Malware Analysis Report

2025-08-05 12:51

Sample ID 240509-cdgjwacb6s
Target https://github.com/pankoza2-pl/malwaredatabase-old/blob/main/ß.zip
Tags
bootkit persistence upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

Threat Level: Shows suspicious behavior

The file https://github.com/pankoza2-pl/malwaredatabase-old/blob/main/ß.zip was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit persistence upx

Executes dropped EXE

UPX packed file

Checks computer location settings

Writes to the Master Boot Record (MBR)

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 01:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 01:57

Reported

2024-05-09 01:59

Platform

win10v2004-20240426-en

Max time kernel

137s

Max time network

135s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old/blob/main/ß.zip

Signatures

Checks computer location settings

Description | Indicator | Process | Target | Count
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A | 1

UPX packed file

upx
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 3
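The three UPX matches above carry no detail rows; the sandbox reached that verdict from static traits of the packed file. What follows is an added example, not code from the report or from the sample's author, showing the two cheapest static checks a triage script can make: the UPX0/UPX1/UPX2 section names and the "UPX!" header magic, backed by a per-section Shannon entropy measure for builds whose section names were renamed. The PE images it inspects are built in memory by build_minimal_pe() and are constructed fixtures, not bytes from ß.zip; the 7.2 entropy cut-off is an assumed threshold.

```python
"""Static check for UPX packing by parsing the PE section table, with a Shannon-entropy
heuristic for the case where the packer's section names have been renamed. Added
example, not part of the sandbox report; it does not touch the ß.zip sample. The PE
images it runs on are built in memory by build_minimal_pe() and are fixtures only."""
from __future__ import annotations

import math
import random
import struct
from collections import Counter

PE_SIGNATURE = b"PE\0\0"
SECTION_HEADER_SIZE = 40            # sizeof(IMAGE_SECTION_HEADER)
PE32_OPTIONAL_HEADER_SIZE = 0xE0


def pe_sections(data: bytes) -> list[tuple[str, bytes]]:
    """Return (name, raw_bytes) per section, or raise ValueError if this is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt                          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        hdr = data[table + i * SECTION_HEADER_SIZE: table + (i + 1) * SECTION_HEADER_SIZE]
        if len(hdr) < SECTION_HEADER_SIZE:
            raise ValueError("truncated section table")
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)    # SizeOfRawData, PointerToRawData
        sections.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return sections


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for compressed or encrypted data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def upx_indicators(data: bytes, entropy_threshold: float = 7.2) -> dict:
    """Collect the textbook UPX traces plus any section whose entropy looks packed."""
    sections = pe_sections(data)
    return {
        "upx_section_names": [n for n, _ in sections if n.upper().startswith("UPX")],
        "upx_marker": b"UPX!" in data,               # the packer's own header magic
        "high_entropy_sections": [n for n, raw in sections
                                  if shannon_entropy(raw) > entropy_threshold],
    }


def looks_upx_packed(data: bytes) -> bool:
    """True on the textbook UPX traces; a renamed-section build only shows up via entropy."""
    ind = upx_indicators(data)
    return bool(ind["upx_section_names"]) or ind["upx_marker"]


def build_minimal_pe(sections: list[tuple[str, bytes]], marker: bytes = b"") -> bytes:
    """Constructed fixture: header-only PE32 with the given sections' raw data appended.
    The optional marker is placed between the headers and the section data; real UPX
    keeps its 'UPX!' PackHeader in the file too, at a position that varies (assumption)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, PE32_OPTIONAL_HEADER_SIZE, 0x0102)
    opt = bytes(PE32_OPTIONAL_HEADER_SIZE)
    table, blobs = b"", b""
    ptr = 0x40 + 4 + 20 + PE32_OPTIONAL_HEADER_SIZE + SECTION_HEADER_SIZE * len(sections) + len(marker)
    for name, raw in sections:
        hdr = bytearray(SECTION_HEADER_SIZE)
        hdr[:8] = name.encode("ascii").ljust(8, b"\0")[:8]
        struct.pack_into("<II", hdr, 16, len(raw), ptr)    # SizeOfRawData, PointerToRawData
        table += bytes(hdr)
        blobs += raw
        ptr += len(raw)
    return bytes(dos) + PE_SIGNATURE + coff + opt + table + marker + blobs


# Fixtures (constructed, not derived from the sample): deterministic pseudo-random bytes
# stand in for the compressed payload that UPX stores in UPX1.
_rng = random.Random(7)
PACKED_PE = build_minimal_pe(
    [("UPX0", b""), ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))), (".rsrc", bytes(64))],
    marker=b"UPX!")
PLAIN_PE = build_minimal_pe([(".text", b"\x90" * 512 + b"\xC3"), (".data", b"A" * 64)])

if __name__ == "__main__":
    print("packed:", upx_indicators(PACKED_PE))
    print("plain: ", upx_indicators(PLAIN_PE))
```

Renaming the sections or patching the magic defeats the first two checks, so a miss means "not obviously UPX", not "unpacked"; the entropy list is the fallback signal. Unpacking a real sample with `upx -d` belongs in the sandbox, not on the analyst's workstation.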

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target | Count
N/A | raw.githubusercontent.com | N/A | N/A | 3

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target | Count
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\1690.tmp\mbr.exe | N/A | 1
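The signature records a handle to \??\PhysicalDrive0 opened for modification by the dropped mbr.exe; it does not show the bytes written, so the report alone does not say whether the sector still boots. The following is an added example, not taken from the report, that an incident responder can run over a sector image to answer that: parse the 512-byte MBR, check the 0x55AA boot signature, hash the 440-byte bootstrap region against a known-good baseline, and list the partition table. The two sectors it runs on are constructed in memory and are not real disk data; read_live_mbr() shows how the real sector would be read on Windows (administrator rights required) and is not exercised here.

```python
"""Integrity check for the first sector of a disk. Added example, not part of the
sandbox report: the signature only records that mbr.exe opened PhysicalDrive0 for
modification, not what it wrote, so the check compares a sector against a known-good
baseline instead of looking for one specific payload. The sectors below are
constructed fixtures, not real disk data."""
from __future__ import annotations

import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440            # bytes 0..439: bootstrap code, before the 4-byte disk signature
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446           # four 16-byte partition entries
BOOT_SIG = b"\x55\xAA"         # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot-code hash, disk signature and partition table."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-first(3) type(1) CHS-last(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype:                                   # type 0 means an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "valid_signature": sector[510:512] == BOOT_SIG,
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def mbr_findings(sector: bytes, baseline_boot_code_sha256: str) -> list[str]:
    """Return what differs from a healthy MBR; an empty list means nothing to report."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    if not info["partitions"]:
        findings.append("partition table empty")
    return findings


def read_live_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Windows only and needs administrator rights; not used by the fixtures below."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def make_sector(boot_code: bytes, partitions=(), disk_sig=0x1234ABCD, signed=True) -> bytes:
    """Constructed test fixture, not real disk data."""
    s = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    s[:len(code)] = code
    struct.pack_into("<I", s, DISK_SIG_OFF, disk_sig)
    for i, (status, ptype, start, count) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", s, PART_TABLE_OFF + 16 * i, status, ptype, start, count)
    if signed:
        s[510:512] = BOOT_SIG
    return bytes(s)


# Fixtures: a short JMP stub stands in for real bootstrap code.
CLEAN_MBR = make_sector(b"\xEB\x3C\x90" + b"\x90" * 100, [(0x80, 0x07, 2048, 204800)])
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# Boot code replaced but the rest of the layout left intact (the quiet variant).
BOOTCODE_SWAPPED = make_sector(b"\xCC" * BOOT_CODE_LEN, [(0x80, 0x07, 2048, 204800)])
# Whole sector overwritten without regard to layout: no signature, no partitions.
OVERWRITTEN = make_sector(b"\x90" * BOOT_CODE_LEN, [], disk_sig=0, signed=False)

if __name__ == "__main__":
    for label, sec in [("clean", CLEAN_MBR), ("swapped", BOOTCODE_SWAPPED), ("overwritten", OVERWRITTEN)]:
        print(label, mbr_findings(sec, BASELINE_SHA256) or "ok")
```

Take the baseline hash from a known-clean image of the same Windows build before comparing. On a UEFI/GPT machine sector 0 holds only a protective MBR, so the boot-code hash still catches an overwrite, but recovery goes through the EFI system partition rather than the MBR.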

Drops file in Windows directory

Description | Indicator | Process | Target | Count
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\SysWOW64\mspaint.exe | N/A | 8

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target | Count
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A | 1
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A | 1

Modifies registry class

Description | Indicator | Process | Target | Count
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Windows\SysWOW64\explorer.exe | N/A | 8
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A | 1
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A | 1

Runs ping.exe

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A | 52

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A | 10
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A | 2
N/A | N/A | C:\Windows\SysWOW64\mspaint.exe | N/A | 16

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A | 1
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A | 1

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A | 34
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe | N/A | 30

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A | 24

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 5016 wrote to memory of 5052 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 2
PID 5016 wrote to memory of 3920 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 40
PID 5016 wrote to memory of 4816 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 2
PID 5016 wrote to memory of 3272 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | 20

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old/blob/main/ß.zip

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb324046f8,0x7ffb32404708,0x7ffb32404718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5484 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\ß\ß.exe

"C:\Users\Admin\Downloads\ß\ß.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1690.tmp\b.cmd""

C:\Users\Admin\AppData\Local\Temp\1690.tmp\mbr.exe

mbr.exe

C:\Users\Admin\AppData\Local\Temp\1690.tmp\gl1.exe

gl1.exe

C:\Users\Admin\AppData\Local\Temp\1690.tmp\snd.exe

snd.exe

C:\Users\Admin\AppData\Local\Temp\1690.tmp\ms.exe

ms.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x344 0x304

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K s.bat

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs"

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe

bomb.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\cmd.exe

cmd.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\notepad.exe

notepad.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\mspaint.exe

mspaint.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs"

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe

bomb.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\cmd.exe

cmd.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\notepad.exe

notepad.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\mspaint.exe

mspaint.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs"

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe

bomb.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\cmd.exe

cmd.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\notepad.exe

notepad.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\mspaint.exe

mspaint.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs"

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe

bomb.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\cmd.exe

cmd.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\notepad.exe

notepad.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\mspaint.exe

mspaint.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs"

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe

bomb.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\cmd.exe

cmd.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\notepad.exe

notepad.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\mspaint.exe

mspaint.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs"

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe

bomb.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\cmd.exe

cmd.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\notepad.exe

notepad.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\mspaint.exe

mspaint.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs"

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3016 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe

bomb.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\cmd.exe

cmd.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\notepad.exe

notepad.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\mspaint.exe

mspaint.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs"

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe

bomb.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\cmd.exe

cmd.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\notepad.exe

notepad.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\mspaint.exe

mspaint.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs"

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe

bomb.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\cmd.exe

cmd.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

C:\Windows\SysWOW64\notepad.exe

notepad.exe

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 2

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 154.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 140.82.112.22:443 collector.github.com tcp
US 140.82.112.22:443 collector.github.com tcp
US 185.199.108.154:443 github.githubassets.com tcp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 22.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.137:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 137.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
BE 2.17.196.137:443 www.bing.com tcp
US 8.8.8.8:53 api.github.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.210:443 api.github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ea98e583ad99df195d29aa066204ab56
SHA1 f89398664af0179641aa0138b337097b617cb2db
SHA256 a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6
SHA512 e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

\??\pipe\LOCAL\crashpad_5016_WXWIZIZJGORKBVQG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4f7152bc5a1a715ef481e37d1c791959
SHA1 c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7
SHA256 704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc
SHA512 2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 aa9887896ba81ff38f252c6b6d117e8c
SHA1 8920e2dec90b2d5ed6fa2fbc8c2997b22fcf72d5
SHA256 b6111168d201f2f64d0e58b83afaba6e115d659d3801a1106f236bc1351fc52c
SHA512 daef41a855d88316573b6b3447228ecac7b3964136afafb869e3054fb59f422e5847552f484a1e115d0fb98c959e3052b4173263dc6fe56753799754e032aaf6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f4c70c9a01b6f2df2714ea1d1a378242
SHA1 78a0d2da324f192edfb7a678b4a06397cf8d5ca1
SHA256 0320054fbe868ba058d4d594f91bd3ac82b8fc73f0417a2c5e0b28264cc6754e
SHA512 3c1d384d44f58f246dd092e3b3e8f774abba3ac9e1fdc6f5e564affa90883b070ab71fc4759fb157f9651f0a2e512e7b0ac2942e167ae04823c1959548004e5e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 81a637aafc80b3ddd7cdc104dfebd9b8
SHA1 8e10a2a782566c441cde12f17114da370e1e8cf5
SHA256 fe0a5c99393725dd9b6dae49eb7e833499636a61f36f3b8f69cfe6a1e12f67fe
SHA512 9dec473599cc28e89d4abb48b3f40992e702db99d17e47404ec944b2d1cdf917ef146aefd2fc89c1cde794f1b292df8828d63ed2a38fad5f593279fd954d9254

C:\Users\Admin\Downloads\ß.zip

MD5 5c19f6795f6b88dec99c97a16521a314
SHA1 bb0b93dd41a9a4e8af31f7dff90752c620d227ec
SHA256 27e9d27d879bbc5b0e8def3bea868187914643bad76e1e7be6c2968f9ef69415
SHA512 98d70eb859015e6645f0b6d8c687c83b1abe35e1bbc0bd97b5814cacb8b202704c56e4bcbe14933dfa689f9399e17bb264e8e84a22ce94300fbd0ea10fbb8419

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 eea2ee504a303daf4faf1ce47d4ffc22
SHA1 09be72f60d1f1843847308a0ef2a2ea48afabe38
SHA256 d5ce6b76d1609095c7a6020cbdb1aaa47dfb146f5fcbc766b60c4c1695546756
SHA512 1dd4b983b835a479bf089f86a552d8e95071c0cb7dea676974445c2c4dbee4d68ffa37b56c5ad5edad0b7a5c922da3e207d5ea1917491695e145d02b3a3e4534

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a57dfbb093c1d37db6bed04ccc3e582c
SHA1 bb1df0126cac7b5211ead4c2e4ef1e2ecb3e1551
SHA256 c02256af18ededf9836e5c260a279d5b059987aa0da92dbe7ca28a6468f5b257
SHA512 ef391ca82c34f1b072d3bf38459bcb05f4f6ea39cc49bb1604fcca873518bbee190fd0aa5191b202ad19f97d670051be1182c6bf6ab81ae7831cb1ec34018651

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d2e0.TMP

MD5 9ebe75c8b2d87ef712fb132c9daa1540
SHA1 fb86ea5f612bb9c2b7dba8b21c60d1e5c0c52a42
SHA256 f8bba7d7ddca46d5f8cee8dbd40289d154e3066a4325a6ad44e58dfb2cce0e37
SHA512 e2615e4a383cc6a38cebaf7c63933b90b9fd6d2a72ad406da0f9d9faec038bae28201a3fa03df6503fa2cae64bc1f6fea4a5f286c93ea24f03f5141fd4fcc0e0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 64f26faa274d4d6df3ed44f758da19a8
SHA1 d4aa547ec096d77e83084f6ac581c16d1967b2de
SHA256 1ca2a27134d549b4f0c272152e16e721b24964ac0a7d599b7242b5be5dc33bdc
SHA512 47e4659109252e8560ce27483647b4443f063ba0da67041e7bba166466cd93f044671b31a52d5823a66e0bcfa1ee5196efa03794ac31d195c00ea21d2cef081a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3406b9192799145f7015e9f32593cc81
SHA1 a2b88a4484ca24ead67a089dd7868547229b173b
SHA256 ed342393b6d69a166de154be8b0204f977706203c787ee1d7223c94add327c30
SHA512 242ccfe2b358b5411c95cc166067703ab23101190889c034188e3a9ce4a5672b5d4d4651baa74e2b32b143f9ae035257c0a9bf0b162c80bd3cc66722ff8d4b44

memory/3396-206-0x0000000000400000-0x00000000006C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1690.tmp\b.cmd

MD5 7767b841856bb8e51080abd912f8c090
SHA1 79d401dd0b42aee9a13f517e98393f39019f36a7
SHA256 e369286a0f1d7e59c79bafb9a94b3adbf32aa10ba25ce76bc7645fea47a083d6
SHA512 55b872ef28df84db544567d4da09217d27467995af5f936d508c507c59ab5282fd35be171ea12282767548e1dcf988a991f9a5b9362752e303918ca4948efb4d

memory/3396-243-0x0000000000400000-0x00000000006C5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\21038447-2a7e-435f-883d-fdb2af1d1501.tmp

MD5 7a81f45d472251741b5bc6f76f32f43f
SHA1 253a7dbeb234b1445c2cc09c4db63d7107021cc2
SHA256 8e67b42a9bb606b4245679a28a064e210fe82cfd561fb7ceb3c6f9dbcfe114f4
SHA512 c5cd04bf14e03e599d60855ab7472b86c2988540c2c358794df1fc0c4fb6bc17b8de1550dd9977411e41cf74b11e45e3dff6959f7d856791894be95eab171119

C:\Users\Admin\AppData\Local\Temp\1690.tmp\mbr.exe

MD5 6b84af847832248cef36e03b4132453f
SHA1 2fbb12aba732147cc9381aa0979391632fb1401f
SHA256 d99a0361d5548a7dbd6ea3309783e4cb2df3c31c8d6ce361f6d4b48e918733f8
SHA512 d640e9b371c877b35214c9dc01cd77275415080fd1cf395c7be1e877d985372ef3a85b654606b0cbb559554bf196bf4991cd4fa9a1aee47abe2a13c8f070fd19

C:\Users\Admin\AppData\Local\Temp\1690.tmp\snd.exe

MD5 7baad7b6dcd387183540a1a771e1b8d5
SHA1 8fb4bc170b6e3050135e0c7b651441dbe963d7fc
SHA256 57e598fa7a93d50258afb6e563266521ae0bd35e6f80b247eb24a31a56a32461
SHA512 cfb85b10af70cc053a7c31a5d64741286b64eebd8ac9f3a97e6ed9989e81c629041808ce337d7b8c590f069da9a05e38e9b8dcf89b70e561362bff010732800b

memory/644-282-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1690.tmp\noise.wav

MD5 a99000b0aedace2b4841d4b01e6fe48b
SHA1 372c50410d5a4e472a75ec39b4d38ae0e4e151a9
SHA256 9d46682f2f64ba992c1e29d0806578c883e48f9135f03265b7115b06d028c3ce
SHA512 5c06f4e4a8cbf5dcade1ec0df3a6a0200f0cc6b44dfb74bce84026a56b399db15e6e21f486039a887ac74fcd08369e920c25a24d2226a529081e16ed13f8e167

C:\Users\Admin\AppData\Local\Temp\1690.tmp\gl1.exe

MD5 ac0cdb57f020158a4f356f0f819ac9a8
SHA1 2fa07803943314ff4ff9a6ece448caccf327db54
SHA256 a47b0210f10011d86c59f19f929a860eaa2bd363ec1e01927c4edad404656b4b
SHA512 a12a7441a107df43682bfe581d56891910bf8906b18a4049e822828c5d6d376e32ee69fc7f983afe98e9c1067e2962fa2895b643e4699568c4e053d89ca7b1eb

C:\Users\Admin\AppData\Local\Temp\1690.tmp\ms.exe

MD5 463105e9dfbd6ee7c77dc9f132cd2e18
SHA1 745c72dae5f2e6c87dcdd38494cc06a97f098fdc
SHA256 28062fa9ca886c24946e4065e584b692ee4867a06fce1d47902763b697283a2b
SHA512 f34bb490737a73ab4f1b5e4e02664dfd645d0e65049f0bebbbcda084514d8cd7dbe530978dea590110db1bf4c3dc9681b63d499866c2263f6091b801a44e8174

memory/3396-288-0x0000000000400000-0x00000000006C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1690.tmp\s.bat

MD5 ce20abe08536b3192e81357b30e038fa
SHA1 66a3eba276d5c5269036d8610ae3084a40023023
SHA256 b8474c600fd8b10214fb2c209b2e62c41fff572af34e74cd4c2a56cb719fbcc0
SHA512 fa796570adc57724671037e66d37aced6acef23322144307b5b1d673764cfc9064ffea1ef8b3d0a8a9ed08380fea281ac2f485dc596576ce5cb27ab6edc1857c

C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs

MD5 798884d2853d71b9f68f3070069b0f93
SHA1 bd2acdcbb4bf498e58c2e6916ab436f166b8c8f2
SHA256 e455d1b3f576e1c5652c53436ffe048aed426534d2077810e1724456687375ff
SHA512 47932f2b611e3acb8156b7f5e14c4532f11b9c57168eb8b4c77c4dfd37f4b73ec11542c207a92183b87061e3f915d4d2c3440f7430838e8d6ed4502007ee0214

C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe

MD5 05ad3f85b73e5ff86504f8dcc55b5d42
SHA1 927d4554328cc6d767a566c3c6cb54c16d58857a
SHA256 124cf5ca90e7aaede685fe0cda72b6a63b80583d2d5ec04d5baeb4a1851c48af
SHA512 6fda7808e0b96caf3a1ff35734fec63f1e78cca6ae0abaa54fd5dd7bca6299a587b8f2c455b9385d7cf9b9cd9b74edbab1e37d8f98e8777059b3c3e2964feb18

C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs

MD5 33f3ede0ae5cd4c85718fd504babfced
SHA1 4fc24ad6bec5962245437097046b5b53b639cbec
SHA256 2019bf184b4a97e0f6d53c67aeb44f794738e1d77b6d0b71a4d73525d6121f9d
SHA512 076e1a2e8b1326b43394653ad794c68a467bcf06c5da06aa7ec527c91eb97c674a0e5c682d1d4f99997fadcaca1221e2a406091f48d40c51d4dfc93f04716cd7

memory/676-306-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4036-305-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2080-304-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Windows\Debug\WIA\wiatrace.log

MD5 7c8c997f9370b74cb2eba7152cc850cf
SHA1 5a9f903c66817db24220156a33e60c5768daefb7
SHA256 a930c9a7d1ff451026a7a62c93280cdc313c57cff35166a13a4eeaa0c54ee979
SHA512 c88defd811bb21afc9c479e5a7f061cbcef7cb981a65d248230ba7a11e5e6c3d7b4359dc8908459527f98b203924e0bd8b8e5ac8b1f39ff73e4824b36046f085

memory/4552-308-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs

MD5 521b228f69b44b9e6ccdee7e2fd758ae
SHA1 57de35cdc32bc8ec3ccb6a8343eb21084d6bd19f
SHA256 5f0cbbae0d5b040c08d30792a949fe20e4b8104eac188fd55d9832b071129784
SHA512 e75a0aec27585e59b65457a9304a6e616981a7e5ddcd58c909cfaa5409675570fdbc7c35d4d945381d61cfeff637b9aadce00bc5e45b382b1e0c1a1e233f7966

memory/4872-315-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5464-316-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4552-317-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\Debug\WIA\wiatrace.log

MD5 9fc445551f4b69bcb5ef55e8a756a5b4
SHA1 62fb9472f4f94999cb8c5877b434b0abea9ac3b0
SHA256 f51d9f5cfe46cec2e1a56cd65ba6b1abf6deae294156e043ad94600a7201f702
SHA512 b92140b52bc865097361cdc70f2a6d60422f782549c9103ab252f8a01337e9e5d0c440957a4592f4a63c3d005754d334d81383f3b848564b10cc72d5e2f1a18a

C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs

MD5 5fc40e9ea2aed98ce72fd9a44197a386
SHA1 d06e3fd0b2a4a74b880a4fb1de6402f88805f46d
SHA256 ae50c80424eb58c46da52b5b83ea0186512d0dcf196346fb33168a772222beba
SHA512 f4be9ab72f004774b4e99971bc5392f916b6aab31295fa8a0dfc15465a18163930b2f242b2c09821482281b96d4fdfeed228e94b7cdbd0a2ef830a5dc6b08f07

C:\Windows\Debug\WIA\wiatrace.log

MD5 2367d9f5e9c0fc1ad728d7c8acd6f4f1
SHA1 c41a40811c2d899ec6b0854651b38f05a15f51e8
SHA256 38a6b436f60094d52cf9b25bdff8f2a03d4fff5263ba326c994e59bb192359ce
SHA512 503e28113ddb501a31f85c372438d191c1dc72e6f435eee326e5c5f04b2250719431ea3eccb2b85a4aa22aa24b7c689c7601b9ab1867f33da8d659372d68273b

C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs

MD5 c8d2c63ad39d23580e3b69faacc3d381
SHA1 8c1cf8ec23e7fa8301d77191c6b60844c4b041ed
SHA256 48fcdeff00c61ac2312dbbaaac22aafbfe3bddb798db835fe6e3015fab8c6208
SHA512 289a55442efdb9ad73b27560ebcde240654da316eae3993ecc59302e665bc9cca57902aa692412ad87a71d9e213693ffc151d58b3c4399219d58fe8aa7332df7

C:\Windows\Debug\WIA\wiatrace.log

MD5 0626788ac9710ce23d8f68f9744022f8
SHA1 036f1914824ddab076868c11d3fe69ae54c34173
SHA256 77bbdbfc83c1c0ac3de92aa67bc884e7711f8398ddaa57310c8bbf9d0ac57df6
SHA512 b560748c3886e13cafb7dc76ab6a4caf24255730d43ec808bc38173f64086baa79e17967a5e5052ac35c2197e6a92cccbb2c3630fb794928f80c7379cfcf8be7

memory/6056-339-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6064-344-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs

MD5 8f213aefb058fc938c9c2139041dfb50
SHA1 817924a2690cdd3a20ae87555bc447330382451c
SHA256 dbc95802af1724f921fbb0a82ffc2573acc75d99f191d78c7db5405d19f5f50a
SHA512 35853696dec2889bd34af7b1da1f1a6afcfc5435a8d80c6baab7eb6ed3e142f313841804266e515a797bda41a62682b30757b38271c5b4a660a8dee477ef612a

C:\Windows\Debug\WIA\wiatrace.log

MD5 f7b91fd20836acd7a729ce619d19f389
SHA1 3dccca8ea5285182f321e5a09a90ade464caded1
SHA256 a3ce1bf7e4ec25bb89739e624a60346e57ca7f83735f69335873036246ff78b5
SHA512 1ee3eddc0cff5f5b3c5003164aa90f9f93c95eb0058390aa92391d8e0b38789a1480c836ff00c4eb450eb55c9b65a470a8d9ccb637e2e1068f82162dfec9e305

C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs

MD5 a32b150dac9dfa10c57900e18661fc3e
SHA1 5953cb83c30af087ad60a7a3ab130db1987f2aa9
SHA256 ce4efe9997453c3d7fbca3778f87753d4396e256510d09a2e59b2ca2de9ba69a
SHA512 28df1eedf6d5d0bbfb2df7ac42d87d718f3e4b86425520d4e4e8d612b18850aac7a51aad46ff708b515ab4ff5403c59e8da1eb7476228874249f3ecfb4008eff

memory/5628-363-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\Debug\WIA\wiatrace.log

MD5 247d1b41727bd5af1ef7e3daa8692e8e
SHA1 39becc3aca8e0e68f2e937caec54468db3b10fd1
SHA256 9332c493803a6b1748f3a2b1e04b6e2d1292363382ca5f1b0e8b1cf741866b26
SHA512 fbe710e0f52efb12cb56b7a4118f2272ebf5d5a5e33ed5e10a26d13d43cc63f731441f4e7e40ca6755565c778acf9388c5de639387ab2dab7553eb960d65f358

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 863e4e54d492304a49ae159e9659bbf0
SHA1 1276ee7781608299bba99d1f194766137168cc5a
SHA256 154e4fa013442e111db3490c650ccd5473797e98ae67ea5b27ed930d02fbfa25
SHA512 a0b81c48ca366abcf65a598d02a134b21f91d983caa2df10654065fe9d0813ed9083f853ebb2ed6e6019e8accae458fcaf07f2a71d7839576d282630e1161a2e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9cee161665b00d8665d8f89296ba1e9b
SHA1 862966ad124846de47bfb63d81c289cc4c748b63
SHA256 3c611282d0b4314b22cb5b80d64be277a0ea2ffa55db82cd02a6f5e2e086e4a0
SHA512 dd03184c12d421eef084993bfdf680c05d8b6b70fbdb24951ea417fddd32f8d2d0213b5bcee6d51dc7fc301fea361ed371e57a5b84fd84f6751f68896ee2ccfb

C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs

MD5 b8da7c065c6cf60a8bb87ae2c08ecbde
SHA1 4cae9a4af4100700f2a27c0ae2277e4c723917c2
SHA256 dfe116c55437ce858201ca6bbe3270726ddfd98c567352d1ec6a55ee0ec58576
SHA512 e03673c7198a5255867c9ef03bad8a00079a40fa6994148e58f53c5c58f3687c2929f170ebcbf1bcda0e191a7ef9afaa4d316b4d5442ca8d789fcdd145cdba28

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c97747d19d7949149c06d7b05d4396ac
SHA1 3f6c0ff8e2b8367ebcd0c0fc2fc7b4af2f47a7e2
SHA256 4ee8d5b522de09115cd3f84220a1dc683a809a049c1f2b1c225d12b9df2af773
SHA512 01a6b897e1ca6dfc882b7247267149ef9f6ed4dd9bb41b676223c66c8697f374deb3021f1184fbec84bcbe0c68c381d0dbe8a8edcdc76745f788922f4a76d7bf

memory/4864-398-0x0000000000400000-0x000000000043E000-memory.dmp

memory/6056-402-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\Debug\WIA\wiatrace.log

MD5 691821e7fffb12e0f2764deb4560b8cc
SHA1 cef5f8d24de2cfea9fb86ec2ce8f4bc9f5f3702f
SHA256 a701365eda3d93383944d9de316f4d73c0b7753ccc10478d175067c958793b8c
SHA512 ce57406de9d6439545eae0d3a41102df887b28151cdf3286e9110822997cca157d949b8bd21b3312b470ed56f9d7792fb3cf4e17ea2d6b45f04c6855abb0f160

memory/6056-406-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs

MD5 e60e18316982f812bd11223845d78bd5
SHA1 5252460b412b17069a257246a47e8ea897611048
SHA256 607091b470d1d6d1efd00c38f1c8772a112c78b91a295293a48fc32d4211f317
SHA512 9c18fb27c2056d687dc8c702a1489888e9bbfe3fb01c80a3c91aea29bdecda33c71308e66b286b42dd2dcf6170810668d36802152f194c3218338987a5202352