Malware Analysis Report

2024-10-19 07:14

Sample ID 240314-l2whdabe69
Target b28242123ed2cf6000f0aa036844bd29
SHA256 fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786
Tags
chaos bootkit evasion motw persistence phishing ransomware spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786

Threat Level: Known bad

The file b28242123ed2cf6000f0aa036844bd29 was found to be: Known bad.

Malicious Activity Summary

chaos bootkit evasion motw persistence phishing ransomware spyware stealer trojan upx

UAC bypass

Chaos

Chaos Ransomware

Deletes shadow copies

Modifies boot configuration data using bcdedit

Disables Task Manager via registry modification

Deletes backup catalog

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

UPX packed file

Mark of the Web detected: This indicates that the page was originally saved or cloned.

Drops desktop.ini file(s)

Writes to the Master Boot Record (MBR)

Legitimate hosting services abused for malware hosting/C2

Sets desktop wallpaper using registry

Enumerates physical storage devices

Unsigned PE

Program crash

Interacts with shadow copies

Opens file in notepad (likely ransom note)

Uses Volume Shadow Copy service COM API

Modifies registry class

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Checks processor information in registry

Kills process with taskkill

Modifies registry key

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-14 10:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-14 10:02

Reported

2024-03-14 10:11

Platform

win11-20240221-en

Max time kernel

543s

Max time network

491s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\covid29-is-here.txt C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-4280069375-290121026-380765049-1000\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A camo.githubusercontent.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A camo.githubusercontent.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Mark of the Web detected: This indicates that the page was originally saved or cloned.

phishing motw
Description Indicator Process Target
N/A https://whyisyoung.github.io/BODMAS/ N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\mbr.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\64acnic5v.jpg" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\regsvr32.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \Registry\User\S-1-5-21-4280069375-290121026-380765049-1000_Classes\NotificationData C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\system32\NOTEPAD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\NOTEPAD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" C:\Windows\system32\NOTEPAD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\system32\NOTEPAD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Windows\system32\NOTEPAD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" C:\Windows\system32\NOTEPAD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000001eb78b63c764da01d8a07b65c764da0157fb7f86c764da0114000000 C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Windows\system32\NOTEPAD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} C:\Windows\system32\NOTEPAD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\system32\NOTEPAD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\system32\NOTEPAD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000 C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\NOTEPAD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2" C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg C:\Windows\system32\NOTEPAD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4280069375-290121026-380765049-1000\{EE0C4311-D53E-4623-9887-A67BF5C9ADE8} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\system32\NOTEPAD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Windows\system32\NOTEPAD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" C:\Windows\system32\NOTEPAD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Windows\system32\NOTEPAD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" C:\Windows\system32\NOTEPAD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\system32\NOTEPAD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads" C:\Windows\system32\NOTEPAD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\system32\NOTEPAD.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff C:\Windows\system32\NOTEPAD.EXE N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\bodmas_malware_category.csv:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\3e35a2a6b58853ab7443aef40d22dc37c3d94848ec9f5b9ca27c1892082b4f07.txt:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Covid29 Ransomware.zip:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\shutdown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 3720 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1972 wrote to memory of 3720 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1972 wrote to memory of 3720 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5092 wrote to memory of 3940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3940 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 4476 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5092 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3720 -ip 3720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9ce533cb8,0x7ff9ce533cc8,0x7ff9ce533cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5192 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5268 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6048 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6208 /prefetch:8

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\bodmas_malware_category.csv"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2660 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1280 /prefetch:8

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\3e35a2a6b58853ab7443aef40d22dc37c3d94848ec9f5b9ca27c1892082b4f07.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\3e35a2a6b58853ab7443aef40d22dc37c3d94848ec9f5b9ca27c1892082b4f07.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\3e35a2a6b58853ab7443aef40d22dc37c3d94848ec9f5b9ca27c1892082b4f07.bat" "

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1332 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\Temp1_Covid29 Ransomware.zip\TrojanRansomCovid29.exe

"C:\Users\Admin\AppData\Local\Temp\Temp1_Covid29 Ransomware.zip\TrojanRansomCovid29.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\TrojanRansomCovid29.bat" "

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\fakeerror.vbs"

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\mbr.exe

mbr.exe

C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe

Cov29Cry.exe

C:\Windows\SysWOW64\shutdown.exe

shutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 9

C:\Windows\System32\PickerHost.exe

C:\Windows\System32\PickerHost.exe -Embedding

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im explorer.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29LockScreen.exe

Cov29LockScreen.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\covid29-is-here.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 92.123.128.170:443 www.bing.com tcp
GB 92.123.128.170:443 www.bing.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 r.bing.com udp
GB 92.123.128.171:443 r.bing.com tcp
GB 92.123.128.174:443 r.bing.com tcp
GB 92.123.128.171:443 r.bing.com tcp
GB 92.123.128.174:443 r.bing.com tcp
GB 92.123.128.174:443 r.bing.com tcp
GB 92.123.128.174:443 r.bing.com tcp
GB 92.123.128.174:443 r.bing.com tcp
GB 92.123.128.174:443 r.bing.com tcp
GB 92.123.128.171:443 r.bing.com tcp
GB 92.123.128.171:443 r.bing.com tcp
GB 92.123.128.171:443 r.bing.com tcp
GB 92.123.128.171:443 r.bing.com tcp
GB 92.123.128.171:443 r.bing.com tcp
US 8.8.8.8:53 171.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 174.128.123.92.in-addr.arpa udp
FR 20.190.177.148:443 login.microsoftonline.com tcp
US 13.107.5.80:443 services.bingapis.com tcp
US 204.79.197.200:443 www2.bing.com tcp
US 185.199.108.153:443 malwaredb.net tcp
US 185.199.108.153:443 malwaredb.net tcp
US 185.199.108.153:443 malwaredb.net tcp
US 8.8.8.8:53 153.108.199.185.in-addr.arpa udp
DE 140.82.121.4:443 github.com tcp
DE 140.82.121.4:443 github.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.109.133:443 user-images.githubusercontent.com tcp
US 8.8.8.8:53 4.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 185.199.108.133:443 camo.githubusercontent.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
DE 140.82.121.6:443 api.github.com tcp
DE 140.82.121.6:443 api.github.com tcp
US 140.82.114.22:443 collector.github.com tcp
US 140.82.114.22:443 collector.github.com tcp
US 140.82.114.22:443 collector.github.com tcp
US 140.82.114.22:443 collector.github.com tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 aefd.nelreports.net udp
GB 88.221.135.105:443 aefd.nelreports.net tcp
GB 88.221.135.105:443 aefd.nelreports.net tcp
GB 88.221.135.105:443 aefd.nelreports.net udp
DE 140.82.121.4:443 github.com tcp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
GB 2.16.27.218:443 www.bing.com tcp
DE 140.82.121.6:443 api.github.com tcp
GB 92.123.128.147:443 th.bing.com tcp
GB 92.123.128.153:443 th.bing.com tcp
US 185.199.108.153:443 whyisyoung.github.io tcp
US 185.199.108.153:443 whyisyoung.github.io tcp
NL 142.250.179.142:443 drive.google.com tcp
NL 142.250.179.142:443 drive.google.com tcp
NL 142.250.179.142:443 drive.google.com tcp
NL 142.250.179.142:443 drive.google.com udp
NL 216.58.214.14:443 apis.google.com tcp
NL 216.58.214.14:443 apis.google.com tcp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
NL 216.58.214.14:443 contacts.google.com udp
NL 172.217.168.193:443 drive-thirdparty.googleusercontent.com tcp
NL 172.217.168.193:443 drive-thirdparty.googleusercontent.com tcp
NL 142.251.39.110:443 clients6.google.com tcp
NL 172.217.168.193:443 drive-thirdparty.googleusercontent.com tcp
NL 142.251.36.1:443 drive.fife.usercontent.google.com tcp
NL 142.250.179.138:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 193.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 138.179.250.142.in-addr.arpa udp
NL 172.217.23.202:443 ogads-pa.googleapis.com tcp
NL 172.217.168.193:443 drive-thirdparty.googleusercontent.com udp
NL 142.250.179.196:443 www.google.com tcp
NL 142.251.39.110:443 play.google.com udp
NL 142.250.179.196:443 www.google.com udp
NL 142.251.39.110:443 play.google.com udp
NL 216.58.214.14:443 contacts.google.com tcp
NL 142.251.36.33:443 drive.usercontent.google.com tcp
NL 142.251.36.33:443 drive.usercontent.google.com udp
NL 216.58.214.14:443 contacts.google.com udp
NL 142.250.179.142:443 drive.google.com udp
NL 142.251.39.110:443 play.google.com udp
DE 140.82.121.4:443 github.com tcp
US 140.82.114.21:443 collector.github.com tcp
DE 140.82.121.5:443 api.github.com tcp
US 8.8.8.8:53 5.121.82.140.in-addr.arpa udp
GB 92.123.128.154:443 r.bing.com tcp
GB 92.123.128.154:443 r.bing.com tcp
GB 92.123.128.154:443 r.bing.com tcp
DE 140.82.121.4:443 github.com tcp
DE 140.82.121.4:443 github.com tcp
DE 140.82.121.5:443 api.github.com tcp
DE 140.82.121.4:443 github.com tcp
US 8.8.8.8:53 api.github.com udp
DE 140.82.121.5:443 api.github.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 api.github.com udp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.5:443 api.github.com tcp
GB 92.123.128.165:443 www.bing.com tcp
NL 142.251.39.110:443 play.google.com udp
US 8.8.8.8:53 165.128.123.92.in-addr.arpa udp

Files

memory/3720-0-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ded21ddc295846e2b00e1fd766c807db
SHA1 497eb7c9c09cb2a247b4a3663ce808869872b410
SHA256 26025f86effef56caa2ee50a64e219c762944b1e50e465be3a6b454bc0ed7305
SHA512 ddfaa73032590de904bba398331fdbf188741d96a17116ada50298b42d6eb7b20d6e50b0cfae8b17e2f145997b8ebce6c8196e6f46fbe11f133d3d82ce3656db

\??\pipe\LOCAL\crashpad_5092_ECOADXZUFQJSBODY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a0407c5de270b9ae0ceee6cb9b61bbf1
SHA1 fb2bb8184c1b8e680bf873e5537e1260f057751e
SHA256 a56989933628f6a677ad09f634fc9b7dd9cf7d06c72a76ddbb8221bc4a62ffcd
SHA512 65162bf07705dfdd348d4eaf0a3feba08dc2c0942a3a052b4492d0675ab803b104c03c945f5608fac9544681e0fe8b81d1aaca859663e79aa87fcb591ddb8136

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6f9138385bef7453efd0d7822db3a1b6
SHA1 5f67d0aef96f38b2b454c8a3a8ed1824df94916d
SHA256 b72f1362307568639cbb8e4da6ed03ad575f1c38586ac4a12daa9dc11f342b0d
SHA512 7d8e366851578a7f2295d5dc42a3dff01386fd04f04f6074a8f5b2b78e49635c9225c30ff1e620108b78042de3b0eb65c418b9d006e36beac80af9cd1205e242

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0b1659c4941fd16c1cbd3dd90ec603c0
SHA1 e8792e34e4ba41783c58905eae6a0b780e79c2eb
SHA256 504779c188dc85d9c0a3371143311d8e6827bddf204f96419c4f2d9004c2142c
SHA512 777c781e7a4ccfa8163c00a48fab8f46038d875735b010022e71ce948a3cd4dd3f00c53b91a56022a567a13c0fbe070024094b8c306674b4dfe4142c3da39104

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e9238872ffc3998766b4f649cd7ba595
SHA1 00ae8e81165b9e625d35852fc5bf3d3af9c9f067
SHA256 be12c43b88f16c86c73830323fc4a421c722cb16a7516a557b50f4259ed679cd
SHA512 c5872b19759507a54bc894860c3b1861711a4b3811c09e8101bd83b78f22c0733414fc1bb249849b3e5f37223ec625ae33ea156e961a0670f6a1682167414a7a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 807419ca9a4734feaf8d8563a003b048
SHA1 a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256 aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512 f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 220235a7f8d851ac5e122e2ea66cfdb9
SHA1 f3f8502851e77899ec90fac23e57ecdfd2deed2f
SHA256 04f5a60920481aadf50b84ba604d2ee53c696dc9d3a331269590ed681ccbef21
SHA512 2aff27ee0dffa1eec95a2a1e352df313c0cc34cdafadeabed28b04e7214e5508cfaecf414f5648e109e78d54c233fbd8f77bcb43191977d4ea87cb637012f775

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9a178a2fcb2b11411b458b94784144fc
SHA1 0e851b8bdbfe20a5dee1c054173ea9f0021ba602
SHA256 a936ace828a5e75bdbcd3df45947bacd7b44c19786470d66902399c3428802cd
SHA512 02090bf18cbf08364456dec81c45e277b24e0bfcd6b5804935619dd03cb6b6db965c08bbdbcd3d98297fbaa41382c7bed2ac27fefdfebffb761fcb06b207c29d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 64664e3024e011212b9541ea78229f41
SHA1 1977477a695243d17ee58ba5b0d9e628ebbcd79e
SHA256 9bad2f980d339b9134c0ab2c720b142764efcd77988057494836152b3d6bb4cb
SHA512 b81f179659a5547b1dfe3151deb1bac01df9fdce6a7799c052ac913095ff4e4b69603426c81da843c7516576a982f68500f86ff4003ab54d097e1a292e56b8cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584253.TMP

MD5 1c2020956c89fbd786545bbe1ae23564
SHA1 4f58e75be3ba1585b29ff372642122779d70d21b
SHA256 2f93b8913d9d0c3b6e1b2c13907af7b44aa0eed29125e9b0459d189d288aeac9
SHA512 cae588f247768c8a0617d5f04312aec4d1af9be3afcf1921f04114a9af4307d5994c2bc4d60a81fbbfd133cb21177fd6dec64465fa6e55b523004bee46743651

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6f9fbc1b54116409a4b07380ea3dceb4
SHA1 725fe3841dc378565d0d683231a56601152574b4
SHA256 b01c0971075d9eef5882cef50dda179919c9e6ae4199136c708c13e6b3ee5740
SHA512 015b45a1fcb2cad06e1fb2864dc5d1cee1c4449da1886ca23ef5678f3d42ed9f830a8c3501138ebd5f66df41cc8c063715216011a435d87cce07cedf3dbbbd7b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 06f333285ee98e921d1263952d7158e1
SHA1 28232d649073a4975c5c330b26c2cbdaf2db1929
SHA256 70c30d6410ebc41b0196c4bbaa0aab03c555e6e02a87d8cad036fbb0b9ad209e
SHA512 908e6699da3cf97a6a611853d242a94cb38b027e05d4c6db20d4d848004b3a90bdda97a7e513653431bd738ee35ccded4f5291f2d540e764bf83c376df5390a8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 e7f0875927543a5cd2ed537c8bbd2899
SHA1 5f586ecd7de5c49419c96915a6e70c8627f66665
SHA256 1bdfadc344b9f9a4b32636d535d4b27762cac3666ec4a48228cd6e0d9f529c64
SHA512 425f95896f06ea2ad8832290d23861cffbaa7148dfa55a31cb89da8e4bd52a81ba977be6c763b797e1cc9ebb735ccafa214e638fd49345e4f18e9a54ad9deaac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 73034b60b53bde3865e6441af13580e4
SHA1 f079df27501421a3cbc86e886c6bfea810b79a6c
SHA256 5971c4061397d3b2091c851999fb086e9e1301dd90871e03de33f84b730aeef5
SHA512 471a01e819c9b0067e4bfb81caab16570d467db81e7acaa1a65faaa5f0a6964ec86e209b3d7815b49be8792ebf107a518c95f18100e294f3ea901fea2c688c4c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 197667cf0073f5e78fcd4fbd89fe6512
SHA1 26e454e049ee04f6f7a786925254cccb842ae142
SHA256 1f9808262ce1885c53cb0e01dd5d8758436c2acab097dba3082ee65508b4e272
SHA512 8bda533b1111d5267fa6b2e9ddee7e06e37e962572c32fae2d77127e28cb489ceeb63e2dca6e9af0360a2af561c927338c802887f0ba3cf5268487ffc6a385e4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 afdbd8d4c2da9b305751460234fe64be
SHA1 c5d77a8d583f2af16dedc6d6c0cc853c98f7ced3
SHA256 5fcc8c0b526e9e40d453bd1f9d2a107167c2bef5479dd59405cea46f077bc2c7
SHA512 79763578439f1cf8f84137a9b8bfd366b90dc6b0b2d9bc7f25ab664dfa89b946a6f68c0258ab5370da46903338b57dbcee98dbe4f456f9db18884733f163ca7f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a3f44d465209953d70e3a6481e66d276
SHA1 fd4b26246915955d0e315080123d4951da540111
SHA256 ab9df4a80115966fd451b6658374c057d13d134ca2d32e9b4c495b049544514f
SHA512 b93bb863c6cc7efd377d5fcaae64c8c02d6ab5f37daa76fcca06d108396c5f4357082c74ea7bb0db5ffccd47febf729b17548f31adecdad5f8d13103c8a30774

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 29036d3c1ecb0c8f319d837f99608ddd
SHA1 f2927667876a7daaaddc69abbb8d5e97a4f57a5d
SHA256 aefd8d572db62663f0015e0c6cfbb47d20f7b283e0064af5d7bc696bb2888414
SHA512 c0240b1080d570d4333a9791e91c7861168fe996cee9f7dfb31d5f626230d21b74497e774e88553642137f61a5bc4499f7828c3860a0a0f4dc7bfe73c9a07954

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 05144d974465ec9258c8c583f8fb58dd
SHA1 70b8fb7936b739dddc6c17fc9086c434b4c8c349
SHA256 75ffe5776824b7d84bf44557ffe4dcfcbb9efaf64a0a3b34e7d9be99d78cf7ab
SHA512 68a7bdeb2df1e264926a365c61dbb5675cb33922f6637f0ff1b64c12a62e582b423888b98bb040d41fa2de895d82b9faacb11951666e058824f038a98cd1b6d5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 31552377f72c84ef0bcd9721cb897880
SHA1 bc6d58f3937063d573dad3fcdf6c31e37e4d3d13
SHA256 35934dc6fd2cb0772534c0dabec10deea4d464b2cc4e7cafc53167898b3d1b88
SHA512 66c6d54dc8fd6ee0e5b3da5864c8cfbf8525a65f98a18bbe115ba98c372d43731d8c671d1fa7113e2a96cbdf37162bff7522353dd547b3d33a685e74be8024b8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 01231712f3a011fd1aec089e9279a1ae
SHA1 c9943927361971a1e9f651080e07ee7c2d44d242
SHA256 10c1c87270a99c93699ef390ac85bdd0bb8ecde1ecddd978ea29c90f7ecf5f96
SHA512 e005a48f1f1e4f17c1800ae2ae64bedc9862a00a97bb8520fe2e56739cf82e797088010ee223d3e91803745cf1662b6acd886ee9b837002de339e42b9a58957c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 4868b53b4efc074b6772c46ee9d3e90e
SHA1 f0052a8914e1d59337047906886b56ee7a66eff8
SHA256 45d7b7581f622b33f602f6341055d5d4a1998daaebc5dec895047fdee6291fa7
SHA512 b5356b88d98a2f46f785322bcb4a7c4e737713bca98bfa70d952b28b21de87275a8f403887fa8d701d48a8f6354b6b63cb77099343177b7d0c123989a95d407a

C:\Users\Admin\Downloads\Unconfirmed 528615.crdownload

MD5 33b2402ddff10aaaff199cb29ebe144c
SHA1 8fb676f8deb631ee6519706cd6829d2b8cfde154
SHA256 617fda69347ec907a79f198add431c8bb39102781de41cc03b7cd1718cff2198
SHA512 53724d87f226b37bd853353e68a136d035eb179545dc3dfdd7f4f6089f6cfddf6ae8078b0da0fdf1d5fb4dfd5a53651a3f88ad652ed6ab2e39cbe671b96b906a

C:\Users\Admin\Downloads\bodmas_malware_category.csv:Zone.Identifier

MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 766f021826b9ca49646424ffe502cfc5
SHA1 03620e566c4a44ef0187483387d9fcc1a1bbe310
SHA256 f1c75f163e6023ce706cee32c3b4da032a0ad96a541ce554fb6a33afbdecd409
SHA512 8a1b0a2fe668ef53ac0dc83cf985fb2f36a4cf1fba0825affc84c5f3a21cf65977fca7da402e8e2369a6426140851755a1b6427cbbd3c9b6775edff2cc37d8db

memory/3680-684-0x00007FF99D6B0000-0x00007FF99D6C0000-memory.dmp

memory/3680-687-0x00007FF9DD620000-0x00007FF9DD829000-memory.dmp

memory/3680-686-0x00007FF99D6B0000-0x00007FF99D6C0000-memory.dmp

memory/3680-685-0x00007FF99D6B0000-0x00007FF99D6C0000-memory.dmp

memory/3680-688-0x00007FF99D6B0000-0x00007FF99D6C0000-memory.dmp

memory/3680-689-0x00007FF9DD620000-0x00007FF9DD829000-memory.dmp

memory/3680-691-0x00007FF9DD620000-0x00007FF9DD829000-memory.dmp

memory/3680-690-0x00007FF99D6B0000-0x00007FF99D6C0000-memory.dmp

memory/3680-692-0x00007FF9DD620000-0x00007FF9DD829000-memory.dmp

memory/3680-694-0x00007FF9DD620000-0x00007FF9DD829000-memory.dmp

memory/3680-693-0x00007FF9DD620000-0x00007FF9DD829000-memory.dmp

memory/3680-695-0x00007FF9DD620000-0x00007FF9DD829000-memory.dmp

memory/3680-697-0x00007FF9DD620000-0x00007FF9DD829000-memory.dmp

memory/3680-696-0x00007FF99B370000-0x00007FF99B380000-memory.dmp

memory/3680-698-0x00007FF9DD620000-0x00007FF9DD829000-memory.dmp

memory/3680-699-0x00007FF9DD620000-0x00007FF9DD829000-memory.dmp

memory/3680-700-0x00007FF99B370000-0x00007FF99B380000-memory.dmp

memory/3680-701-0x00007FF9DC6D0000-0x00007FF9DC78D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 c6f2ca6680bd739e6f0bf66bc71d71a5
SHA1 c9542da9488bcb3e353a534f691c0569aea4377c
SHA256 f5ee06ced61a67430525f44273e21239aa52f210b36b4f47867c58bf4cc441ec
SHA512 4d29c73d3759d3879d9aaa40ff96f235a6590b20387b7bf5c7ae2bd413c13a8f912186a7b359b43c6b18f1220cf6eef2db42eca808db60a14aeb2a16386e601e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 78728ff4ca59f6e8e733cfa9b00cd87b
SHA1 dcdd5a63c48c12ebd5ad79d6a7d8cce12dd5fabc
SHA256 4932cafff66fbdc882585ed8793855fb16d6c1f0d48e310fae33184a5d013027
SHA512 d94152b17fc6ea10aee42136bffbee3d7d392c4905e050ed5c276889efeda0c34d6a4f5d4619f5810f579743a33700f8d2aa3903c08e5b9967510846eda9e84a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 acaa257c350297e1ffe32dbc8d18d84c
SHA1 8315c9939273e9f6a6c7b4ef303fc716e8a59abd
SHA256 e55c7e68728c960273df0ea9faf0f1506aa63e05e4bf3e323a6c3214de1f8533
SHA512 8bd86154e12da3ec902e16a8d7210fb2339b7096076523f2b18f8eb797fadc463bb8ad0e65c9f2bc3d0d2a22e6fe930e89761238da3bc0ce37649be405432a3b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 4fcb2a3ee025e4a10d21e1b154873fe2
SHA1 57658e2fa594b7d0b99d02e041d0f3418e58856b
SHA256 90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228
SHA512 4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 758b8a767461df074c5145d247ba488e
SHA1 bd13d8a3bb2add4b957379ef2eafb21929383dd8
SHA256 d823e6317a9491c462ee304a1c9e539ff16ba75bdf118191cf5fe3d33db654df
SHA512 48398e3ffc761f38569256bcf08b9a5adfda9ca3f1ffee9c29a409b4d58145482fcdfed5e366175e9147531c156b5e3ac37536362be276d57843686d41b47070

memory/3680-754-0x00007FF9DD620000-0x00007FF9DD829000-memory.dmp

memory/3680-756-0x00007FF9DD620000-0x00007FF9DD829000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000037

MD5 ce0b8d11a00256be872539d386e3f8e5
SHA1 64658a28b3b3a52c5332c9e1fdb8875411a4f9d2
SHA256 3a009c2e78435c0b5f5454d3a39090a76111f8dcdb35ae665332afacb6f2d83e
SHA512 06fd4d8b19f485e8fafabaebef5f48217d86ff8d59a1889e3a47bc28eaafb23892fe0f85d4e2165cdfbe70761fc006c0650e7304b2534960ee8962fdcef8cb4a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 20d218a86a8ef658cf5488a7b34ba62f
SHA1 d7aed71f2ff91b16aeb00580b58854958afbb686
SHA256 e248ad9e507250c64713043d9e311ff406b057eb314737ac7362b203f62966f6
SHA512 bcbbb1fda3d6876e11251a0b9c33c5e506d0c23f3134635f08f438fc0ed730d097edcbc11d9a24ec32a80fef4f69819da1e8bd889fcdb70a96b951a9c6c9439f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 271eb932ea5cad3a8e8eb671e1488b5d
SHA1 12873cacdb94b964ccee7fa1f3199e9eba212f14
SHA256 643a2c8308051d0ebea9429bc07d0c3ac05c3ed8ab43a174a4eef33322ba00ff
SHA512 c9b7fef71466f1d8027df6e661cca196d8a5636054a86beb3ce7e30aaa9c348813981f501547cd2777eb579a3e6e048e6d83b5a22f08a8a79b58e89e888c49d5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 67d309b9f26a8f87a99d76597aaf0828
SHA1 9d50a34643ecdc626f20f61a34c5f72378e3e61f
SHA256 05008720dd583f052edc9fcaa199b85b87a9d1bc32664a3260b47b971352e5a8
SHA512 5cb6104c9c7688778c574ba245611a997caf73a954cbe7ecb9566960ad4adfc0afe6a9e9f3b92990ef90899f82e8ee18710a108dcb9edb8c08537eea269d4299

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

MD5 8b2813296f6e3577e9ac2eb518ac437e
SHA1 6c8066353b4d463018aa1e4e9bb9bf2e9a7d9a86
SHA256 befb3b0471067ac66b93fcdba75c11d743f70a02bb9f5eef7501fa874686319d
SHA512 a1ed4d23dfbe981bf749c2008ab55a3d76e8f41801a09475e7e0109600f288aa20036273940e8ba70a172dec57eec56fe7c567cb941ba71edae080f2fdcc1e0c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 7cd627413e5292baf2467d48b4c55dc6
SHA1 8c98b8b1c898aac21f68f7d20febd966b3dbcffe
SHA256 7042af1b63c2291f58fa9aca026f6cb74adec3d8bb9578e3ab257e6112f26afe
SHA512 1b3c54d78f3798297ba06ed34bf360dc6ffc894bf557082096a44810b7fbdfc3397af47cc66912c84e75ef72981c8b36d2d0f0e7164d7933bac8df304949ed6a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 459674898334e9c57b5abfdde4c78a37
SHA1 f7549523ee257fc57b8a2e3ec9cfd8912565bf8a
SHA256 3f7bc7991fb7123f974b6deaa78f60329b0c85bc3f742618372be83d5dd75932
SHA512 86ceddb1eae9dd540ecd621584a501223279c147fb7c0355362e0d40c74cc6040f1ca306c9032518694923c613ba0470aa6726c0e485dd0e8c5cf81b6c2d71fc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 97088b3450c9decf52d6ad6022a56114
SHA1 6d4fbed310481d5c6edfd7b8918ed52c0e9c616f
SHA256 8aa9dbf093e33c32268e7be2bed1bdb27d20ea4ef94cde1dc4bf2204e176c3e1
SHA512 c9861a6d096459e06be45e1df79590e7b29c3b80016b49b8d445a4ceae113e4f567f2e2ecc2cc13227382e93af4635fee16f65648f3602c37b79759f8090aa5a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

MD5 43dac252d21bddd2477439e023621c6c
SHA1 a7a81cd955811fd15dad91f443e0880d7aa08d79
SHA256 fedd9610bd4c2237de2d9eebba3143424967690767ba25ca7ab369f7aab3bb4a
SHA512 cc5aac6a7e47a0548ebc9a606eff04d175e1c76844160069bf4787349be6fe897cffd1444f9c00dddc214502ebd5a8ab97a1527d219679af894a28858de40fc3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

MD5 a22bba8496b44ce03e78393762962309
SHA1 e40a5c761e2752898bff478212e73423720e62e4
SHA256 cc755756eafdc0478fd311c22224aacdd9422bb756c75e134bf7ecc12340db42
SHA512 283dbb5b1091232602b9ef06e0c1246c9928407bde42d6d3d88bd95a5416aa8e49036674e401f76d8d7c074ffbdc30b1c52f6417415b54e4c07d8b314d98ad77

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

MD5 6c0d7b869b0581b57bfa61f385c2ea91
SHA1 c26d2c58a8b6cd2843ab8db8cd48ff8960bb9daf
SHA256 5c9fa7df7f446408d1aa91e9ab4d445b0be2ba4adc316c0bfa5a19cb0376b1dc
SHA512 11f7883bf9d439c48343639fd610fb7b1015179ea434c0aa5e3282f9eab24dbd3e5aee3f4fa8d65e130bf8938c10bf790f29b4c9f4f476f2fa7cb176fc4e191d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

MD5 4b36af377345ba07e1b4e00028a59119
SHA1 5b92e3b727172e455570822b194e4b6e833fd6bf
SHA256 581a19ecaeac7df979ff1023c17e0825e87afd897f077f0dbeba804f5d2d91cf
SHA512 7abc3b8ebbb50683fbb18d54a61f52d2faa9ea2201c3f730a9dd49e2b00ab1fe2ca984fbe1ed918de879d04c72ad12b33f77991c7ce117578335205a09da0d24

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

MD5 78ac8f2b69aa06a62c0396eec2465414
SHA1 7c6c2c9465955c34e62f2802896afae2053591c0
SHA256 6c86d8c0c6067e4eb4055d4201159df4e5772c88d0784adbe1f9d0419243e9c5
SHA512 b5e8fa423a003e6259293b5a37302894be43efe93161d2bd3c4f89296630662ee32bb3639dd4856431ec597d31c83f280f594180d925469e31665450802db0ab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

MD5 063fe934b18300c766e7279114db4b67
SHA1 d7e71855cf6e8d1e7fbaa763223857f50cd1d4bd
SHA256 8745914e0214bcd9d2e6a841f0679a81084ef3fc3d99125876bee26653f4253e
SHA512 9d0dfc21306b3a56c2ecdf1265392271969e3765e161e117c8765125b34793e24458217cf6514b364f351f47e65baaaf5856be0d13406a789f844d6ba8c7075f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

MD5 93ab4cf70b3aa1641a4b258c3fe03f24
SHA1 cba2ddecb8e019e6e5a91dcf867c6d6094f39b63
SHA256 d6c2f9f2bb35841cdb53abb660544e6e6f44e39d6542323992cc1c63e998fa16
SHA512 70fa907afd9b52ed54a3cf755e394c40a3ff7a83041540b435cba47d889c1c9401afc9fb23a5e879d85bed42fd5df40cd7540d428b3ee7a9cdc278a314770884

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

MD5 d1a5de56e99839dbab128260f0d6929d
SHA1 598e110db0d43581f3d7f0892d1ed6140a570739
SHA256 41e5f6aff0dbd029c60a0b64e0760fafc592084e48e21ca48277a4e2b68e3cef
SHA512 645c31db374ca378e773392b09d2ba698eefa5879ba8e14e3b31cb661e34dd00c16c8005b8857a2951797d0fd38344899b3914da8828fa0b72d7565d6f5899f7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

MD5 aa6ffba997d9e6535da1a2c26a004749
SHA1 9ed525230c4bccae34454a71adf723fb7479b53b
SHA256 db0eecba023386f47ac57fef8a8cdab5f12e04637da91c13b81b8b60b43025d0
SHA512 ba7e79b263af9d9939059a28d7c73683f9cdb2c9a986adc54d8ad54d28e237c2b0f88010a4829392addb3be5a8d08923cd5931a71ff7558eee9e4b6007273d2b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

MD5 e0595142a80771d317d27440fd29b8e6
SHA1 db3710d0d8d60dcb64430c342c6fd921d6792fcd
SHA256 3ba245011d9a8ade367074a3774a786f50ca51d71a83956dbb0ad2647a14d7ed
SHA512 6d298295955fce4166720ee7cc42bf4562ff311b6820025a7ea710a19dd8553d8677fe194876db5e2e6440d9d21aeb603a6b3fcd73f656405428d4ec00dba288

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

MD5 77a781823d1c1a1f70513ffeda9e996d
SHA1 60776ceeb79ed41e7cd49b1ee07b1e09ff846f25
SHA256 b093599957b103def2cc82ffd2d42d57a98292ace5a6596e3e4439a6cce063b2
SHA512 9aa66273ad419e1fc4ee825ec9e9fea4297139eca060572d3f59ed9bccbf2e1dbd03a006a0a35c6d37196e8297ec9a49fb787f0a31c3772b17911603eca62aac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 2c472bcb9c7082c179f4f7581332f617
SHA1 0428d6cf65aea648b7469465a5452c6f7c99abb8
SHA256 235bc9564b0c531a6cea9cf5526a54265d826b5fe6ce929110fd360aabe530c8
SHA512 ff5c3a9d8d5c0831f90bb48c15029c4151f510405955a71312cba5b52f178b31c5b53eac638e903ec08e1da5b8cf053cb0701e105e91ec41468992562e6e07ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d8e42fe19769b8c397bcb14dd34f3777
SHA1 9bb72b77d04ed5e5c7dabcc6caf9efc0a46b44f4
SHA256 a3f98aef9bccfa407673e1a6a548e30fc02f28abb4f8968ea3e93048c4996e56
SHA512 61327c148907bebd77026dce097991ed1e34b0419b20f6a233b4d1f25101b91befaa5c807baff4a3487d8ce353ca15a3724b3ac73a0e58072a8efcd65085c8c7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 79161945d4e5d8537386b34def2b6eef
SHA1 f7ae03a3b31e671eac943e4bf8e2fb642567eeb2
SHA256 5fcaf84c9a59d56fbb5d811d491542a4bb81fb0de99e1704aadd5f2614d9d61f
SHA512 c6a17d92770cd3365598f3128e14346a3a80607001e562a844b55f82272528dc77f4fc5f7baf8c33176ee8b4522de2d28a8ca67256dd3ab43ca4ce3bcab07658

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 153654fbb6ac02027aaa9d736d5285cd
SHA1 28a610e5dc4a54280f2780de6925e5b1d13b0979
SHA256 cf427b1c41a97ba3a0526f6452b3de660eb8535f35f08a4112ead35bd0d1c743
SHA512 b933da25e1a31cc0bbc021f70e2084215ba0cc9570dc7192a1ad480e9cfdc1807d8be586097d0ee6daa3c1dc5a4c6e22d175fc189f9a72f700849f4f4de8237a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 3e89491acc925b731dc355c9922699d7
SHA1 6d8c871157f703f36d29c123675942bb763c22c8
SHA256 1280e8cc658030c990c2313b9aa5d68946c730dae388de7ecea604c9db86aa76
SHA512 408b9e0e623731ae021bf70eb1b7d4eb71e326edc237c98ac02944babe73c257186dc052150ad724b9071a697f81734565b644baa75c367a8566c293f4a2bf63

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a9d434a9f8b977a4_0

MD5 2216add26a4a6b9ec7972a958d25d5db
SHA1 53abdd20e25e0aabb473431e84470f7f88e53801
SHA256 62c51a443593a01dfc001d11a990bb5b86fa3da82a1df988d0089749d9d3a17d
SHA512 fe4bab34366ff4f8935c10969a5bd88f9572fbb869d404a8cc5fdb41aec2074a31784f9fa613fad7f27ea9cbe07b087b2c1e2a7ae8ce1c16247d1db51ba54370

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 cac4e8717dff6a70ce6d8e3a066ee2e8
SHA1 31c5e72c0fd49189f5c5c9b6a44568275ff23c3d
SHA256 887c710da42b7e5007144b37f22e931a4971a328c61ed83dcd5ca9e79ef18849
SHA512 fcecab095003778efd14108028b648f7d36437ef215cf58827722e6297daa671f730a1f605491096e5e1060bcf2ac9d756819dfb5a6087c30df78b014b4ea158

C:\Users\Admin\Downloads\3e35a2a6b58853ab7443aef40d22dc37c3d94848ec9f5b9ca27c1892082b4f07.txt:Zone.Identifier

MD5 0f98a5550abe0fb880568b1480c96a1c
SHA1 d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA256 2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512 dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

C:\Users\Admin\Downloads\3e35a2a6b58853ab7443aef40d22dc37c3d94848ec9f5b9ca27c1892082b4f07.txt

MD5 9f8d59f3d76e4c2ddd0ffaac45b38f65
SHA1 5de908723c985286e419daabb9477681a42b5063
SHA256 3e35a2a6b58853ab7443aef40d22dc37c3d94848ec9f5b9ca27c1892082b4f07
SHA512 db07ad401dc28833bcda99486d981e01ea5cd53bf305e0402b8b209848838f881851afeadf04db53996c9ef334c6d4009cde0b46c7a9caecf4d285134a9ba121

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 1ba4cd58a76511f58b943d69a9a75a5e
SHA1 8f32fc5d40603af38d439c5c8378342ef954062f
SHA256 ccab7005fa60dddae1094158c7215f49b0439bb8b3dbe978f1285bb14c2f2f0c
SHA512 e77e3e86a372afa51f4b30d5626dbec8223440bc90b609f0781222ed965479e5f4ca2bfa86c61b44a7a4122bd6d28350ee631b041f88c99ff87c3b7b027a1719

memory/3680-1269-0x00007FF99D6B0000-0x00007FF99D6C0000-memory.dmp

memory/3680-1270-0x00007FF99D6B0000-0x00007FF99D6C0000-memory.dmp

memory/3680-1271-0x00007FF99D6B0000-0x00007FF99D6C0000-memory.dmp

memory/3680-1272-0x00007FF99D6B0000-0x00007FF99D6C0000-memory.dmp

memory/3680-1273-0x00007FF9DD620000-0x00007FF9DD829000-memory.dmp

memory/3680-1274-0x00007FF9DC6D0000-0x00007FF9DC78D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a49d2c51e9e715480fb418ea944ecd45
SHA1 a01f9953e3443ba4f9b312d5a3d7601b2cb3fe50
SHA256 ed0c78cb1dade616b4a679d697b28138d21a3523fc9fa7b4c61b26d737364b8e
SHA512 bccc579f7e6f9fa567c5b4104fea6828aa908cc9dda39e61b50a03681dec236313c1df50a1b1ef6f14b3c59f9dd13f8511f9f6bcf797412f8ba6c249db9679ab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 69c559f25cc341fa36e2b18381b12091
SHA1 03ad56a5f0ee5de667436cb84664c59e4bec7e32
SHA256 01f4673c8f1d1a78060da149f5f1c1e0c5654c4f17903ac82282a2d7b7ecbd55
SHA512 43c563eca83d08519e39a3caf80fc00a3bbb0a6cacd708341bfe908e74e52c4c8ee63fbb748f0a2336ba7ad6f797692c4574654b425ddc3254f8bc0006de34e8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8fc0f40396dbc93065bbfe5d1746ad9d
SHA1 9fca4168dfb30a2e03a38b0f92ccdd5d655e9b22
SHA256 7f59ed5a2014cb395a805ff3c3bf10a54637321570334fc735f3682cbb8b8965
SHA512 8707a1c14194011f27824d8e1d287f2dfde9ba51cd4bc501e8bc9a977347f76d98a6966dfc2c6e442eb1ae4c0e0b9c7b491497fd4f21e54850b5dfe2053ef1dd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

MD5 0806b6e9447e69980d8dd1e5bc9bd923
SHA1 b621a55dd41a093b7066c7347d4fc7d33e6ae3c0
SHA256 7f78d2882870c48a3611e13c0f64b81313ae7d1a22d7e50dea2ca6b79ca4d4ad
SHA512 2deb48e2f088a9a162eb8992fe8457fba2e4bdc255869d01a2eafc143a2217d824070ec75d78959646fcc84df81636653f28688c05759b353d2d17dd84d34926

C:\Users\Admin\Downloads\Covid29 Ransomware.zip

MD5 272d3e458250acd2ea839eb24b427ce5
SHA1 fae7194da5c969f2d8220ed9250aa1de7bf56609
SHA256 bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3
SHA512 d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c

C:\Users\Admin\Downloads\Covid29 Ransomware.zip:Zone.Identifier

MD5 cc5daa5e579a9052ed7eb1b6f3d65779
SHA1 adf793f0bc9a645e6793d4838524f59c4ff27074
SHA256 def828abad22f799785354f6af5c2396103d734bb7c20f96b3e62cd0d55d8398
SHA512 af7418c56e2f66f74f1a25fed7f9bc3e2a19fbbdc6cc97d6b52f6bb058deace600ace6a349249dc138398c186e4f23ea93df7bfa6f46f4907ca416b46ea87f21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 63c5c743a1ab4ba5cdb2e82789b6936e
SHA1 91666b88ca368bb323a24056be21f33a77ad28d7
SHA256 1cb3cc4efa9f7d10c5bd4eb5887ea70c9fc50ce4905666f4e28ea23b2b5e8576
SHA512 787556c30344b27c4a2944b34f83ca2638ab8b3875589d2212a46d3400f9de282bc0a53e32fdeaabc95495fd2be1cf49490a32824223944c7121dc8186266f1b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 e3d27be089c8638e2a8418209d9988c6
SHA1 dab2405a7c446c8e1bd34962d4932cf2c535b288
SHA256 ad722427221935371e110b78666922a04990896509783dad9c3b32d940ac08c2
SHA512 8a3639ab765bb8c0babb2af06cae7e02419bc456aef79611364144870d123bd70aac647fc4c730686895150b13f6d1bc35b56633383f7c4f6788d1e5ee1d871f

memory/2756-1385-0x0000000000400000-0x00000000005D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\TrojanRansomCovid29.bat

MD5 57f0432c8e31d4ff4da7962db27ef4e8
SHA1 d5023b3123c0b7fae683588ac0480cd2731a0c5e
SHA256 b82e64e533789c639d8e193b78e06fc028ea227f55d7568865120be080179afc
SHA512 bc082486503a95f8e2ce7689d31423386a03054c5e8e20e61250ca7b7a701e98489f5932eba4837e05ec935057f18633798a10f6f84573a95fcf086ee7cabcbf

C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\fakeerror.vbs

MD5 c0437fe3a53e181c5e904f2d13431718
SHA1 44f9547e7259a7fb4fe718e42e499371aa188ab6
SHA256 f2571f03eb9d5ee4dca29a8fec1317ded02973c5dd233d582f56cebe98544f22
SHA512 a6b488fc74dc69fc4227f92a06deb297d19cd54b0e07659f9c9a76ce15d1ef1d8fa4d607acdd03d30d3e2be2a0f59503e27fc95f03f3006e137fa2f92825e7e3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b9dc637f7773f06c1f9e6a49a08f9ba6
SHA1 c976a2a167b88b593c27309aeaf0fabcfc239218
SHA256 852b625106d14dfb7c233ee8f6d919dd50a5c22b156ed94f19122bf6f1cccb35
SHA512 08008be3791260fb558b8fd7bbab19c3ff9ce11a441d516fc33766bd689b76bedc5193a07d2595258b554213e50f7abd82dea4343c7a5825c6858e9741287a94

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7ae8ac53-5c35-494b-bb98-6a3713725a9d.tmp

MD5 f5beb8af7b1cb59e58dc17ebfd08621f
SHA1 cde3f81b331a981b19b73e13845c4367d3ba5196
SHA256 d21431305f71f477aac25f88346c23426c9af101a30ecd6817890324cf724470
SHA512 879ef56d4281787c4d2d3df67dd3ef1cc0a8af373003201a72808f9d98d56d2f484996cdf6a2a1c5b2e566afaf0ec22d6d2e86637253ed9421ee95c9b7f72a02

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 9d7184344b7cb53cb7440f3da75354ab
SHA1 f0f956bfa5c36f24d091efde5c4ef1a9a2cb3180
SHA256 2a8e815704243fd2053417a753c56aea11243fc9f8c08716cf4a41bc8a0a0a4d
SHA512 4bc104164c31f1113e70e997672f8fc35166356d4d2e9c3151a0249a90de9dd24297dd77f6042d1ab63e88f60efe6db0b50f302fcbddbb4da2904de07abdf4db

C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\mbr.exe.danger

MD5 c8b8463a5e7fcf02a24357e0d02b2356
SHA1 d03134eebda3ada20f0e3675b7b1d52b52c228eb
SHA256 6e6da81048a8dbc81d40980a3886671f8c2e9976ef2adfed290e2e05fc4dc806
SHA512 ab57a5d87f86ef4dffcd85cf197961912f4ee127b61ff8bb19eba86cbd5c04ffcb8d59a2d72e2602cdc0ddee63b8765e5527b8880a9623e8a0b766fa49cd3f36

C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\mbr.exe

MD5 eb1db124a4630fcee1d9d8a4f46bdf73
SHA1 ace8981732f47384cae871b53648dd8db004a081
SHA256 46ba350d72fd36afcb550dc1a20d9f269d2d654674275cb8b4f20f0a64ca2eb0
SHA512 00a1019922015a9082084053b730bad87ea52e7d2dbc603f55f2b14b813c72456352c5fa069cc96d5c144f589c2904fd95459b6e356aa05d087c10e493cbe3f5

C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe.death

MD5 8bcd083e16af6c15e14520d5a0bd7e6a
SHA1 c4d2f35d1fdb295db887f31bbc9237ac9263d782
SHA256 b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a
SHA512 35999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a

C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\mbr.exe

MD5 6ce2edb96e8d4702690ba88ba6f1d3e4
SHA1 75373644d9944e0005a52a44759bcbd1820c85bd
SHA256 58faae4aed2450e464fa193484e41d5a3d6b4ab15b22b0f4836cda45160aef84
SHA512 46852da00be9b3b7ebc001453d73fc7e76a551939cdf3de5e4e4d3549380b9faa8fdfe11efdf4668685be7d0462c1120055ed1f6504423024647db0f83e59166

C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\mbr.exe

MD5 47ab73389c507df1a98129f33ac5ce24
SHA1 e77e35c1df4e40ed43d66defd4e75415606c3686
SHA256 fd464d15c2ef67a6cdc083cf2bcab8aaefd79682056f3b7d06c45ee21acf00f7
SHA512 9ff782a04066aca518d3e8e50f19ecc12a74f52d85a00d532c67e80588742e570bbd9dbb0e2f240879f800af45b27c960704bba25daf0fb6c0ab73c472d76614

memory/4556-1549-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4284-1558-0x0000000000610000-0x0000000000630000-memory.dmp

memory/4284-1559-0x00007FF9BA1C0000-0x00007FF9BAC82000-memory.dmp

memory/2756-1562-0x0000000000400000-0x00000000005D5000-memory.dmp

memory/4284-1575-0x00007FF9BA1C0000-0x00007FF9BAC82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29LockScreen.exe

MD5 f724c6da46dc54e6737db821f9b62d77
SHA1 e35d5587326c61f4d7abd75f2f0fc1251b961977
SHA256 6cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c
SHA512 6f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc

memory/240-1579-0x00007FF9BA1C0000-0x00007FF9BAC82000-memory.dmp

memory/2756-1580-0x0000000000400000-0x00000000005D5000-memory.dmp

C:\Users\Admin\Desktop\covid29-is-here.txt

MD5 c53dee51c26d1d759667c25918d3ed10
SHA1 da194c2de15b232811ba9d43a46194d9729507f0
SHA256 dd5b3d185ae1809407e7822de4fced945115b48cc33b2950a8da9ebd77a68c52
SHA512 da41cef03f1b5f21a1fca2cfbf1b2b180c261a75d391be3a1ba36e8d4d4aefab8db024391bbee06b99de0cb0b8eb8c89f2a304c27e20c0af171b77db33b2d12c

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\bodmas_malware_category.csv.LNK

MD5 bf9b6582b2fba958a70934a20ded62d9
SHA1 5ac3d1665173e7aaec154730a443e4078dae5ca2
SHA256 8087000c4eb30d3fc94f9dd3a2c51ce6db98056aaeb5412a240e35777772cbea
SHA512 2327575ec2925d9621ee62473f73cb94608dc9a724061a27546ea0557f46dea3c81b12444fb75504077733b8c083a52b9f66cf89c88034dc62deb790489b3135

memory/240-1642-0x00007FF9BA1C0000-0x00007FF9BAC82000-memory.dmp