hxxp://google[.]com

Analysis

max time kernel
527s
max time network
529s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
03-07-2024 05:02

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://google.com

Score

10^/10

bootkit discovery evasion exploit macro macro_on_action persistence ransomware trojan upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

gdifuncs.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\""	gdifuncs.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

gdifuncs.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" gdifuncs.exe
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
macro macro_on_action

Processes:

resource yara_rule

C:\Users\Admin\Downloads\metrofax.doc office_macro_on_action
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

5244 takeown.exe
5264 icacls.exe
5408 takeown.exe
5400 icacls.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe

resource	yara_rule
C:\Users\Admin\Downloads\metrofax.doc	office_macro_on_action

pid	process
5244	takeown.exe
5264	icacls.exe
5408	takeown.exe
5400	icacls.exe

Executes dropped EXE 12 IoCs

Processes:

Gas.exeGas.exeLoveYou.exeFlashKiller.exeFlashKiller.exeBlueScreen.exeBlueScreen.exeHorrorTrojan Ultimate Edition.exembr.exejeffpopup.exebobcreep.exegdifuncs.exe

pid	process
2204	Gas.exe
3112	Gas.exe
4660	LoveYou.exe
4960	FlashKiller.exe
2600	FlashKiller.exe
4460	BlueScreen.exe
4192	BlueScreen.exe
5280	HorrorTrojan Ultimate Edition.exe
1972	mbr.exe
5932	jeffpopup.exe
5828	bobcreep.exe
6032	gdifuncs.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

5400 icacls.exe
5244 takeown.exe
5264 icacls.exe
5408 takeown.exe

pid	process
5400	icacls.exe
5244	takeown.exe
5264	icacls.exe
5408	takeown.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 538907.crdownload	upx
behavioral1/memory/4460-1102-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/4460-1104-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/4192-1115-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/4192-1126-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

20 raw.githubusercontent.com
90 raw.githubusercontent.com
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

mbr.exembr.exe

description ioc process

File opened for modification \??\PhysicalDrive0 mbr.exe
File opened for modification \??\PhysicalDrive0 mbr.exe

flow	ioc
20	raw.githubusercontent.com
90	raw.githubusercontent.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	mbr.exe
File opened for modification	\??\PhysicalDrive0	mbr.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp"	reg.exe

Drops file in Windows directory 8 IoCs

Processes:

cmd.execmd.exegdifuncs.execmd.exe

description	ioc	process
File created	C:\Windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav\:Zone.Identifier:$DATA	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe	cmd.exe
File opened for modification	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe
File created	C:\windows\WinAttr.gci	gdifuncs.exe
File opened for modification	\??\c:\windows\WinAttr.gci	cmd.exe
File created	\??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3104 4960 WerFault.exe FlashKiller.exe
3024 2600 WerFault.exe FlashKiller.exe

pid	pid_target	process	target process
3104	4960	WerFault.exe	FlashKiller.exe
3024	2600	WerFault.exe	FlashKiller.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEAcroRd32.exeWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5536 timeout.exe

pid	process
5536	timeout.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeWINWORD.EXEWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5660 taskkill.exe

pid	process
5660	taskkill.exe

Modifies Control Panel 3 IoCs

evasion

Processes:

gdifuncs.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur"	gdifuncs.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

AcroRd32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 16 IoCs

Processes:

OpenWith.exemsedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\僿翸	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\䝐ￄɗ\ = "apk_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\apk_auto_file\shell\Read	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\apk_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\.apk\ = "apk_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\㟃ꟁ昀耀	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1474490143-3221292397-4168103503-1000\{DD880388-2506-40ED-B647-8D0A358CCF7F}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\.apk	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\apk_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\僿翸\ = "apk_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\䝐ￄɗ	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\apk_auto_file\shell\Read\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\㟃ꟁ昀耀\ = "apk_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\apk_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"%1\""	OpenWith.exe

NTFS ADS 20 IoCs

Processes:

msedge.exemsedge.execmd.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeWINWORD.EXEmsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\FlashKiller.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 606024.crdownload:SmartScreen	msedge.exe
File created	C:\bg.bmp\:Zone.Identifier:$DATA	cmd.exe
File created	C:\Windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav\:Zone.Identifier:$DATA	cmd.exe
File opened for modification	C:\Users\Admin\Downloads\Grave.apk:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 538907.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Gas.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\LoveYou.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 529325.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\BlueScreen.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition Sources (1).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 772736.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 51146.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 15603.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 677401.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 457490.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\metrofax.doc:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{F622B6FB-592E-48F6-A9A8-BED3DA6A16AB}\8tr.exe:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition Sources.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition.exe:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

WINWORD.EXEWINWORD.EXE

pid process

3284 WINWORD.EXE
3284 WINWORD.EXE
2752 WINWORD.EXE
2752 WINWORD.EXE

pid	process
3284	WINWORD.EXE
3284	WINWORD.EXE
2752	WINWORD.EXE
2752	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exegdifuncs.exe

pid	process
2740	msedge.exe
2740	msedge.exe
920	msedge.exe
920	msedge.exe
3252	identity_helper.exe
3252	identity_helper.exe
1624	msedge.exe
1624	msedge.exe
2992	msedge.exe
2992	msedge.exe
872	msedge.exe
872	msedge.exe
1444	msedge.exe
1444	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4424	msedge.exe
4424	msedge.exe
1092	msedge.exe
1092	msedge.exe
4816	msedge.exe
4816	msedge.exe
1456	msedge.exe
1456	msedge.exe
5180	msedge.exe
5180	msedge.exe
5164	msedge.exe
5164	msedge.exe
4900	msedge.exe
4900	msedge.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe
6032	gdifuncs.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

4432 OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs

Processes:

msedge.exe

pid	process
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

gdifuncs.exeAUDIODG.EXEtakeown.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	6032	gdifuncs.exe
Token: SeDebugPrivilege	6032	gdifuncs.exe
Token: 33	6120	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	6120	AUDIODG.EXE
Token: SeTakeOwnershipPrivilege	5244	takeown.exe
Token: SeTakeOwnershipPrivilege	5408	takeown.exe
Token: SeDebugPrivilege	5660	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

msedge.exe

pid	process
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe

Suspicious use of SetWindowsHookEx 31 IoCs

Processes:

OpenWith.exeAcroRd32.exeWINWORD.EXEWINWORD.EXEHorrorTrojan Ultimate Edition.exejeffpopup.exebobcreep.exe

pid	process
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4432	OpenWith.exe
4656	AcroRd32.exe
4656	AcroRd32.exe
4656	AcroRd32.exe
4656	AcroRd32.exe
3284	WINWORD.EXE
3284	WINWORD.EXE
3284	WINWORD.EXE
3284	WINWORD.EXE
3284	WINWORD.EXE
3284	WINWORD.EXE
3284	WINWORD.EXE
3284	WINWORD.EXE
2752	WINWORD.EXE
2752	WINWORD.EXE
2752	WINWORD.EXE
2752	WINWORD.EXE
2752	WINWORD.EXE
5280	HorrorTrojan Ultimate Edition.exe
5932	jeffpopup.exe
5828	bobcreep.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 920 wrote to memory of 2176	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2176	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2124	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2740	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 2740	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4964	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4964	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4964	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4964	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4964	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4964	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4964	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4964	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4964	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4964	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4964	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4964	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4964	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4964	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4964	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4964	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4964	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4964	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4964	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4964	920	msedge.exe	msedge.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

gdifuncs.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" gdifuncs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	gdifuncs.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff842c53cb8,0x7ff842c53cc8,0x7ff842c53cd8
2⤵
PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
2⤵
PID:2124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
2⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
2⤵
PID:2980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
2⤵
PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
2⤵
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
2⤵
PID:1952

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
2⤵
PID:3004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
2⤵
PID:1904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3792 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
2⤵
PID:2504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2008 /prefetch:1
2⤵
PID:336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
2⤵
PID:4624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
2⤵
PID:4000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
2⤵
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
2⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5708 /prefetch:8
2⤵
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5316 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
2⤵
PID:3264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
2⤵
PID:2420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
2⤵
PID:1068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
2⤵
PID:2148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
2⤵
PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
2⤵
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7116 /prefetch:8
2⤵
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6924 /prefetch:8
2⤵
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7124 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:872

C:\Users\Admin\Downloads\Gas.exe
"C:\Users\Admin\Downloads\Gas.exe"
2⤵
- Executes dropped EXE
PID:2204

C:\Users\Admin\Downloads\Gas.exe
"C:\Users\Admin\Downloads\Gas.exe"
2⤵
- Executes dropped EXE
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
2⤵
PID:4668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1720 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7260 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
2⤵
PID:4164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7384 /prefetch:8
2⤵
PID:3920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4424

C:\Users\Admin\Downloads\LoveYou.exe
"C:\Users\Admin\Downloads\LoveYou.exe"
2⤵
- Executes dropped EXE
PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7228 /prefetch:1
2⤵
PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4532 /prefetch:8
2⤵
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2532 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1092

C:\Users\Admin\Downloads\FlashKiller.exe
"C:\Users\Admin\Downloads\FlashKiller.exe"
2⤵
- Executes dropped EXE
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 252
3⤵
- Program crash
PID:3104

C:\Users\Admin\Downloads\FlashKiller.exe
"C:\Users\Admin\Downloads\FlashKiller.exe"
2⤵
- Executes dropped EXE
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 220
3⤵
- Program crash
PID:3024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
2⤵
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7232 /prefetch:8
2⤵
PID:3212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6212 /prefetch:8
2⤵
PID:388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4816

C:\Users\Admin\Downloads\BlueScreen.exe
"C:\Users\Admin\Downloads\BlueScreen.exe"
2⤵
- Executes dropped EXE
PID:4460

C:\Users\Admin\Downloads\BlueScreen.exe
"C:\Users\Admin\Downloads\BlueScreen.exe"
2⤵
- Executes dropped EXE
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2512 /prefetch:1
2⤵
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6864 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1456

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\metrofax.doc" /o ""
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3284

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
3⤵
PID:832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
2⤵
PID:1452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
2⤵
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7320 /prefetch:1
2⤵
PID:436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
2⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
2⤵
PID:4228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
2⤵
PID:4504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6352 /prefetch:8
2⤵
PID:3100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6264 /prefetch:8
2⤵
PID:1088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
2⤵
PID:3308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,8497357193009836724,5376530546720408069,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6240 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4900

C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition.exe
"C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5280

C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\4166.tmp\4167.tmp\4168.vbs //Nologo
3⤵
PID:5420

C:\Users\Admin\AppData\Local\Temp\4166.tmp\mbr.exe
"C:\Users\Admin\AppData\Local\Temp\4166.tmp\mbr.exe"
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4166.tmp\tools.cmd" "
4⤵
- Drops file in Windows directory
PID:1796

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
5⤵
- Sets desktop wallpaper using registry
PID:4600

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:2344

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:4732

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:3488

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:1936

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:4668

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:1636

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:4240

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:3548

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:440

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:3524

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:1368

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:2544

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:4968

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:5772

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:2676

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:3280

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:4904

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:1744

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:3956

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:4060

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:5264

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:2552

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:2284

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:4164

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:4900

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:5216

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:5252

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:5276

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:5640

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:5408

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:5400

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:5436

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:5600

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:5540

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
5⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\4166.tmp\jeffpopup.exe
"C:\Users\Admin\AppData\Local\Temp\4166.tmp\jeffpopup.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5932

C:\Users\Admin\AppData\Local\Temp\4166.tmp\bobcreep.exe
"C:\Users\Admin\AppData\Local\Temp\4166.tmp\bobcreep.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5828

C:\Users\Admin\AppData\Local\Temp\4166.tmp\gdifuncs.exe
"C:\Users\Admin\AppData\Local\Temp\4166.tmp\gdifuncs.exe"
4⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:6032

C:\windows\SysWOW64\takeown.exe
"C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5244

C:\windows\SysWOW64\icacls.exe
"C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5264

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none&cd secureloc0x65&copy "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2&taskkill /f /im "tobi0a0c.exe"&exit
5⤵
- Drops file in Windows directory
PID:5556

C:\Windows\SysWOW64\takeown.exe
takeown /f LogonUI.exe
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5408

C:\Windows\SysWOW64\icacls.exe
icacls LogonUI.exe /granted "Admin":F
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5400

C:\Windows\SysWOW64\timeout.exe
timeout 2
6⤵
- Delays execution with timeout.exe
PID:5536

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "tobi0a0c.exe"
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5056

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4432

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Grave.apk"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4656

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
PID:1364

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B315FA1EC6932298262B7BE7A19D6100 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:1840

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=636FF414B1D0F9D75B9259495989FB31 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=636FF414B1D0F9D75B9259495989FB31 --renderer-client-id=2 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:1
4⤵
PID:780

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D0F614AAAE3B864492D6E3F3311907AC --mojo-platform-channel-handle=2344 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:1656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4960 -ip 4960
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2600 -ip 2600
1⤵
PID:2736

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2752

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5368

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition Sources\HorrorTrojan Ultimate Edition.vbs"
1⤵
PID:5736

C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition Sources\mbr.exe
"C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition Sources\mbr.exe"
2⤵
- Writes to the Master Boot Record (MBR)
PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition Sources\tools.cmd" "
2⤵
- Drops file in Windows directory
- NTFS ADS
PID:5284

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
3⤵
- Sets desktop wallpaper using registry
PID:5564

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5388

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5396

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5420

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5432

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5412

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:1524

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5536

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5612

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5680

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5668

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:3208

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:3596

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:1516

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:1468

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:4484

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5916

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5520

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:212

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:1072

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5780

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5788

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5816

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5828

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5836

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5844

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5856

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5860

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5868

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5880

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:5932

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:6004

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:6032

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:6040

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:6056

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
3⤵
PID:6072

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6120

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Winlogon Helper DLL

Pre-OS Boot

Bootkit

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

File and Directory Permissions Modification

T1222

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ade01a8cdbbf61f66497f88012a684d1

SHA1
9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f

SHA256
f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5

SHA512
fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
d0f84c55517d34a91f12cccf1d3af583

SHA1
52bd01e6ab1037d31106f8bf6e2552617c201cea

SHA256
9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c

SHA512
94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\169a949d-b1a1-48dc-9b95-74f41c354291.tmp
Filesize
3KB

MD5
d3cb1723ee96c6cc1ad587aa8163e4ea

SHA1
108a2ebcad26a7d2becfb3ff4c085e8a0ebbb448

SHA256
7a56af72181cbbd9cc070f0cab7dcfe02e37a47803d81ac1ad6959e7cf497298

SHA512
c8711219deb83118adb1ccaeb0223df4fcd8a5f5b6300045e49b687de2195a7aa8cd45d47abff91c9bea27015faab3692d39c5beef293e6e9ccefb8ed082a67e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3116e49e-20b6-4927-8b28-7fa0e26fd62a.tmp
Filesize
2KB

MD5
d059487a48b12181bface162722fb255

SHA1
dac29803f0364f3fb209ce1210974f42ecfdcca4

SHA256
220a45c9a239ea53e2dc2df87d581f92530400db3260f46bc489daff8a39fe28

SHA512
5159f10269395c6154c59cbc91349dbd02be401f6881bd0afdb6c2a1c50769ad000f02ade6b4d1f2676051d8df83fffca40db29f522746e5daed92e2d251f358

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b
Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c
Filesize
67KB

MD5
9e3f75f0eac6a6d237054f7b98301754

SHA1
80a6cb454163c3c11449e3988ad04d6ad6d2b432

SHA256
33a84dec02c65acb6918a1ae82afa05664ee27ad2f07760e8b008636510fd5bf

SHA512
5cea53f27a4fdbd32355235c90ce3d9b39f550a1b070574cbc4ea892e9901ab0acace0f8eeb5814515ca6ff2970bc3cc0559a0c87075ac4bb3251bc8eaee6236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d
Filesize
41KB

MD5
ddb8bf0444969fde4ffd0dd3036d9dda

SHA1
b77ba856c51a72a40f69637a9c7980cbbe859897

SHA256
3e634c7e24539826f9f228decb932e1b9c3139c6505bbf6a9d15cc206f1cc6c3

SHA512
bca01e2dbf2b8aed3a08ddd51d68029296175b7a2f2a601a3c3e522ccfbce6c397b3c9a109db07abb053cd812865d930b097888ea58a772a99d4a67821d02f5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e
Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f
Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010
Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
Filesize
1.2MB

MD5
e9260f3d081cf9a5d5c7551fbdc3d234

SHA1
0cc5b721c02dab3301207880871fc97e004c3b88

SHA256
81b05795af8af16e41a86d022730747b7b59a8e96951ec3053f34f91d66cae4e

SHA512
d4445200865a3636e814fcddd9ea21dfdbed943deb68a12279d715879693921e94ca8dd8570853bbed657f47cc8d034f931f500b3591a2001185d9be45bd109a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031
Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003e
Filesize
20KB

MD5
0f3de113dc536643a187f641efae47f4

SHA1
729e48891d13fb7581697f5fee8175f60519615e

SHA256
9bef33945e76bc0012cdbd9941eab34f9472aca8e0ddbbaea52658423dc579f8

SHA512
8332bf7bd97ec1ebfc8e7fcf75132ca3f6dfd820863f2559ab22ac867aa882921f2b208ab76a6deb2e6fa2907bb0244851023af6c9960a77d3ad4101b314797f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000054
Filesize
15.0MB

MD5
8f5a2b3154aba26acf5440fd3034326c

SHA1
b4d508ee783dc1f1a2cf9147cc1e5729470e773b

SHA256
fc7e799742a1c64361a8a9c3fecdf44f9db85f0bf57f4fb5712519d12ba4c5ac

SHA512
01c052c71a2f97daf76c91765e3ee6ec46ca7cb67b162c2fc668ef5ee35399622496c95568dedffbaf72524f70f6afcfe90f567fbb653a93d800664b046cd5f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
5KB

MD5
5f5e281173c7315b328cf6697eb960fd

SHA1
436107188ae5870ea2b8b14d3af25cd3c79a19ea

SHA256
99355e706679ca3cc0a76ac5b15f2ec2e177d2400523a5ab062a08f9faf03b06

SHA512
a11aab36a950ff5a711a08690ea17ba3f9a318b0d6c6d071bba34d0af5b1ca92367e1577a6a29b289e1ca63473c159668f5ea5446c4a7023e908b362e0f2f692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
5KB

MD5
b337b1639687f70b0dc361d211b76cf5

SHA1
70a984f7234f8069d0dce700dfd4ec919d53f4cb

SHA256
df36e5650573b848a2796338d83547663c96220ae73280bd6c47edd8da304322

SHA512
798d9f48399b660da0db56b752a8cc5cd5b94c1b6b2e19aab26d00e1c564ab8fb8333888c9305fadcd7fd35417b6eadad4388bceff96b83465e5c9ea705334a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
4af60f3c1d318d3e85cd9d42708789e5

SHA1
36bc60e852777ee34d8f8c4a9f4cf1a51b38ec68

SHA256
b498370900748fc72f99bad62ebb627c4a3347b92ae367a43bfab62f1b5b8b29

SHA512
ea701a34a2c9ac636815437505d4b85d08d2f1f9096aad2a254db89465cd0761166f04e97fb71e08466df79a3da0329cb109f4dc4d0b866eb6bbaf7e09839904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
c91b09c8b3ac6e631f79be33257225cd

SHA1
95370220568716e06a75fe3269bea019d7b81e19

SHA256
585ceba77d65d6886f2f89521426698da54e5e7433a76653d7ff2c5d1d2f7904

SHA512
904def7d6dc86b0e5f6fdb8a1588d2fe9026165be0fc9972423244ce675f79ade3fabfe460f05f5c333a0b79847a54ab6ed5335b8c54e0720b61501178230871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
5a51c71308e405db6a845c5cdba36ba9

SHA1
c4b090611f6e66821400a1d0e7595f64a59764ad

SHA256
3b195906d9e1d80c975d7c0698d99d980aa4634bf09d70edff01c23bea7c7f8f

SHA512
8dbcc071298d5386791ea7b9670be4b22e3296159ba834f755f02d0b73a74afbeb604352427c6b566828faacac7e6057718a42df56a963ef1cd5e80be66959a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
8588d251aea3ebdb6e2f47310cc0273b

SHA1
fa8c4aa718ea31a2f597d8aa1cc33e4118402c5b

SHA256
1c6d219356afe2f72c25ff08ed71785730ae20fa7ef33eb38f43ec610461378f

SHA512
161a5361c1b952994f65d917de85ccbffad632bc213446297c61306e5c2295808002b9c7086c5c2c085eb487a4d112aa408ae1738f696561688797b3cb50d8c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
9d8f039a9e43b76f200087db8a8f1fa7

SHA1
ed64e165136f0431470da87a8a1e2454180fbe98

SHA256
c3e30ed2c0a175c1e61d5016453d569569411639274947f6f8db2b2c3d5d88d5

SHA512
0703b20af4028e47e8b5648437f666518eeced7dd68f041ef8386a7139980b14f14547da382104ef9e64c5aa5a9025da5f4c6babf86e1abf336ce27bef5341b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
9eb82fe42f44c0a9571976264292beb5

SHA1
d9f4b482d434703aeea94f6d9023d11e8460ab7e

SHA256
b97dc3df6a9667ead76baf2ad7510e039c2a02f9b154c0c9c1b5627fe9147956

SHA512
342295d099dfef986d8b608540aa7c873797041f2d44ccd31213773a2becc263ec46af5874784b91318df792d39e3efff2fe54fd0971bc14de20fedbc2532d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
6931be188a013506ee82735809b2fc2e

SHA1
f1d492b9e3f017634a87cd109be57800d6cac65d

SHA256
42a82e114c4ea487ec891c5d3326c8e6c177f799badf6af68a6f1c14fa36e7b1

SHA512
b0af19bf69e31939ae7842c522e1e915b84c2c1027ba58220b0ea38917c1214f37d8f578a46fb1f75fac6e270e9cb3cfa4742761230723a6e39fdcc458b794e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
545570020e6a6042b7d4007347ee5b3a

SHA1
b49bbc0f2e369271072c00070594ce70a9d4883e

SHA256
15475149dc4efbeb9e3130f3348db24db1e9a1570d1cd33bfa2bd50e158964f8

SHA512
78b5133e3b0b90fadd877eb6cdb306071becfe8decd396a49fe075292c0ef2a39af897babe9ed210929f7126a750a253de648091bb8c1ae8fbcebea0369c9831

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
666bee6433583cf0591e97e072a182d3

SHA1
cd796d3611cba01a57ce24fc2e08065352520628

SHA256
662ebfcdc1f62398efec076f4008d9056d4644b1a878c26a862c69a24f17d23f

SHA512
b6ace46a32b4a4626a1fbc6f2b626551aba6679d5a4926e60f5d0b6d53b16b129fdcf957a5cf75dd37cddb39101e78ea3bdc00c22f7dcca62568b5a6a523d550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
c5d7a07ffe5a514c3c041891c3310412

SHA1
2651c85ee73df25e222fe6a5698b9cc3dd8df3db

SHA256
fc5d7743b2f24f068abd9c2c453248df23da7235de6cdd129bea00e967326cbe

SHA512
c7eed3ab55145553f3d2b2ecb5a4c424152e67fab111b93dddefdba334b24d4af8ae6c1bbebc44b9274299e64b66ac5f5c1026542166f2fd0d4da732a6ab19f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
cc623459bf43aea951bea42201add7d4

SHA1
59cb25adcbedcf700b6ef74cdf536f460ee728b5

SHA256
52e7ed10b51ff68098d8432886c89501f35e9eb743294e004ff5b4be234f4732

SHA512
c0a272aadf9d2cd1ddcbbdef2feb822c6b5505a10fd0b956320e07aff1716ee3192e5c1d463fc347fa4244fffeaa9c16a37502d591bc7e5170a7eee9582add14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
f8338be2e3e19355965a48200756e569

SHA1
be31d67b9d6bea63745738f0c9743d098f63899a

SHA256
eafdd405c78a7de6911df4839bc4ca7b057c2d9fa907c394997be060a00aaf31

SHA512
b17b04548aad8d8698df969578826344924c49045c8cb577bb2f87457461e3c9d1877711915e8be8786b9b0d8ae10e6519ec4b80b95ce3fddfbfd6cd65639384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
c9d222634618c4904e2c459b80649b88

SHA1
e4b580e85c94589f46ba2f095b57167bf62baaf3

SHA256
d3f88d3d1af44fa0a0d460cf959a588a49c2f508479db31a7425eb0041cf0250

SHA512
01382bdb0e23aa892b0568bb53749dbdf470c9da2ecf012239a4c739a2c48c04e054f56eac52a903b440bcc33479b8235bee67c066a76f9943eeb22c57fbc76b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
344480db4998efc75ea6d9c90362c8a5

SHA1
d1078b5da2d321663f6d039655db2f1c7bbf2ab7

SHA256
be16dfb3029824a8f83118e3cfb5c1ce6b02e63529a0de69a27f0b8f9bf8e1e3

SHA512
1368a6489464c6949257ba8480ecd78ebfb40d3ad9f8149501d19e68313dd7d40351f34f7b25c97ba242f217e84cec96c6feb7d2246efd4a2b97f8fdadb0554e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
62284e71b0f42e574f589b16db9c2809

SHA1
ad667f69728412b1d18f411daf87f497d7e3df91

SHA256
435fb0aff2455e5548dc328681bdc01ea456e162371142b9bc83d85fc2c02a84

SHA512
aa426d818ab085467cd8120eec355e4962f952292f5c16abeaf4c0b06c0632d67d16e3f6b13cb6cd7311b79f7ee8f08da21adc2c08a811ffb43d8439e3d82f9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
4a3a6c69525519e1f9cf0ee98754a5d8

SHA1
7e1fb4d95094f67f0fd463bacf0e4287978c9433

SHA256
747b848d4c8823013c66a5f9e68f4844962de4ae311f13b7fb6160473572fae0

SHA512
17d69d4ea3635622ce7651662241d3c1043b319c4a8e3725a882531acfbc4448e97d5d2a3add63160a304be15f520cb11ee2fa0078d9b66a48f7207c8b260748

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
be4969ec98f26e498228066f4ba2263c

SHA1
30c0ff6c3f356f3b82cc12ad0767ca5d07124306

SHA256
ec1cac10f3a5d6f52234727dd43598be0e25136ac0b6c55599cd4f38f6f1176d

SHA512
5dc7b61af691af235f6d9e875cb714afa014b4cbf04e677fd8403f2bcf798ce0837e8287a8f3a684c0426e06408272b945ffc991ac095fa9535fa8b49bb96f4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
3d9966806866c2743c456918d956b8e2

SHA1
5488f767292df9a7e52e297637ab529195a93c18

SHA256
3fd42850f06ce895bf7f21bf25100656cb7412d06db0cd882d5dc044d8197b0f

SHA512
850f713ae82d18c49db5e12696f0a56088019419a2835365dc4ef0ca546c5a2f34aada03b9c648f84a9d1714d7abc4e8ef9735944fbb53eef1535a9af8a95a8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
199fda3705b6c440e36e3fb4f72f529b

SHA1
0e6f6039dbcc994a499fbeaed22ca3c7304d284c

SHA256
dedb0ba78967477539ae18ee066b470af832c1cfca932f12196f84d2081a2fdc

SHA512
6e46228d43dc39702b4b4d03f25fd367cadf515713fd21a1e6e7e717e8259d619b18ae6a0b9815d30e602262424d51408bc3026db883989da366dc453c70d82f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
623f23ebe5a45b26699b787b69c0d3c6

SHA1
90646901b85cf17182670e61375a83e065f32178

SHA256
f0b09dade8a3d57d48468c239bc7a67c16a58f5bd7ed58219051315a2b4a9a13

SHA512
0e19a07434f3afa3b66d4e838da28c008b2ae5a37c72214c6ba75c6c8b591306f2a6db09a9d6a14c9a341ee590ec402a63e0c46f3f1da54c3008faa2c12cb6b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
889e8817359f01cf45b94070056b3aaf

SHA1
db73309c3a037085b7c61f1bf628d2b513fef0b7

SHA256
c62a574e0e1bbdb7ac44b89243542c14d744d9a85766b7841b94337cb9750c27

SHA512
6f86d14047992cffab08e395da5af58dd9a1addae3eef6f69434547e2f02db3155ef1d6fcada24da734634883ad8f113ec51bd123877b6b7227c8cfc1b3e58c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
f9ffb1a6534c7eb5752919ae9443e837

SHA1
3155f4d237db0db3ba00a6fcc1386a3790da16ae

SHA256
9ebb06a15a44493812c3c437812ce65f8b1d1cb5850d85a427d0e259e96bcf75

SHA512
21bdbb2df3916c4a4710580091bd0a0ea35ed125500a9489a6cfea72ad2ea109dd684bb0f8bc0e301ba013fdfa383ab5403ec1a8549e0f3cb42fbeddc5adc51f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
874B

MD5
eff755799020078719aa2b336517ecae

SHA1
21683ee469ceb1fb9074f1b164f3367722edc2a4

SHA256
3f114f69a62417315ab51609b3ba0a510c1dd9daae66917ee54d561eb8ed8f37

SHA512
e16016697b1fc9556d798086190ac2d452357ee735a42506c6d1112c078ef6bdc4779a13bb2be8b4f4672917331497d83a9993510553be3beb8653c294fbdc4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
7ababd7514a20e86d35321569dfbad06

SHA1
cd110f77cc409738b9c00fdc7c4174cde14c5d7c

SHA256
20bf18244a9af5120271b78528fb799020aedeb4bed9dfc63740a854606dc70c

SHA512
99782fb00bf4442d7b98a0b62f03c2e3fbbdab2f99afd4dc3f88fb0a98b790bb94f6aa5aae117214cb097002c15bec7ef8dd5b5507eeb6d17cab58694fd4cab1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cec9.TMP
Filesize
372B

MD5
7353d0afa812eb4012ed107ab09e5587

SHA1
2411d4516967eff498feb52fe8c5dac30dbc7199

SHA256
418addb8401644b7421c7f7dbf854ad3bc4fa33c2ec866c66d4c12c5cce23b26

SHA512
2e646e3e5081c9c37da1adf71b4b56b8494b04417aa19a868176e910d938ba6c6ea5447bbb33f6fbfe81db909f643b2b291f6c79565cc95a1a7b791886befd74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\db27cd77-97a0-44b0-891a-c42c8f36c0b1\0
Filesize
18.0MB

MD5
d263542d62c61b922253b99e6c55c743

SHA1
6dc8d4f219358334be3b85577752a13ca0321be0

SHA256
11bf83db0b15c7626b9afca804039d3b4ed7cd26c48be1632038d5fd50d6d6fe

SHA512
3149a33f24d5c4bb122fe13593271b5cf6f5064046ac68d46e1cd00a1f77d198322069fc0ab3e8fc08774d288e78f0b90ec34ba99902fee563fe9eef20e1a042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\db27cd77-97a0-44b0-891a-c42c8f36c0b1\3
Filesize
10.0MB

MD5
f5ab85ea7eb77f497d765e8df3c968da

SHA1
d088d8a8029d7ffb2f942a1872ff8582b74c8469

SHA256
7a0f8bbd0d34af175dc5806378b62f17567131c45b46be75535a4282718c6d8a

SHA512
82c1c9d8f0e39904671274bcd9fb14e15477649cef6a1aba623669d83b84ea454009d997444802aafa1a732bc6d3dba2b6cd0f82c70547c3bdd733421030c216

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
7e61b4f8c2ea77a1646a23f80518a4e9

SHA1
0e3294bdf9063614e00b3f01fe435e1b79561987

SHA256
1be235533f4ff43b0428d5ad2a8f80efbac799e94e4892ffed52e77a9e512bb3

SHA512
7279ae6e377d91c99b49f0c1ff320e580781b179bb1eb58b9617bd1ad9ebea26477663332103d3412431291d12d4c9809e44dadea2d63516dc30c2e9cfe7f144

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
63f66284ee3ee9887b32100812205df8

SHA1
9c585923bd5a164d314a0104825a2c65b7236c4f

SHA256
ef8012b2dbcb2b8332afafd32dd4e9cd2c57dd4446e159cdc3e7a188c17096d3

SHA512
0a80a6e3cf4b36ded1c3057a08ab2308ca646fc5d9369247c8b3aebf88c61fa0a7e27244300e11657fcf3ada2b5cbc5e6ae74860cbf8af7e83bde808fe6e34a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
f6667f562c35ee841fd126febbaa536f

SHA1
69ff7ca152b024ee5a5a1453770cc07929b1456d

SHA256
e1a8b01e8168fc600fff2d5ec9c2681889a0054a4ef7021c762f9e737f4d45b7

SHA512
3a1544705a1666994ccc6e9af470427922254182efb283046a2a6f5fc100f405ab81756ef3c8a3790e4f5262e209999f0a99c4962c72e63c236ee2c1f3507b25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
d9b1e96bed83a032336f4c46da6239af

SHA1
0afa6f0154601629a4a438fbb7dee776f491bf88

SHA256
2f7051fcc12e58868a88bb7bb32bc3605ee65d5a2bdc496934eb4235315df6da

SHA512
13ce404a7f9d7a6bf52db2c334e67741b5f4162b660887f681fe91fedc2224d2efb4618f33dcd4d9a5c3c8ebaa0c674dacf3e03952a7eccd3ce543b1c8ffc622

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
7e70a441ddbb6b2646859659ad73bc65

SHA1
717fd4ddd445bcb0d9cbb6ba4cd9fb93785b83ed

SHA256
2a82d510ff57655c6078e0a26cbe7df39d7074468b8fa05eb87f98f3043692eb

SHA512
0b19c6c10d3f723c40aae80100d451c482dfa773360c0be30af6a22f3cdbf26158c3cf0c06a36c2809ec757e5b210f72d1a0b280e3f87d235c8eabd19b35c25d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
b839e1fe27cc7ac722a2cff6fa244cc0

SHA1
d90b093802f41c1854e7ceac4d23ea4ac046e3ba

SHA256
83014bd1a021a6e7af0290ea37c3d72da2a3329c7028ca9e5210009760b0b1ce

SHA512
901124e4826cab81c1804e553584b4730130e0ab5ef7774732ca5aff0e5e103730601fc0d6198a2302afd5e1bfe46ce843750616153b65f28ddd0a06084875b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
bfc525fe76d79f379ac9e4d668975678

SHA1
b52d28394fceb500f9572447f0875b6c6a719f30

SHA256
b21794f044e0071b911c23b3844c1d19778c112b8f0492ec9256ae63c4b86ac0

SHA512
1b1d619260ae983489ea00aab165db2e6480aeb0a5994e834819f2236193c4a282153835ef7665f0e03b16342520b749211beb3c237ea9ce43136b3bf95e434c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
2497809ed0ea1b1ac1c842fe900cd4d8

SHA1
584b90afa6bf27b75e436f83995851572126958e

SHA256
82d97294ed3f9a85cfcb5077ebb49ba441ca07d2c5a14e0d5931967320fc8dba

SHA512
8053ac682aa7daf204669fb16c413c51f843cbb2b0f2ce8e95b0bd1f5f0125075a73075547357ab533c6cc3b62082e5f263fb0fa31835ce6d4f1bdeea3bbf9f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\8D62F9BE-454D-45C5-8E2B-0727C757139B
Filesize
168KB

MD5
3b452c65f147c036dcf54c8824247ace

SHA1
00e0057f3d4bdf9e68a83eedd9aa3e1ca95f29f1

SHA256
242309d9e4ace4e122fd695014717dad15ef3d951a091d086494f6ac58af6005

SHA512
1ffd0b0138a647e6b44b7ca8931ba4b6c7ed4ef12047a716445c338cef6eb7b9add761e1d53e3b5bc025c20ce8e7ac656ced99dc14f218c976fe6050f06b6d29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\AF28CEED.emf
Filesize
5KB

MD5
0ed5bc16545d23c325d756013579a697

SHA1
dcdde3196414a743177131d7d906cb67315d88e7

SHA256
3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3

SHA512
c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD4EA4.tmp\sist02.xsl
Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbhja.rtf
Filesize
816KB

MD5
1fa31ca64328a8787a861ebf2606147c

SHA1
0ee54ce015a7026a0c407c3aa23f0a0c177c0e9c

SHA256
31deb9438ca1ba85581caf03001d7d5515f9aab2e035526cdbbf36c2f1453941

SHA512
d5a0108bfbf0ee248f8f7bd31df9500262b036491ddf202fd20b2114469a100dddf66709f11d8f0425fd515d5886dbd654b3e19bad7d56b1907788261ec9f55b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
249B

MD5
74635f6e5554ebd726fdca0c002dbee2

SHA1
278e66625144f9d89050b0bedb482a68855b97d4

SHA256
483e814b8f7ff4423f67f93987147b151908e1eef88479b67d4c7c69e5444424

SHA512
bb5dfc5a78b97bd7a5bc0bfe1083b1f03b5592543abf9ce00a7a36c84fb540ddfb1c8ec8994f7e6eabc30b6de896414d171d7eb3c0735ee9708093162fd17f34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
10KB

MD5
5f089cdb9c620d33934a0d17cc1d8337

SHA1
e5daea364c969f9e58d87c9d772280e748301b7b

SHA256
60858f8a219ca216251ecf0e91850696bcd9fd152f3267570703484562b8e90c

SHA512
ba5148d1e6b276b57008e0f64654d31614eae91a92c5bcc8014e554016e8b94f8ae3c459f73cf27ca5116f813c0775ce91296848c22c13be45c365172125c25c

Download Submit
C:\Users\Admin\Desktop\YOUDIED 5.txt
Filesize
74B

MD5
05d30a59150a996af1258cdc6f388684

SHA1
c773b24888976c889284365dd0b584f003141f38

SHA256
c5e98b515636d1d7b2cd13326b70968b322469dbbe8c76fc7a84e236c1b579c9

SHA512
2144cd74536bc663d6031d7c718db64fd246346750304a8ceef5b58cd135d6ea061c43c9150334ee292c7367ff4991b118080152b8ebc9c5630b6c5186872a3a

Download Submit
C:\Users\Admin\Downloads\FlashKiller.exe
Filesize
4KB

MD5
331973644859575a72f7b08ba0447f2a

SHA1
869a4f0c48ed46b8fe107c0368d5206bc8b2efb5

SHA256
353df4f186c06a626373b0978d15ec6357510fd0d4ac54b63217b37142ab52d3

SHA512
402662eb4d47af234b3e5fbba10c6d77bdfdb9ff8ecfdd9d204f0264b64ea97fc3b5c54469f537173a26c72b3733550854749649d649bc0153c8fe3faacc50a1

Download Submit
C:\Users\Admin\Downloads\Gas.exe:Zone.Identifier
Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Grave.apk
Filesize
560KB

MD5
61b29201190909e848107d93063726ca

SHA1
f6505a3b56fdbbc54e1624793581afe45010c890

SHA256
64c874d0a67387d174fbf18811ef23e9d9b0f532ed7f805e542dacdf3c9d42f9

SHA512
a2e8fa752d62e77e20e6fd86b7c6de3e683e41932eef448164944bd5f5dbb91ccf4380b3c13943e5c0264b9127b7f5e471ece68753af541d408caefae1065930

Download Submit
C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition Sources.zip
Filesize
23.0MB

MD5
024187c3f6d944f699f4b4dd5a201d8e

SHA1
1c30cd4976aa303dd3be9bb577744fd694d10833

SHA256
7429aa031069da80e88d528310c8e1379745b1a5b3589bf3b11987cf85bb3600

SHA512
86e2e22525704a4ba10989cf9fa926fe73cf003171f0fd13a8e2393184e48e4a96baaed9ce50edffe497d12dda671c689daeb26de0c01d6d8e7b2d312d07ae4a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 15603.crdownload
Filesize
18KB

MD5
e7af185503236e623705368a443a17d9

SHA1
863084d6e7f3ed1ba6cc43f0746445b9ad218474

SHA256
da3f40b66cc657ea33dbf547eb05d8d4fb5fb5cf753689d0222039a3292c937a

SHA512
8db51d9029dfb0a1a112899ca1f1dacfd37ae9dec4d07594900c5725bc0f60212ab69395f560b30b20f6e1dffba84d585ef5ae2b43f77c3d5373fe481a8b8fc3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 457490.crdownload
Filesize
22KB

MD5
31420227141ade98a5a5228bf8e6a97d

SHA1
19329845635ebbc5c4026e111650d3ef42ab05ac

SHA256
1edc8771e2a1a70023fc9ddeb5a6bc950380224b75e8306eb70da8eb80cb5b71

SHA512
cbb18a6667b377eb68395cfd8df52b7d93c4554c3b5ab32c70e73b86e3dedb7949122fe8eea9530cd53944b45a1b699380bf1e9e5254af04d8409c594a52c0e7

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 538907.crdownload
Filesize
9KB

MD5
b01ee228c4a61a5c06b01160790f9f7c

SHA1
e7cc238b6767401f6e3018d3f0acfe6d207450f8

SHA256
14e6ac84d824c0cf6ea8ebb5b3be10f8893449474096e59ff0fd878d49d0c160

SHA512
c849231c19590e61fbf15847af5062f817247f2bcd476700f1e1fa52dcafa5f0417cc01906b44c890be8cef9347e3c8f6b1594d750b1cebdd6a71256fed79140

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 538907.crdownload:SmartScreen
Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\metrofax.doc
Filesize
221KB

MD5
28e855032f83adbd2d8499af6d2d0e22

SHA1
6b590325e2e465d9762fa5d1877846667268558a

SHA256
b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e

SHA512
e401cbd41e044ff7d557f57960d50fb821244eaa97ce1218191d58e0935f6c069e6a0ff4788ed91ead279f36ba4eddfaa08dc3de01082c41dc9c2fc3c4b0ae34

Download Submit
C:\Windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav
Filesize
19.0MB

MD5
1b185a156cfc1ddeff939bf62672516b

SHA1
fd8b803400036f42c8d20ae491e2f1f040a1aed5

SHA256
e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36

SHA512
41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7

Download Submit
C:\bg.bmp
Filesize
6.6MB

MD5
a605dbeda4f89c1569dd46221c5e85b5

SHA1
5f28ce1e1788a083552b9ac760e57d278467a1f9

SHA256
77897f44096311ddb6d569c2a595eca3967c645f24c274318a51e5346816eb8e

SHA512
e4afa652f0133d51480f1d249c828600d02f024aa2cccfb58a0830a9d0c6ee56906736e6d87554ed25c4e69252536cb7379b60b2867b647966269c965b538610

Download Submit
\??\pipe\LOCAL\crashpad_920_JKFPNGTELSAFCQOD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1972-2785-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2284-2476-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3284-1305-0x00007FF811A70000-0x00007FF811A80000-memory.dmp

Filesize
64KB

Download
memory/3284-1154-0x00007FF80EF50000-0x00007FF80EF60000-memory.dmp

Filesize
64KB

Download
memory/3284-1164-0x00007FF80EF50000-0x00007FF80EF60000-memory.dmp

Filesize
64KB

Download
memory/3284-1303-0x00007FF811A70000-0x00007FF811A80000-memory.dmp

Filesize
64KB

Download
memory/3284-1149-0x00007FF811A70000-0x00007FF811A80000-memory.dmp

Filesize
64KB

Download
memory/3284-1306-0x00007FF811A70000-0x00007FF811A80000-memory.dmp

Filesize
64KB

Download
memory/3284-1151-0x00007FF811A70000-0x00007FF811A80000-memory.dmp

Filesize
64KB

Download
memory/3284-1152-0x00007FF811A70000-0x00007FF811A80000-memory.dmp

Filesize
64KB

Download
memory/3284-1153-0x00007FF811A70000-0x00007FF811A80000-memory.dmp

Filesize
64KB

Download
memory/3284-1150-0x00007FF811A70000-0x00007FF811A80000-memory.dmp

Filesize
64KB

Download
memory/3284-1304-0x00007FF811A70000-0x00007FF811A80000-memory.dmp

Filesize
64KB

Download
memory/4192-1126-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4192-1115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4460-1104-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4460-1102-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4960-1048-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/6032-2835-0x0000000000720000-0x0000000000C22000-memory.dmp

Filesize
5.0MB

Download
memory/6032-2836-0x0000000005C70000-0x0000000006216000-memory.dmp

Filesize
5.6MB

Download
memory/6032-2837-0x0000000005760000-0x00000000057F2000-memory.dmp

Filesize
584KB

Download
memory/6032-2838-0x0000000005B90000-0x0000000005B9A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads