Malware Analysis Report

2024-11-16 12:34

Sample ID 240304-r86vksda3y
Target sample
SHA256 9ee73fddcf442cc41bf8dfdfa6e283d335242e061bf643ec0c1a35130d219003
Tags
bootkit discovery evasion exploit persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9ee73fddcf442cc41bf8dfdfa6e283d335242e061bf643ec0c1a35130d219003

Threat Level: Known bad

The file sample was found to be: Known bad.

Malicious Activity Summary

bootkit discovery evasion exploit persistence ransomware trojan

Modifies WinLogon for persistence

UAC bypass

Disables Task Manager via registry modification

Downloads MZ/PE file

Possible privilege escalation attempt

Executes dropped EXE

Checks computer location settings

Modifies file permissions

Legitimate hosting services abused for malware hosting/C2

Writes to the Master Boot Record (MBR)

Sets desktop wallpaper using registry

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Enumerates system info in registry

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

System policy modification

Suspicious use of SendNotifyMessage

Kills process with taskkill

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

NTFS ADS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-04 14:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-04 14:52

Reported

2024-03-04 15:23

Platform

win10v2004-20240226-en

Max time kernel

375s

Max time network

330s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\windows\\winbase_base_procid_none\\secureloc0x65\\WinRapistI386.vbs\"" C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\windows\SysWOW64\takeown.exe N/A
N/A N/A C:\windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\windows\SysWOW64\takeown.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\mbr.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" C:\Windows\system32\reg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav C:\Windows\system32\cmd.exe N/A
File created C:\windows\WinAttr.gci C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
File opened for modification \??\c:\windows\WinAttr.gci C:\Windows\SysWOW64\cmd.exe N/A
File created \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe C:\Windows\system32\cmd.exe N/A
File opened for modification \??\c:\windows\winbase_base_procid_none\secureloc0x65\gdifuncs.exe C:\Windows\system32\cmd.exe N/A
File created \??\c:\windows\winbase_base_procid_none\secureloc0x65\mainbgtheme.wav C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Cursors\Arrow = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Cursors\AppStarting = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Cursors\Hand = "C:\\Windows\\winbase_base_procid_none\\secureloc0x65\\rcur.cur" C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\sln_auto_file\shell\open C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\sln_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\"" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.sln C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\sln_auto_file C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\.sln\ = "sln_auto_file" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-566096764-1992588923-1249862864-1000\{6E342154-4724-486C-BBA9-CA3864992E77} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\sln_auto_file\shell C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\sln_auto_file\shell\open\command C:\Windows\system32\OpenWith.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 272924.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeTakeOwnershipPrivilege N/A C:\windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3972 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 3996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 1300 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2668 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 2668 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3972 wrote to memory of 932 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff888f46f8,0x7fff888f4708,0x7fff888f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3660 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3660 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5444 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5416 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6064 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3512 /prefetch:8

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\YouAreAnIdiot.sln"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\YouAreAnIdiot.sln

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.0.492229633\533070058" -parentBuildID 20221007134813 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {024915b2-42e2-4eca-8fc6-297dd33bae0c} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 1992 1ec58e06858 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.1.770399110\1301145340" -parentBuildID 20221007134813 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13f20e15-a915-47cb-acd4-163e4877bf76} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 2428 1ec441e4a58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.2.1167360623\1085269295" -childID 1 -isForBrowser -prefsHandle 2944 -prefMapHandle 3048 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91b5b99c-faf5-4fc8-bc1a-c1b7c11d4c5d} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 3256 1ec58062258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.3.2138859823\1135262041" -childID 2 -isForBrowser -prefsHandle 3560 -prefMapHandle 3556 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18e2bf9a-2532-44cc-99b7-1617196d0279} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 3572 1ec44162858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.4.137385359\1347526071" -childID 3 -isForBrowser -prefsHandle 4724 -prefMapHandle 4720 -prefsLen 26300 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56cb2abc-71c7-44b4-a70d-ce4d1898018d} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 4740 1ec5c46cd58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.5.533576441\156946551" -childID 4 -isForBrowser -prefsHandle 5044 -prefMapHandle 5048 -prefsLen 26300 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6523799f-1c7f-4358-b558-10aeafc9ede8} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 5032 1ec5e16fb58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2276.6.1808660587\470899665" -childID 5 -isForBrowser -prefsHandle 5244 -prefMapHandle 5248 -prefsLen 26300 -prefMapSize 233444 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36baea4a-c366-4a43-98b4-6d5a98cad688} 2276 "\\.\pipe\gecko-crash-server-pipe.2276" 5236 1ec5e16e658 tab

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6428 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5992 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,1333168878240876001,4724461481561998626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2756 /prefetch:8

C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition.exe

"C:\Users\Admin\Downloads\HorrorTrojan Ultimate Edition.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\A1A6.tmp\A1A7.vbs //Nologo

C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\mbr.exe

"C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\mbr.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\tools.cmd" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\jeffpopup.exe

"C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\jeffpopup.exe"

C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\bobcreep.exe

"C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\bobcreep.exe"

C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe

"C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2f8 0x32c

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\YOUDIED 42.txt

C:\windows\SysWOW64\takeown.exe

"C:\windows\system32\takeown.exe" /f C:\windows\system32\LogonUI.exe

C:\windows\SysWOW64\icacls.exe

"C:\windows\system32\icacls.exe" C:\\windows\\system32\\LogonUI.exe /granted "Admin":F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c cd\&cd Windows\system32&takeown /f LogonUI.exe&icacls LogonUI.exe /granted "%username%":F&cd..&cd winbase_base_procid_none&cd secureloc0x65&copy "ui65.exe" "C:\windows\system32\LogonUI.exe" /Y&echo WinLTDRStartwinpos > "c:\windows\WinAttr.gci"&timeout 2&taskkill /f /im "tobi0a0c.exe"&exit

C:\Windows\SysWOW64\takeown.exe

takeown /f LogonUI.exe

C:\Windows\SysWOW64\icacls.exe

icacls LogonUI.exe /granted "Admin":F

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im "tobi0a0c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
GB 92.123.128.168:443 www.bing.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 168.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
GB 92.123.128.188:443 th.bing.com tcp
GB 92.123.128.171:443 r.bing.com tcp
GB 92.123.128.171:443 r.bing.com tcp
GB 92.123.128.188:443 th.bing.com tcp
US 8.8.8.8:53 171.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 188.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 login.microsoftonline.com udp
NL 40.126.32.140:443 login.microsoftonline.com tcp
US 8.8.8.8:53 services.bingapis.com udp
US 13.107.5.80:443 services.bingapis.com tcp
US 8.8.8.8:53 80.5.107.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 www.clarity.ms udp
US 13.107.253.64:443 www.clarity.ms tcp
US 8.8.8.8:53 64.253.107.13.in-addr.arpa udp
US 8.8.8.8:53 c.clarity.ms udp
IE 68.219.88.97:443 c.clarity.ms tcp
US 8.8.8.8:53 r.clarity.ms udp
US 20.119.174.243:443 r.clarity.ms tcp
US 8.8.8.8:53 c.bing.com udp
US 20.119.174.243:443 r.clarity.ms tcp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 97.88.219.68.in-addr.arpa udp
US 8.8.8.8:53 243.174.119.20.in-addr.arpa udp
US 20.119.174.243:443 r.clarity.ms tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 20.119.174.243:443 r.clarity.ms tcp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
DE 140.82.121.4:443 github.com tcp
DE 140.82.121.4:443 github.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.133:443 user-images.githubusercontent.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 collector.github.com udp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 api.github.com udp
US 140.82.113.21:443 collector.github.com tcp
US 140.82.113.21:443 collector.github.com tcp
DE 140.82.121.5:443 api.github.com tcp
US 8.8.8.8:53 154.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 4.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 5.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 21.113.82.140.in-addr.arpa udp
US 20.119.174.243:443 r.clarity.ms tcp
US 20.119.174.243:443 r.clarity.ms tcp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 20.119.174.243:443 r.clarity.ms tcp
GB 92.123.128.188:443 th.bing.com tcp
DE 140.82.121.4:443 github.com tcp
US 20.119.174.243:443 r.clarity.ms tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 44.239.242.57:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 57.242.239.44.in-addr.arpa udp
N/A 127.0.0.1:53725 tcp
N/A 127.0.0.1:53731 tcp
US 8.8.8.8:53 r.clarity.ms udp
US 20.119.174.243:443 r.clarity.ms tcp
US 20.119.174.243:443 r.clarity.ms tcp
US 20.119.174.243:443 r.clarity.ms tcp
US 20.119.174.243:443 r.clarity.ms tcp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
GB 92.123.128.191:443 th.bing.com tcp
US 20.119.174.243:443 r.clarity.ms tcp
US 8.8.8.8:53 191.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
DE 140.82.121.4:443 github.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 api.github.com udp
DE 140.82.121.6:443 api.github.com tcp
US 8.8.8.8:53 6.121.82.140.in-addr.arpa udp
US 20.119.174.243:443 r.clarity.ms tcp
US 20.119.174.243:443 r.clarity.ms tcp
US 20.119.174.243:443 r.clarity.ms tcp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e1b45169ebca0dceadb0f45697799d62
SHA1 803604277318898e6f5c6fb92270ca83b5609cd5
SHA256 4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60
SHA512 357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

\??\pipe\LOCAL\crashpad_3972_KUZGDTRCXCFNTYYP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9ffb5f81e8eccd0963c46cbfea1abc20
SHA1 a02a610afd3543de215565bc488a4343bb5c1a59
SHA256 3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc
SHA512 2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d44349d4334235b24bbf5fa35d04a321
SHA1 152be05ef857f10a986b5f3c383d9004156547f9
SHA256 278e546b50eee8109ef195a02637385a51cf0ae1f588abc6ae89bba23c011b95
SHA512 eb31f5361fe6216b970a6695aa8cb32cf263c73e9c2fa95566f2a6239914eda6354144369dc536bc175764283eed9b921c3083d8cdce2efccd5fe83e3fcad34e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\5872c7b1-4f31-4558-9756-8a4ca6d4e726.tmp

MD5 64bb2f4120013baf7a44d92a693a5db7
SHA1 f9e26c16404cc38811fa3b52220753c5723d7b8d
SHA256 d40c5544c35920676540db865f127c0d36e47d599da9dbf3e1187c3eadee9db6
SHA512 c1fc407c300a73a7417e3bded8cbfbdc8e6959a61dcd899429dfa98e75fded22c7b0c80b847340142fbbb77cb11f64135fd83c5f92949a867a460ac12d064a69

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a6e60eef1cc0d78bfe43135564fcadb2
SHA1 6e00858eefcaa782f524a1c2c0d9322c80828e08
SHA256 9c47ff527aa59c3d6a1bcc32475d37e2b2f951770eb2ea77f9390609de73b76c
SHA512 df513c6dd1203d6378179f70c7fd8f4bd4ece3b85a0707ae8679a41d330fc709b09d7fe9384c00dce64e23118eeddf3da28b561797bc978f4ef89ab30f05c3e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 807419ca9a4734feaf8d8563a003b048
SHA1 a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256 aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512 f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e54f.TMP

MD5 efd99bba87a5257e95507bf87764cd37
SHA1 8cc1af8d13e4d4f351e86aa3329e1ce5b3be9852
SHA256 7e70c42608781d355d82db53567e20481d1c73bc51bcaa1fc6120f15d090939f
SHA512 65d0701e5bad9cb42a91ffac620292abc3b6892ded03a92a13b75c5c58b9656bebb5cce7dc040d6c1599b2ef41c345c4c75791b7a5aeef982f60b7face5a8c7a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\138e0a36-edbc-49ed-bd6f-40a3bec2df0e.tmp

MD5 a2f2feb5140818c4cff8c9fc4fb31bc0
SHA1 336800747668cf3effb30fd6b28a7339b740c34a
SHA256 107f6b16d5a03fe5050964987e956669df920595dffb5c4a3a1f358e8a7a4613
SHA512 eca693ec3b31a70f3283dda8d3dffd1a73c23fcd78c6d81ec01f4600fd097439bb9a565ae02a4a8a18509c4ab1332a716141454eaad8e91b97daa74dd71b24cf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 be27b8dcc4c0c0fc5b20b98ddee15dbb
SHA1 59c61b3c1763e4642fa36a61f9381827e3b2820a
SHA256 1bafc38217302d07151988a7b3cb34479ac86bececc5e3fce818f25e0403f575
SHA512 dee42c0f7965b6febbc5b1803ec3fba06b5e71a931aced156cf9a9f4e71fa62dc455fccb5b6710e13b1527a2ec3767a916c42daa37c9346a1dd0babf766d64c5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 7cd53a1ba870c1335e6aa75257236bb9
SHA1 6af16bb801880c29d8c52af7ce73c7aafcb807de
SHA256 ca0f7be33f2307008cb1b646c8810bb5891d8b6baba0a8b92d3f4c622cf681e8
SHA512 858da2aeae360f5a84c100275d9744bffe97f8273becd8e73737256b369c4c1c95f93ca8c013197958054e6c5f0ac53d46bc0737ceb9398fa331bf79e6237de5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 0862fb33b4b06a7f44264277dbd47847
SHA1 4ff1782a85c8d84e69aafaccf8d2bb15e048b038
SHA256 102121d47fc900fa5b32e4077da4a76f58874e132acd3a73f476fd1694cc1233
SHA512 68c0c7185a0a9dc685b95e504706354bca1c958aed7659178f0793fd2c574f580f20a66a458afdadcd577bbe756a7c044cad9e3f9fcba15106260fdaaca85e9e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

MD5 a127a49f49671771565e01d883a5e4fa
SHA1 09ec098e238b34c09406628c6bee1b81472fc003
SHA256 3f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6
SHA512 61b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

MD5 c3c0eb5e044497577bec91b5970f6d30
SHA1 d833f81cf21f68d43ba64a6c28892945adc317a6
SHA256 eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb
SHA512 83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 710d7637cc7e21b62fd3efe6aba1fd27
SHA1 8645d6b137064c7b38e10c736724e17787db6cf3
SHA256 c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA512 19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

MD5 2e86a72f4e82614cd4842950d2e0a716
SHA1 d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256 c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA512 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

MD5 acd3f8bcdca044e4382c0bb6246b0234
SHA1 1c83d89a3c40835a82f06e6bea0af86f52901bc5
SHA256 cec8af8be960f3b13ad0f554c338ab88688ae5b4ddfcda5471fc8268ce66db25
SHA512 3cbf100cc72f4a63c7aebe0ec029fc3635b97addbb0a4e83febbd127e00ff1455fc0b4cb90839f3bec498a7cdb848d8fde4d6991cc6a1f479669e70ad220b5a1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

MD5 74e33b4b54f4d1f3da06ab47c5936a13
SHA1 6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c
SHA256 535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287
SHA512 79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

MD5 ae6fba4a8a4923ae8fb23bbe54365bb4
SHA1 fb04d11d5f8433a5149dbbf05323cdbcbdfaf3c5
SHA256 d3effbeee1babe87697c39dab95237973aef8f4755a273b3a04b6585d927f7f3
SHA512 275b997c5819b5c360b1f5f1a8239e6f7e1631a0c75677a4d428c8a25e03400314e8eca58f54af524fb93c3b609b7c47e60ae05a7ba874651ed58b54281a2ed5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 46054de962eba3a13390db44fe3aa80f
SHA1 a9578a5983551487370c19f2d6580c735cc65696
SHA256 51b4c8d5dbea11ba92eef54e2d6348be724e4467fe2193466a39b3b262c86bec
SHA512 3520036013a0a9416bfe98e2cb94f4b51c740bb288a80909afd48369535ca96c3c2decc295993e9e8855e1f42d6863df017f8fd11154c0aa0388bffe613c678e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1b35abf20ec6a2b9a0e4e01bbcdca768
SHA1 a7b6a9a2364142fb9418349f8f60df5899bb113e
SHA256 002c97c0de0d86c6feb444f819489d9db1c4cdd58c1c67bcb868a63e5a696404
SHA512 4033b490bf969ea02d51c9ed9a5a2966e3bf26e578927d51913ce6150962fb7d2da6cfbc570f6729cb1cdae2d581d159ecd3656c355c2de727fdfef33741a7c0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 7f6b30fda2d5c99fcde25aa2880fe97d
SHA1 4c0c9c582e1e646465a7741a8bc2535141222448
SHA256 6ad0b7402f9ae75b9b7e64fc2d58e0357121f73bbd238795b85163e52ed504c7
SHA512 074a5d0a677e19407631ea6887747038102e38b53b14ce2bb52ebf28fb41cacac1bf8aaeae99feeeb23f99e4377467426f3539c6154e4874a0078575610b524f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e11b6a096eadbedb36df5c2a4c306ae7
SHA1 03412ea92bc9c697a02417f609b5c8ad6033c698
SHA256 060a1aca5f1b3cd2aa34cf99f8c64170f285fbc57c4faa16ddbfa0a203530096
SHA512 7d8f89008f058b6e4acfbe079c3cb2828496671ec912753135246d017e1cf1f628e8eeb99e1fc403d98e748ef964b34e303044672c4cfd51fe43672cc6800701

C:\Users\Admin\Downloads\YouAreAnIdiot.sln

MD5 76b06b4f32c1a1d1cbd3767a11b9fdc1
SHA1 4da3da200a68c940c9f20edbbeaa159cbf910d90
SHA256 c23dcd400f98fc07f2f24411d681cc27cb3ddd4df4834d6456e0adbe9ad59697
SHA512 00974bb7139e60160175b209b4eb9ce73f93ea9e316adfe2d8595ada00b1f6d0bf7de6795aa6bdde5bca0a22a8395a368d69aba04265134fa2c06af7fdbf650d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 391a035a8eb5096f287d6387c8b361ff
SHA1 4a640635e11332c69f121cfafdb32deeb47fe43c
SHA256 ee477bd85620732df0ca9d64ad92aa96d9dbb399f633116923b945190061d4ae
SHA512 6150e5a9e27c75c0acb84868e57cf05b9019f81639e56df5ad2cc732ea029207f0802cab0833b7755d619e41733b307081a9a134c21739855f1e1bf89ccc5c9b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 50bda4e4c2c37838e1b3061cedd85def
SHA1 74448ec8aa4abacbccd56b081397b2bc5fdda80d
SHA256 0e5da229a7e76db51ef98f49be5d1b102b342d2b4165ae5bbd4f16687f652b19
SHA512 3c989f8b4ea871c08b1ff4e082a79c568e52418307890067ffaf39563429726c8a78bdd2f73136c4854fe873a8ff37cb2585ee6c4709d2cf08572a983ddee00f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 61695f61137bbe68cff6cd0a1fb705c6
SHA1 1db399d4ea6bf776b6688ad7eb0a3e97ae7a473e
SHA256 64e08fb246251fb6c2812c84b59ad3496696ec8b85757db42f5fc917a4f474a6
SHA512 b1b5f5e003c88f08d4e694b8142c7935b1e12a74696594643c263ea0245fc31220f79a19706dde3a106d9c884d18163841d1bf5fd8705fef5673711b3281cb36

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\datareporting\glean\pending_pings\2b20705a-5f86-4ce1-a455-3d1cf8202a34

MD5 eab11c54725ad960901bce80b0e59886
SHA1 871ebbc1775d539f93782923867a9a432cba6a0a
SHA256 125056240c5cdc06283278e45b99dd7c232706f1b258c7d4d46f09841b8a93ff
SHA512 04e15ee85f7d579e58773d969822e5bddd092482626dc9ee90b817a5e3ff952d9c0d91220e5f310ef6c235788861a50938136700ebc8db09fe340de965fba13c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\datareporting\glean\pending_pings\61be411a-4b51-4490-80d7-36b772ead8cf

MD5 26f85b0c53226c77ffea75a620af9947
SHA1 f1152af02fe65d666941ea8e4378a662a496ad03
SHA256 096a94a5ded14fd1f9a5e67d1a8d791f9fcabd3eb76633377bba1a4dba30fe0a
SHA512 cbde78243c83a91a84a48ce04fffed0d35242ebd7ae8d011319f49dbfe715733b8daa4e605db304ac66d4c75391c6064f3654e5b4cf87f223d30b081f564bf3d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\datareporting\glean\db\data.safe.bin

MD5 ec60c203f452038c1f596e9d212f678d
SHA1 27b406b0783127237a2fa0f7193285703f21a112
SHA256 b30b4285510fdbd2747fef3182a57359aeecfbbd686002faf23024c482af512a
SHA512 04c9ecd3eeed860870ab7214b8097289582a6cb0db262a1d6a158fd45b84698045e016714c62fd280614bb245b779fd92cfcf8ee8f4c06b3375499af7d6a5ab9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 cfd8fefa203d469805bc877068fa18ff
SHA1 88abe1ac978221c7bd497696362656d7f27ea925
SHA256 d92749c161935fd52521a95b9408a9b6476d79def1e3dba627d5a5bebcebf98d
SHA512 6c616810143da9817b3696b63e17b46fb9f7f65566aeb78cc4f040681da4ae15cb9e68655a6c40266e520b09bd1c683cc69551c7e8031e0e32dd3b1b41b7d7a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\prefs-1.js

MD5 f67f80b8bf6f132d8b69dc0a5885531a
SHA1 27834732d142dd5d9a2d192b92b6f13fc159ca1c
SHA256 dbd052089b80ca26ae47f50777f88f9eddcc67967f87c80dff6e0d6eaada42ac
SHA512 7938c98cf14e54cf6ad4370c1cae01e472e73b313a6953923964973144e0e0877e8f352364ce6d0520e25149fca3ebd5bc01c9ea2c7b47e281cc5565b57b6699

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\prefs.js

MD5 1c52338385f86b28bb16f91843e6e1b2
SHA1 b3f959c6edee446345f9905264a2cc0537fa6f07
SHA256 a0597cd50a82e19cc399327dd5a7013a9bd3a6c17b6981629242ac4a36f4d13a
SHA512 05f6f924938812b2460615952486775c69395e84eb2007a099782739315e48866ca760054bdca82127a078f1206d9335dee98f842de81e59cea8b128d1acbcbf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0etkwu5l.default-release\sessionstore.jsonlz4

MD5 854fb93e1c6f2979c5568f859ac419ee
SHA1 dcdcd2a0db7b66106aaa52740ae1b5b8d61cd570
SHA256 14b8d7d95ad3bb4517278d9e6c14b7b8b26a627b3fdeae3b6a0c952675dbad30
SHA512 f3f25839be366a2789a6b0527d9845cc7089f20df9d1069190d27ffd14d66b4cef7d0365cd010bcf07b7d885d15cf2ffbcde7a2ecb88ad2613a75d2e5681e2ba

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d515a1b79da956e7d6586738b8d5b004
SHA1 edffe60f285a1aa1fd58a7f11b720cbb537e5637
SHA256 181ec284425fdb3cd84fdbea7b792ca66cee92c733d7c18d0cf142efbf9c3da5
SHA512 844a1f79da1bc74f19f4774c6ce492ed018ff670df60dfd2b4586c5cd53b30eb1cf3b659ec85ab6a41bb517231ff4d148fd3c61352b346faf982e088110e6db1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

MD5 bbc7e5859c0d0757b3b1b15e1b11929d
SHA1 59df2c56b3c79ac1de9b400ddf3c5a693fa76c2d
SHA256 851c67fbabfda5b3151a6f73f283f7f0634cd1163719135a8de25c0518234fc2
SHA512 f1fecb77f4cdfe7165cc1f2da042048fd94033ca4e648e50ebc4171c806c3c174666bb321c6dda53f2f175dc310ad2459e8f01778acaee6e7c7606497c0a1dea

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

MD5 bc9faa8bb6aae687766b2db2e055a494
SHA1 34b2395d1b6908afcd60f92cdd8e7153939191e4
SHA256 4a725d21a3c98f0b9c5763b0a0796818d341579817af762448e1be522bc574ed
SHA512 621386935230595c3a00b9c53ea25daa78c2823d32085e22363dc438150f1cb6b3d50be5c58665886fac2286ae63bf1f62c8803cb38a0cac201c82ee2db975c4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

MD5 8b2813296f6e3577e9ac2eb518ac437e
SHA1 6c8066353b4d463018aa1e4e9bb9bf2e9a7d9a86
SHA256 befb3b0471067ac66b93fcdba75c11d743f70a02bb9f5eef7501fa874686319d
SHA512 a1ed4d23dfbe981bf749c2008ab55a3d76e8f41801a09475e7e0109600f288aa20036273940e8ba70a172dec57eec56fe7c567cb941ba71edae080f2fdcc1e0c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

MD5 e562aa584409a79d9174919c1065f2e3
SHA1 d9dd1d50ab52b6b475baaf995eddbdb37545c2a7
SHA256 786d1ba73e48a4e2d26cff209e77a859c0f71e7cabff025db82f6e6fd7013507
SHA512 834825915c3f6273fd34ca174f3000d308fd2b7c3a081d4ebe9ea390e49e39e64e329ba369d6402cefe2595ad5a3718f99525c69b7a2e48eacde965ef6b2906f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

MD5 24ab2f3a8c26685b6be9d07b5ef7df00
SHA1 cd316ec3208392f5b2846e668337938511998388
SHA256 54364a48157dd6f58c16da41f7cf4e0ea32c2ccf432e5b0623b87223c8c3696b
SHA512 efab865d8590020d7069146b82d66a3e35d586a8672eaa4de3d3cd158680fd20aa7cc4520cae3a59ff10569e1ac9c295c171e27d3f364cf1ef3642cc696b9c89

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

MD5 ed8322298d06f491f494f5e8c388e69c
SHA1 dd1c8c0595ce620796e61b7c832127d657b5099e
SHA256 1d64b5180af2d9f5091394e9438cb25adf84ab3073a0d1e6ceb2376a94e77275
SHA512 f79c93c22fb38a2d2a00995b1d0e3944e037c23f11362b8f2468b4d9808c8377b2484831a34e84f2f3d86934d3ae369a635f1459776d4d9b353fb6dc757134d0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

MD5 063fe934b18300c766e7279114db4b67
SHA1 d7e71855cf6e8d1e7fbaa763223857f50cd1d4bd
SHA256 8745914e0214bcd9d2e6a841f0679a81084ef3fc3d99125876bee26653f4253e
SHA512 9d0dfc21306b3a56c2ecdf1265392271969e3765e161e117c8765125b34793e24458217cf6514b364f351f47e65baaaf5856be0d13406a789f844d6ba8c7075f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

MD5 93ab4cf70b3aa1641a4b258c3fe03f24
SHA1 cba2ddecb8e019e6e5a91dcf867c6d6094f39b63
SHA256 d6c2f9f2bb35841cdb53abb660544e6e6f44e39d6542323992cc1c63e998fa16
SHA512 70fa907afd9b52ed54a3cf755e394c40a3ff7a83041540b435cba47d889c1c9401afc9fb23a5e879d85bed42fd5df40cd7540d428b3ee7a9cdc278a314770884

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

MD5 e3c321ef088d2b913659c2c1d004be2d
SHA1 b3c22a8b4e51c97ea9a0ea82f898adc88fc74499
SHA256 8d0c890ef816f03ebd62e0389e50def14b6362812bd0d5cb75cc9feaa67e08cd
SHA512 abeec3d8df3e3c12e4d5a737b66677088abd3a0466f8c3c3848e662e2623fcff90108d6f50ce77968dadf457ea2f97809cd1f44b2efab0cff3b65e3ab388b1eb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

MD5 ce9fe310a8b8ed92ae2c8472ff3b59ca
SHA1 59b1ef50b9181ea7b2ff15c6b3aee5b5b9d1e637
SHA256 886630a4fffcd5467a13460abee5fe70b262befa51b6353ea902a02e8ce112a1
SHA512 31c68e2fd65c6bad73ec409e6ddd9b1593bd3ad92ed5af979752ab4cd41bcc2f896a9be992c6ceeb232db9687c57c0abd3e35185c1e84199e6e87aeae84d099b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

MD5 77a781823d1c1a1f70513ffeda9e996d
SHA1 60776ceeb79ed41e7cd49b1ee07b1e09ff846f25
SHA256 b093599957b103def2cc82ffd2d42d57a98292ace5a6596e3e4439a6cce063b2
SHA512 9aa66273ad419e1fc4ee825ec9e9fea4297139eca060572d3f59ed9bccbf2e1dbd03a006a0a35c6d37196e8297ec9a49fb787f0a31c3772b17911603eca62aac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

MD5 233bac65b1e572d177982c004427b11a
SHA1 ff3e3b78ebe6738929314282b6539c254cacdd41
SHA256 1083412d99a19f9037474da7547c0c3b708dfcfba94f8130f194dccc18bf929a
SHA512 8e39f2e028dfa55caedd2b19ceb0f0193a60afefc1e7025c6a2b61d23329c537df8ed35370ecf89d175cbf31a503e1d0acebaa0b68b98b4eaef40ba228f826d9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c6a596358000e9e1488b3bb70dcaad6d
SHA1 d4d8a4c6c6a1dde5cbae389ab6469feada7773f3
SHA256 d85832bcc765ae764d7e9c6d39897c9a161283ce1e80ad0a01f4a55f3da7cb66
SHA512 91064e8b777e2b1b404960831c2ebbdce9757f70a5e35064707b8d274abe5a50d1727ceae3fcbdf539afc84839147ed4a854894a9aacfee2bb84d63e3b1bbcff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8d68a574e7e46a012c2afa6d4284988c
SHA1 917f42f3ffd46bd2748ca0cc48a600a40d726925
SHA256 f0a419278cd5a7baf18f9320280e28dee0611535a119273eec3dc53c66643b8b
SHA512 64d1914e2ffe6f46c82a810c708b7a5afe595d0280214ced91d5fcd6cf56268e9f3e2e5a96e66e63379e1f3bc81243d7bc45f64c1dd3b26ef43d31331e297829

C:\Users\Admin\Downloads\Unconfirmed 272924.crdownload

MD5 8f5a2b3154aba26acf5440fd3034326c
SHA1 b4d508ee783dc1f1a2cf9147cc1e5729470e773b
SHA256 fc7e799742a1c64361a8a9c3fecdf44f9db85f0bf57f4fb5712519d12ba4c5ac
SHA512 01c052c71a2f97daf76c91765e3ee6ec46ca7cb67b162c2fc668ef5ee35399622496c95568dedffbaf72524f70f6afcfe90f567fbb653a93d800664b046cd5f2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8dc6fe69c5ff032b466ff05c72e53731
SHA1 506f39fd000a406f6ad50c2252fcba9d62c9475b
SHA256 7d88705b0bff1b436d908ce3371478d68bda943efaf87a5a3f03b8df988d2637
SHA512 fd438642b33f1932a9029555a2ddac58c59f3d0372b8c27e6d542fbd94b2ca632e79de0ec0677f770ce2f5e6066ecd5a78d8bb5959cdf10ec6fff2309ef92876

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 950fb38b16067834efbc141a902b101a
SHA1 b87ea1686f62823012338bfe7c69b78527c1b9d5
SHA256 952cd752e82703664494c53eaff28a3547eb3269b0c2c7abe8a80d0d2ebbb664
SHA512 38dcb0505378f61a764f5d2bac54e40331372fedd65826e984185b7337671be25d87bf2faafe0f354bf411804852d35f5f977e2f9ff17a5aa7ac3d6b36cb589b

C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\A1A6.tmp\A1A7.vbs

MD5 a0679dce64fcf875f4208b823d4b85c0
SHA1 85abe3673db82bfe5b2c207dc98648e32afffea0
SHA256 85a07013575a6a890c7b1d26adaa52f17616c4cca673617aa1fc0992aa29dda1
SHA512 1e2740a09acc5b0d679acfd740feb3556638f1b6029078668bbb7e067b356fcecf23c5b317b02888822cc180c0eb5cb7e2caf63d92a74515ebc5a1031d80f3a6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 671d712a7790d38dcdfb86a051109e3f
SHA1 ec1d2a22a3c2843b7747f10787c6d68e24b1a8de
SHA256 fb260190cfb53a58a256ddef1427cfc7f5d06c300666bde479582937e82af19f
SHA512 f5a6763194b8fad6b7681ddd3a349692bd9c699146c8e7d594b43d96ba4dc8f5eb1bb65c7ff91a006f275a0bd92a7561658f8e566d85dae7f31674eb1c019b24

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f6b7111452f936886802bcb01779f25f
SHA1 a7b7cdea9ebe9d3566893ec9c62f6825ab0f653f
SHA256 cac3c146a6082cbbea32b52b54ea46aa816b7cc928f950d45c9ab11b7816374b
SHA512 3795625fe48c423269145b8ad8b02b9f5cf813c0f1efd935cb5c3e0773a4f637a227cb8f49b5cfda310073c6f81c374118f635c71681264dca2821d5b367ae1b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 77ef48ada8e4c019ecbb967cf1410060
SHA1 d6ebcf1ef31e2d215ba56964096c9c3e7091e561
SHA256 bcdbaa818cc48da400a13cf68073dd491a4e96c528d91f867eb1aac958204ed7
SHA512 5e07de4ae122f5a3d548f066d4b3b41ad11a28d16b111133705c87488edf8826cc892180673658739cdbc7f7b5e087cf29b1155c82fa0357414fc65b4fc08c7d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 7cd246cae83131e927ed260f1697c1c6
SHA1 b48e7601d0a83a6bef1537c8b1ee9857a5b17e76
SHA256 6173b39e6f903a422912d705c4586ae39b03198de53fcb98030e83746424d6fa
SHA512 4e41fba623d17f2577a59f714d11a2ddc45dd971b51570295e19929aad65d99bde7364d3342ae579f73df83a033dccab100547f816d698b8e9c8ebf18a94a9ae

C:\Users\Admin\Desktop\YOUDIED 5.txt

MD5 05d30a59150a996af1258cdc6f388684
SHA1 c773b24888976c889284365dd0b584f003141f38
SHA256 c5e98b515636d1d7b2cd13326b70968b322469dbbe8c76fc7a84e236c1b579c9
SHA512 2144cd74536bc663d6031d7c718db64fd246346750304a8ceef5b58cd135d6ea061c43c9150334ee292c7367ff4991b118080152b8ebc9c5630b6c5186872a3a

C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\mbr.exe

MD5 74be3afd732dc010c8266326cc32127b
SHA1 a91802c200f10c09ff9a0679c274bbe55ecb7b41
SHA256 03fe34795ad0f91fc8eb8c9ebe8094541e4fb4d7095095f8b48f345c2a6d0f0c
SHA512 68fa03d640680e37614feccb56f4d41180724cb7c08ba25f9bea3830a44c03d635664d8e0255ab2d05d3613498f4a4dd4398b7971a2cb1c9ae3be93f944946e5

C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\tools.cmd

MD5 288bebe9f904e6fabe4de67bd7897445
SHA1 0587ce2d936600a9eb142c6197fe12a0c3e8472f
SHA256 cf965fcc5a7ca4d9245c706c88b4d5013fb84be27b0ec262facccfadf14bdca2
SHA512 7db8e7c1318bcab7cef2c02484a82f347a630443a644b546a5cc339a5a848d1a3e915255f9c357de6ee26817a55d1091d80e2a8e97f66afa5686b3d11ee56c3c

memory/3056-1735-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\bg.bmp

MD5 a605dbeda4f89c1569dd46221c5e85b5
SHA1 5f28ce1e1788a083552b9ac760e57d278467a1f9
SHA256 77897f44096311ddb6d569c2a595eca3967c645f24c274318a51e5346816eb8e
SHA512 e4afa652f0133d51480f1d249c828600d02f024aa2cccfb58a0830a9d0c6ee56906736e6d87554ed25c4e69252536cb7379b60b2867b647966269c965b538610

C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\gdifuncs.exe

MD5 c47c6a5111193af2c9337634b773d2d3
SHA1 036604921b67bbad60c7823482e5e6cb268ded14
SHA256 7c4f20624dd062a6c71d845d05c6328d5a903ca96398e2902506591b231ed585
SHA512 56698b7b2edc0f94d0f7172c853cbe67ac682d132df768659ebca0c169091acb36ffd0a6874c26e2fb35117061c91c9eca4312532ba778312e3d63cc77ce1262

C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\mainbgtheme.wav

MD5 1b185a156cfc1ddeff939bf62672516b
SHA1 fd8b803400036f42c8d20ae491e2f1f040a1aed5
SHA256 e147a3c7a333cbc90e1bf9c08955d191ce83f33542297121635c1d79ecfdfa36
SHA512 41b33930e3efe628dae39083ef616baaf6ceb46056a94ab21b4b67eec490b0442a4211eaab79fce1f75f40ecdc853d269c82b5c5389081102f11e0f2f6503ae7

C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\jeffpopup.exe

MD5 4151b988c9d5c550ccb6c3b49bf551d4
SHA1 10ff979be4a5bbacaf208bdbb8236b940208eed1
SHA256 5ec45cc1a109f556d0cd44ba48d3bf11af556ee66dd8b78c94d3ef0e93735e8e
SHA512 c73947b534741c29340550066cd1a6b7cbb4387f3be8303f2d1d0cb21c6f430e0415c27daabc82d32570f421934db78dc840403de18aef09d5a4f0cbe4350e4d

C:\Users\Admin\AppData\Local\Temp\A1A5.tmp\bobcreep.exe

MD5 219cd85d93a4ed65a481f353a3de5376
SHA1 a38ab77caf5417765d5595b2fcd859c6354bf079
SHA256 00c9fdc8b877c7fb8365709155ab28cb3dac282ae7ec9fc9d47a78b408e0d13f
SHA512 367644e3bc3310207b5863b09688269c38a55540b8c87e71d66771c954d37d561ed09f3ee11b36c4c8f4a48b618b2e8debae3d93ff684d15305f93a3ade6b3d9

memory/2104-1755-0x0000000073570000-0x0000000073D20000-memory.dmp

memory/2104-1754-0x0000000000E90000-0x0000000001392000-memory.dmp

memory/2104-1756-0x0000000006240000-0x00000000067E4000-memory.dmp

memory/2104-1757-0x0000000005D70000-0x0000000005E02000-memory.dmp

memory/2104-1758-0x0000000006000000-0x0000000006010000-memory.dmp

memory/2104-1759-0x0000000006230000-0x000000000623A000-memory.dmp

memory/2104-1760-0x0000000006000000-0x0000000006010000-memory.dmp

memory/2104-1762-0x0000000006000000-0x0000000006010000-memory.dmp

memory/2104-1763-0x0000000006000000-0x0000000006010000-memory.dmp

memory/2104-1764-0x0000000073570000-0x0000000073D20000-memory.dmp

memory/2104-1765-0x0000000006000000-0x0000000006010000-memory.dmp

memory/2104-1767-0x0000000006000000-0x0000000006010000-memory.dmp

memory/2104-1768-0x0000000006000000-0x0000000006010000-memory.dmp

memory/2104-1769-0x0000000006000000-0x0000000006010000-memory.dmp

memory/2104-1771-0x0000000006000000-0x0000000006010000-memory.dmp