Filesize
92KB

MD5
e92af8ccdea796d91d23129abb1e43eb

SHA1
6a0f3dd62820badfbf985e911e78091fd8e243ae

SHA256
5a4ed094e9d37496f2b394ba6656209a153160fc17088c8da94f45dc34d77ab0

SHA512
df0ec5976c78731e87e5cf3b54fc636c1a27480e1ef7f508e9301e6cbe072e80a75f52578ca74e9381edd8b626f4e8fb99a37c2f614d49f923eb71431f8554fc

Download Submit
C:\Program Files\Temp\mirror_snd.wav

Filesize
71KB

MD5
5808d7dc65d5e0fd74b0425eac6f91ea

SHA1
bdc45478885bee8aedf8e02701d0ea3d96477261

SHA256
aa1b7166dd817c63330323039d7be95ae3475ff8a99e5e620cb3aa75cd75186a

SHA512
b0b85faefacf05a6f234ca5eaf2a7abde5b970c409776abc6d28e9a7ae4af4b0e9139390e7b403c17023f967ba932889bf9bb5258bb809e27f3c9178635dde11

Download Submit
C:\Program Files\Temp\plg.wav

Filesize
850KB

MD5
1532b0c3c59989756d5fc5773881eb16

SHA1
68fc2b39310df1f53156c635135fb92c6fd0d5d8

SHA256
6baa849a09233484305b88fff95bf44b52f3e4948b10cf434eb7e18930144f40

SHA512
e46a45c45f0c8eaf864f78f230f92ba8dd79e17ad5e3a600e6ba594552af4d617a49b82b830848800166e269824e36d2ce557ffaedcf3fa079c53da2d282e6d2

Download Submit
C:\Program Files\Temp\rainbow_snd.wav

Filesize
466KB

MD5
1b1471b680d9b64a4bffaca87f1f2acb

SHA1
efe06b26a3a2b3de4555308ba97cbba20bc07021

SHA256
3efe413dd987919aea8d693f85c46a0db76fb2351a9e09917ed3dad874394b66

SHA512
39136b30695b1c9b110057560ca42427cf357cd04add4b2fb7aac610341f9bc201317c1138170c71fc9138c41ce42f87967c993c617384834656efa02b4d4f45

Download Submit
C:\Program Files\Temp\static_color.wav

Filesize
468KB

MD5
63898c8efb4a14bbf5246caecaa3e80d

SHA1
e05fe67b4eb622d270463f9f6e33a38435db67fa

SHA256
05a175b48591fb971143f131b985b44b87d709523e4383d4054aceb674c4a4a2

SHA512
43dbe57375040cad6e70130090559f16f3a76d388a91d2537e3e7f3e588ccea8d9ba98eb635c6462e66f750645c7a0a631157f8106582e3a8b2d898052f53abe

Download Submit
C:\Program Files\Temp\stretch.wav

Filesize
22KB

MD5
df1f1080b54197fa4df0dbabf9bd98d7

SHA1
af87d9fae1b67f524586e47b4f952f53bae0a50d

SHA256
fbbad6eb56936ae2bd187e1a37e91ee92308aaaa688381c13fa469b2552d2a61

SHA512
a7f541f1d1bd2b30f54580d058696e26cbe3fb898a09e45cc658fcf6d9fb2c0d6bdef6c2345ee9302e3aaad819dc0e489f13ac5ffe7b7fd60569cb0de2ee589f

Download Submit
C:\Program Files\Temp\tunnel.wav

Filesize
63KB

MD5
d62b477c7120d8f83727ecd2105409f2

SHA1
7123fed535e92a6291e88a6565ad3057040fb535

SHA256
23d512b23eca1771f7dbf437b5b06b2fa04e73ee053a06ea325ee641912d0817

SHA512
82319b62376cb412a55dc5a139987bb9ce7aa018601b631eb2014cd98d39765fb28d97632b379a8efa256850d759c4f889e3976b07598bc4fa36908005b5fe71

Download Submit
C:\Program Files\Temp\wind_edit.wav

Filesize
22KB

MD5
2d63aa593201e288abfd337eb7f94ba6

SHA1
a8aeaa4cb1c4fce54076fe8b288e5174b810e348

SHA256
fe80d31da1979eeabcff63bf058bb45cd254f827942b4fc52e187a2f3805c4fc

SHA512
4c0849ac2f7ef7684a6d842e7292cf69da6ef4f6dd24f51e2dde3f459569726e5f89db4d87bcf57deef342a0f6babacb8c8482bbb482ce01295063d7cf8e4882

Download Submit
C:\Program Files\Temp\wind_short.wav

Filesize
22KB

MD5
96ac9187f4af6dfcb9d986c234bcdcb3

SHA1
9179c24cd8f81aeb11a42d9a3651460710bb2184

SHA256
6f4ba3247d6b59f2f45c3b763718d7c0edbfea8d9b2290dad99595d5a83f03d5

SHA512
a3b6b948af43bb0d27b1fb3f6c2592f793696acd381772821cc6fbd7d4a61913559722593b9da7269e619f80a276d4a20672511c1338722b35787b73d5b64cf4

Download Submit
C:\Program Files\Temp\wind_snd.wav

Filesize
22KB

MD5
186413c31a5408d89ffd5373534c83e8

SHA1
9e6d66cbc2907ac315989ca19766b82a93499789

SHA256
b801436219a3da10c9badeef7deaf61e31bf308c86c36a823728226b592b330c

SHA512
4a7b57a4c3407a0da637ab94c4bb4c4a4c24c01470354d81d32e9e1fecaee021159af8762ca89b2b994fcc4aba88f0e76356476694cd3d89f68c6147a416a888

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
aad9ef568b38aa2ab42b57a3cbd8d8eb

SHA1
efe601b188069ca6b54ba6bd63866687c5574780

SHA256
ef0ca3af55b0eb83ea83d3376038feecaef97236df7c556f821c93bd08e86a9a

SHA512
5a3e66a1f995ed2779c7260787a2688118406190312d31e7a77bbfef233d81bbc17dd1bbf77a08ba73e390e22dd973c173b5eb39851b359a9196f48bb6fea963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000007.log

Filesize
21KB

MD5
d9c1050e6d7ddceb3501c408cc1d87f4

SHA1
89c1859602954b8c5b8e00d0c6413a1506347362

SHA256
98e752851c1f05d818cd96d84cb107e86c29402415e1550f5b6b7e0617391142

SHA512
c2accbf8985546cf1416406eb10f437fc643da6fc767c3b6822d6beecf0acab12bfa23cfea522e64771af5cdd4357c77fd9c279a9d758c6912f5b14a4b5606cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
352B

MD5
0380571b7421b543410a4f081751a716

SHA1
b112f228358f1fcfd8853a4d08b44082f7abdccc

SHA256
de0edb387731045306e2599e7a72e75c2db4eb45a5091dd416819a8ebaa1d2d1

SHA512
c46a9f26974b1aa4d05538be7a71361a15619fe4064944c15d9a0be8ab40240d13a1308ba9d6bb0b40049e89eec6adb45016d8110c8899205c26ae1707e46b40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\MANIFEST-000001

Filesize
268B

MD5
16b8f6d6d2d1575e106c19ae45dc60db

SHA1
65c7c3f4e2828085a5d1d6620b9113fa6c6891dc

SHA256
31821e7c98146ddbcf9e020372fe3c4578dbfa121c9ae06dff632552568f9049

SHA512
a1ccfc0971f8dba98a0cc6be90babecdf2e529daa2545a9462ad6377b99bdaa4199a55a2ec8837b465e7f4ffb6e503ee1cb4c27edd1c0d8ca0a07ac0d1222e87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
1061637ec188013cbab5590c042d643f

SHA1
58f9c2e60cbf8c29b69d9a7b89dcba876a420648

SHA256
3899955d8da97bcc8bace65a957e6309fe9375185b8e3f3d5d136b9e7a4222e3

SHA512
b7c453c5bcae368f9ce143944347902fbc5e29913ed4b43d0a3a09ee72a5f83d18a82184aff83389e43d7ce4b2af9a764a40409f45273891a72b8de9789db1c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57d745.TMP

Filesize
3KB

MD5
93ed54abc264109934a4adca3d3a3ffa

SHA1
aa65f492d14977b3da654161a0f82b9382a158d1

SHA256
f4067c9ee71e47e8a3715c91d62dbaa86afdded88d241013ac3428661abc013f

SHA512
74d571f2c85325b6c466ac2b01e8c46277ed79dc683c2a899ef2ed79b06456cc52ecfdaad521c66fbbc0126151e9c25b825c411c419d28c0c32f652993083694

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
f933035851814a51584c3e2e2cd31098

SHA1
e2e052f4bb507530961fb289d0ed3665779c7c8f

SHA256
135f2062653642e4db301bf1dbd0331836e1c6154ca7db983bb27100174cab46

SHA512
ffcdea0265199931d1223ce40068adc19e3c795035e348a84724547994db46080d1f25de1964f741fdf75caa5d8161972252b684ffb1b8ac2bc8692bde5cb665

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
ec840f653d485f72a8803054b8eabc86

SHA1
11da6e236cf48277602a3e60598cbc4e7bcadd1b

SHA256
05de69070ac3530c7111387cc667ec5ff27345edb5bf5b5f6d7247e460539f3e

SHA512
38e1e2985d738db202c14263c57a2d65f3b2f12bf72002cdaf77f85f305862186e0fddd92fdb7f3a47fd32d369fb52291c081d6d3ed589d540f2e7c2d180c6cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
93c43ca94cae89ca37fe818798c66167

SHA1
d17dae2c41422436e9c17fdecb9c337eafcada15

SHA256
1de3ccc792ea2a47fff27a5fad5504d7ce6789e616657b05ed2d8f13ae59080b

SHA512
1aacba27cfc35bd6a1ff017af98c1b660c593dea68ec5609959a2b4a95f81d4880e66dd0e7ffde46f8168378ec0d5bd0f2ae6a8623f9d2eb489bd6e51cc853ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
b9a99a4affe099c9d8ec43aa91d21d9f

SHA1
5370c58714ad5dd03965728fd8a969d6f1b21228

SHA256
7b61d5e50b9db8eec6ec124d9e571a865ad000f9772f5631c3421a13c80155d9

SHA512
fd4c1a21d14bcfaf9183c95f48ad320d35491b5a698d526b7dcfb7889a155a7d18171e206614bcc27210ba9766ad03a46bb19c8a807be5cd9f9e6afa450af441

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
4c8aae3a6b7ce29b582a85daf83bdc3c

SHA1
0107bd05e1b7f107b1e7b7da6e77d91c2b99021d

SHA256
caa8d143307f4d0cd5f2f64f5971206c073c5a8ff268202b4e93f6885b64aaef

SHA512
ef85b9de6dc8e715c61cbf236f44349ef6e15e25ca5c2d46c6435224ac638d67bec6e34a6a4ebffee25dae12d15de4569ff8c685f5ad44b268a4234886914b10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
ab533489050b230a81fd5696b47fb479

SHA1
7b94b6990d96f200384aee30841b318f11e4db5e

SHA256
127c8ad1efa9950ad2479cb1bae1b8b799c18f9dfe62de20174bbeb855e85227

SHA512
4f598d022e3381fff879f0ab955ac2e7b4f8782cbb87ee15e576dc94e590468c1daf77cfd2a221e844c7662396d02cce99656475dc9f9a77b2a0398287601fc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\d923b4ee-d009-4a07-8977-5321f7564922\index-dir\the-real-index

Filesize
2KB

MD5
6d5ccbd9d25a2cf790bdd5b2bd1b9ac8

SHA1
866849c698dd51fecc2a1c074866dc2243dca83e

SHA256
4a5d11c40b6869138622d99cd76c3cf8c4623cbb44f3776f0d22810973ca2701

SHA512
c6ec5e467b391a4f08d0dcffb4a145d3744dbb71cb27bb500cf74413b5a8faddda7e41743b154bdda80f3cb97a1029b3ed24db7b6e693e1624ab42bf1c9b09e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\d923b4ee-d009-4a07-8977-5321f7564922\index-dir\the-real-index~RFe5c19f8.TMP

Filesize
2KB

MD5
eaa34d4901f184872f80bad9b6338786

SHA1
f14d230a1c755965d0686a69c3f9e580fbca0490

SHA256
442c22db10e70f884ac65effae1fa4b3683522b9bc047b08c0bcf86dc6817ba4

SHA512
7a3b5e3225716bd12bc2ad82ea1660f69f21d8c7e93b6b69fd641090b707757920d968a359ae38617d1716e4a01fd206f32b989168d02766ca2565dbccc0c24e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
253B

MD5
b8e7cd5c38cb9c920da973b61d38ee62

SHA1
a1d482780607e8b2ea5567d7c7dd5bde1f29cb34

SHA256
8a50013e02dbf530a7bef0efe3fb523e6ef28f6e05c85a4d827389a59ca94e07

SHA512
294bc1d0676d07b3624d7f7f852ba2d7b0d5f55951009981eff997092c9b991e613ed1a2255fe96e9ee5a290ed808dc14f47088abb0f83605825c64bfe3ef54b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
666a0ab806a8470d8997ac2f139dc6df

SHA1
e2ade2ecfa39256c4350cb72a2652e40081202a6

SHA256
d344dfcb95dbef4d5c872f4d3e4617fdc04e7d4bef59b90e11ff972e5e1e05b5

SHA512
129fb5640764b6717024cb9c27dc0bd84a066b75c8492d562419c659450483620b5f8bb6ce8a9a238170dbb101f91519dff216906230cec9a2d9f378c28a1ecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
ffd142826a7d51db932e51e4b863649f

SHA1
5408a6a27ea66fb98ac8916d98440bd815972e1e

SHA256
cf3af671646ceb8f3e7ad6f8d1b6cd245dc8065a7815e5f8421bcf01279e1332

SHA512
29bcd8cef7a46edf724b0cba2043d3a6ba82cf5d84f96898e63983ae00447045b6f791ba8a7a40941e9297fab26502301790847df68c738423a1628327957f76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
467B

MD5
57260cd8c3946794df85300a3654c91b

SHA1
3f969999b73fa3c878f5e6315b85ce23979b0bc1

SHA256
e833da1276a5e53d70b32ad2b478676c73c5897477c6a92620c0c0dd2c1bdcef

SHA512
bbefabcd4e1e7070c3c4cf3bae6bf7af1597986c67f9063d448cc65c9c4ac3c2c3693180f419a2170cbb958bfba6bc75e46a5bd53f3b175e9ba4c1ca83f8ce30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
900B

MD5
8e06677ffa75be53e825729abc6f68e5

SHA1
793c5b884bb9daabcd037477b65b2de70ee3c5b9

SHA256
4477eaebe3e21534cefbf2f93d37ea712de6493840417acc8e621bb76b54c48f

SHA512
ca2130fab522aa44ffad9b1739270fe0420bffae63ecea46f5833d569843797e90df07dfb5e9ea2eb9d79c169ccb867b4312a551b2834e8ecbef6ed38c5e705f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
1fcf7cbf78b1e9e19768f1bb0959f281

SHA1
782a0d18d35c897f469b5770e689986d9851bfb4

SHA256
66ead34336382f86d11093233703f374ad193155daee89634fb4eed808b7ef88

SHA512
d8f25c47e1010b8f07d19744a97cae9773ed421968076d9a8ddcd113a58bc232ba501825168bf082c847806be9e830713cce680f1bc6e34c1519f7441943dc2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
d3bda2935b86f7d1d72ebbcc44a6285c

SHA1
893d985d7a556eb0f47d7c58bba1fe5c01b5b20b

SHA256
c70fe1e4280019f6e0a55287471eb1ccf92bd5bcec1efc5a77742eb87db0748b

SHA512
c7853e9550228dade6e7f9f3daba9d2a2388a68c3094f34407cc37e31d508f8e073f2bd40935696b92c77bef43d2a21510e37b696db9d371a8c456d1aac536ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
858ae946e1be099987ab15e3c0a7014b

SHA1
f96c1676d89c4684b025a7ade4cc7144b2a13dd2

SHA256
8e7d20d299ed9fa6dfe01a722b9a4ae1770761e7e345106b5a5e59a0f6c1e8ab

SHA512
44fb64b52853efeee6432fad4bd2595e82fdfe349b1504522fcce5a2650901a5fa55302c533f45e2e0d50c1045782090533e0be14afb55ed84a3f3ad00744dd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
7fdcddc42e6f5acb40ec849580729738

SHA1
dd5b55d79097f2f3656573213a1797fd63cbabf7

SHA256
86f8d4091233b8d4e44f3fcc4c7c150a3995ae44408b8407329e2428eab4d590

SHA512
9ca09a74b849394cbd51401056161a969cd8779bb0ab677d54fe7ffe58d1bf60c582ce8b78d9b7aea0469df44025d5b054ab2ae1d53fcf28ddfd92d11d29b923

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
c741c3597630cb99cb2f90fc23b46645

SHA1
99b7cc293f504dfb31fec233d9e61fe4da84acee

SHA256
c1ff68050e08caee00c85ed08634bc479f1706a24199dc80cc0e5a96aac07a82

SHA512
4716673a9f57a6449b62a3f7aeddd7f76e59162cd88d8dbd62a00079a85c8d74617b4f1627725b2ea8e1407cb25417c5285d572ac6a6df137101cc18fccf2dc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
0a72447703b39fe72c407a595d23742e

SHA1
f42630ba6b654bd1b72818244b56f908ccce6822

SHA256
106e1419d60141260374b8e9d948fac911687e5c0e965b0fd3bd35f8c3042f13

SHA512
77a3317401c9c46b0add4dfc193e1cbd6a1644380c5f70b9652913a654729638fd8bb6eff0de72ef6102a4790be2ef9cee281b40e94a70c1edba0a0e3ce37d57

Download Submit
C:\Users\Admin\Desktop\clutt6.6.6 - by CYBER SOLDIER\Clutt6.6.6.exe

Filesize
4.5MB

MD5
ebe2598356ddaa94e3c507a3bf3fbaaf

SHA1
12fbb71303fbad2d1d6b644d67f3d895ed417ea2

SHA256
bce721a6081d418d0e00bce7dfb5a6b957767b0138690f7e5d642181556b8296

SHA512
e541c1e25c081530b7102445d57c70ceaabb3a719ac895b1322305d3b2e0c6d8cd42dbb231285473a48c8221d94cfd3f9aab431a2aaaf551b55b060d83f87552

Download Submit
C:\Users\Admin\Desktop\clutt6.6.6 - by CYBER SOLDIER\README!.txt

Filesize
79B

MD5
1d405029a4401746f3c611553f972194

SHA1
b768f2494fd15705a540c992fa32fb30ae7e38d3

SHA256
ba99602ca6466df52b215bd81beb0b0dfcf817b5d74deccdcac1535b7bdc5e88

SHA512
6b5386eb14c14fe9acd5ef2cc45898846d638ff23edb92ebb0b8f2b661ec7479cb962dd84ffeb01a49fd40287df6b404b98bb02455207eb768309500af0813d7

Download Submit
C:\Users\Admin\Downloads\CLUTT6.6.6---BY-CYBER-SOLDIER-main.zip.crdownload

Filesize
1.2MB

MD5
a13a08aac9f25d0b7f41b89348fd50e1

SHA1
c91e19d5b31b0baac9b58a15cdad232e8fc10c3f

SHA256
7edc3f16770698c0d9eb302f534560ecc82c0e35cdbb44189cfc06adaaa10641

SHA512
f8af2744f6909c52876ec4a52b82f1624b571d10082fa240f8091c6867919354510f52611eb1dbdd4bf6594eea03f8145208d4618f36342cc5e2a87be2efc223

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1143872580\hyph-bn.hyb

Filesize
703B

MD5
8961fdd3db036dd43002659a4e4a7365

SHA1
7b2fa321d50d5417e6c8d48145e86d15b7ff8321

SHA256
c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe

SHA512
531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1143872580\hyph-mr.hyb

Filesize
687B

MD5
0807cf29fc4c5d7d87c1689eb2e0baaa

SHA1
d0914fb069469d47a36d339ca70164253fccf022

SHA256
f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42

SHA512
5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1143872580\hyph-nn.hyb

Filesize
141KB

MD5
f2d8fe158d5361fc1d4b794a7255835a

SHA1
6c8744fa70651f629ed887cb76b6bc1bed304af9

SHA256
5bcbb58eaf65f13f6d039244d942f37c127344e3a0a2e6c32d08236945132809

SHA512
946f4e41be624458b5e842a6241d43cd40369b2e0abc2cacf67d892b5f3d8a863a0e37e8120e11375b0bacb4651eedb8d324271d9a0c37527d4d54dd4905afab

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3076_1205712226\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
memory/1132-1006-0x0000000000780000-0x0000000000C10000-memory.dmp

Filesize
4.6MB

Download