Analysis
max time kernel: 51s
max time network: 51s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 22-05-2024 21:09
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus.exe
Resource: win11-20240426-en

General
Target: https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus.exe

Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 8 IoCs)
All eight entries are "Set value (str)" on \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit. The value written is "C:\\Windows\\system32\\userinit.exe," followed by N comma-separated copies of "C:\\Windows\\system32\\Windupdt\\winupdate.exe":
N | process
5 | winupdate.exe
6 | winupdate.exe
7 | winupdate.exe
8 | winupdate.exe
1 | Blackkomet.exe
2 | winupdate.exe
3 | winupdate.exe
4 | winupdate.exe

Downloads MZ/PE file

Sets file to hidden (1 TTPs, 16 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
pid process: 4732 attrib.exe, 2264 attrib.exe, 2140 attrib.exe, 2956 attrib.exe, 2316 attrib.exe, 4908 attrib.exe, 4732 attrib.exe, 2736 attrib.exe, 4804 attrib.exe, 2560 attrib.exe, 4072 attrib.exe, 1424 attrib.exe, 4728 attrib.exe, 2184 attrib.exe, 3112 attrib.exe, 2072 attrib.exe

Executes dropped EXE (8 IoCs)
pid process: 2104 Blackkomet.exe, 2300 winupdate.exe, 1576 winupdate.exe, 3684 winupdate.exe, 4572 winupdate.exe, 2424 winupdate.exe, 1712 winupdate.exe, 2808 winupdate.exe

Adds Run key to start application (2 TTPs, 11 IoCs)
All eleven entries are "Set value (str)" on \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe", written by (in order): winupdate.exe, winupdate.exe, winupdate.exe, notepad.exe, Blackkomet.exe, notepad.exe, winupdate.exe, notepad.exe, winupdate.exe, winupdate.exe, winupdate.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
flow ioc: 2 raw.githubusercontent.com, 12 raw.githubusercontent.com, 29 raw.githubusercontent.com

Drops file in System32 directory (43 IoCs)
count | description | ioc | process
7 | File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
7 | File opened for modification | C:\Windows\SysWOW64\Windupdt\ | winupdate.exe
7 | File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | winupdate.exe
7 | File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | attrib.exe
7 | File opened for modification | C:\Windows\SysWOW64\Windupdt | attrib.exe
3 | File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | notepad.exe
1 | File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe:SmartScreen:$DATA | Blackkomet.exe
1 | File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier:$DATA | Blackkomet.exe
1 | File created | C:\Windows\SysWOW64\Windupdt\winupdate.exe | Blackkomet.exe
1 | File opened for modification | C:\Windows\SysWOW64\Windupdt\ | Blackkomet.exe
1 | File opened for modification | C:\Windows\SysWOW64\Windupdt\winupdate.exe | Blackkomet.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe

Modifies registry class (8 IoCs)
All eight entries are "Key created" on \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ by (in order): winupdate.exe, winupdate.exe, winupdate.exe, Blackkomet.exe, winupdate.exe, winupdate.exe, winupdate.exe, winupdate.exe

NTFS ADS (2 IoCs)
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 576499.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Blackkomet.exe:Zone.Identifier | msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid process: 1824 msedge.exe (x2), 4984 msedge.exe (x2), 1272 msedge.exe (x2), 2484 identity_helper.exe (x2), 4796 msedge.exe (x2)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
pid process: 4984 msedge.exe (x7)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token | pid process
2104 Blackkomet.exe (24 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
2300 winupdate.exe (24 entries): the same 24 tokens as 2104, in the same order
1576 winupdate.exe (16 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege

Suspicious use of FindShellTrayWindow (35 IoCs)
pid process: 4984 msedge.exe (x35)

Suspicious use of SendNotifyMessage (12 IoCs)
pid process: 4984 msedge.exe (x12)

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | target process
All 64 entries are "PID 4984 wrote to memory of <target PID>", source 4984 msedge.exe, target msedge.exe. Target PIDs in order of appearance: 3700 (2 entries), 2632, 1824 (2 entries), 3812; the 2632 and 3812 entries account for the remaining 60.

Views/modifies file attributes (1 TTPs, 16 IoCs)
pid process: 2264 attrib.exe, 2316 attrib.exe, 4072 attrib.exe, 3112 attrib.exe, 4732 attrib.exe, 4728 attrib.exe, 2140 attrib.exe, 2184 attrib.exe, 2072 attrib.exe, 2736 attrib.exe, 4908 attrib.exe, 4732 attrib.exe, 2956 attrib.exe, 4804 attrib.exe, 2560 attrib.exe, 1424 attrib.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/CoronaVirus.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8b4ce3cb8,0x7ff8b4ce3cc8,0x7ff8b4ce3cd82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5848 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6112 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\Blackkomet.exe"C:\Users\Admin\Downloads\Blackkomet.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Downloads\Blackkomet.exe" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\Downloads" +s +h3⤵
- Sets file to hidden
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\notepad.exenotepad5⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad7⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h7⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h7⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h9⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\SysWOW64\Windupdt" +s +h9⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe"C:\Windows\system32\Windupdt\winupdate.exe"9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\SysWOW64\notepad.exenotepad10⤵
- Adds Run key to start application
- Drops file in System32 directory
-
C:\Windows\SysWOW64\attrib.exe | attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h | tree depth 10
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\attrib.exe | attrib "C:\Windows\SysWOW64\Windupdt" +s +h | tree depth 10
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SysWOW64\notepad.exe | C:\Windows\SysWOW64\notepad.exe | tree depth 7
-
C:\Windows\SysWOW64\notepad.exe | C:\Windows\SysWOW64\notepad.exe | tree depth 6
-
C:\Windows\SysWOW64\notepad.exe | C:\Windows\SysWOW64\notepad.exe | tree depth 5
-
C:\Windows\SysWOW64\notepad.exe | C:\Windows\SysWOW64\notepad.exe | tree depth 3
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1 | tree depth 2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1 | tree depth 2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1 | tree depth 2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,9156758072805136766,13633523887241981131,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1 | tree depth 2
-
C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding | tree depth 1
-
C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding | tree depth 1
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 de47c3995ae35661b0c60c1f1d30f0ab
SHA1 6634569b803dc681dc068de3a3794053fa68c0ca
SHA256 4d063bb78bd4fa86cee3d393dd31a08cab05e3539d31ca9f0a294df754cd00c7
SHA512 852a9580564fd4c53a9982ddf36a5679dbdce55d445b979001b4d97d60a9a688e532821403322c88acc42f6b7fa9cc5e964a79cbe142a96cbe0f5612fe1d61cb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 704d4cabea796e63d81497ab24b05379
SHA1 b4d01216a6985559bd4b6d193ed1ec0f93b15ff8
SHA256 3db2f8ac0fb3889fcf383209199e35ac8380cf1b78714fc5900df247ba324d26
SHA512 0f4803b7b7396a29d43d40f971701fd1af12d82f559dcfd25e0ca9cc8868a182acba7b28987142c1f003efd7dd22e474ac4c8f01fe73725b3618a7bf3e77801d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 1KB
MD5 043348c1acb71c0431399817001c553c
SHA1 6ade305fd9923e2b0c6ac4301f4dfe3c629fbc34
SHA256 f6c506cf0fdebf7c73b73e3db374f53df66a690ae569a54e76e98e081057d475
SHA512 8bbee05504d7394407908b2f122761e60c3455d51f8f9562b4cd564364fcb1f900b9fadd9504168e9707db9d1e7d8ca2d7650e6a68fb27833d19cfe8386420c5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 5KB
MD5 e74e3d917f62d208bef485cae936471d
SHA1 b4ad8c83256a78bdfcb01856d548ee47e9337ac9
SHA256 3a1e4963ca2f17e30cef94221e1d29a79c6294c7d65d2ec42b48b9f6c3acf347
SHA512 54af36d57d70f909b2122b14d60fb8bd5e1022e8f67f03cde9555f468f267f00deddc5aa447e72f0c8f9e71452777e741de80d0800367e76a95a45f82794b2d3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 6KB
MD5 dc0379be0de049b88507863d561314a6
SHA1 7bb59d013a59231479b8b5a2132589dbb23ca293
SHA256 37a6dd7e7cd490d3fcce019b45e6ae25235bf63e0be445f3b57fd8f1f5d5bc09
SHA512 920b797fce9eb0a2c5295273dc4530bfce07108109d3e9f8de90972070e210c9891272d419ae6216394344a46a254cb4e46c2a1b8a752cdeccc336a4cd7a48bf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize 1KB
MD5 cc3cfe63ed74de3f091ab7431b88089b
SHA1 ab3820f6945794b041d930d18d3c18e3e93dca44
SHA256 fb88d78b99add55ea31d14c0b707d356f8b0ef405037d52114ecf627cc0d6bdb
SHA512 c4b347d80fc386cc9d271126ab3bcb36ef2f76d6020fa1c2b9378b55789926876337d3ff3603361e64e65ec0c2fe139b953b3445a512ce685231dd3da0c00b2f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58199e.TMP
Filesize 1KB
MD5 2c1f0b722d6cf65f51e4f71ad12b8a04
SHA1 4fb94b89ac6cedaf60cf5388f25460bc83ee8947
SHA256 4a25b5eeade8112b646c0ab78fb70594e6193f94f9a2bee490bc6a7a3c425ee9
SHA512 691a2130f63bcbbeefa91d95e5f6d7766bb489d3a765bfced6a8a37ed56fb14e75d6878bd0045400bb02aa1d72a898c3d95f251493467bfb990aae4ff98c9745
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize 16B
MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 11KB
MD5 f9c6d81b9963755e1f0e5f6235189975
SHA1 96d8b24451338882c3a67c9fc27345cd89a20a4f
SHA256 6856e190d5cc2bda8fac687c550b3384ff76f0741a66cd174f3dd0fc95bac432
SHA512 0e27d9c919c6c22d8f9dfe229db1d53366a6a8b0230f7d7221e2d12419dd0f621cdd327dcc43061f29f97e2ddabcd4624bfe11f4ec3073f5370b501550bde6b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 11KB
MD5 7935e916d32090477f0abc22a9c79d7d
SHA1 d7ce9f6d1e1d27865536c65290c390881280270d
SHA256 1ea46b91c1203f1190db35595d334ba01538f6b399ca1928faebb0ffc31323f3
SHA512 5bca371cba7c3c8c441de13d5dd9733cc11ad97e7ca5a457a8c04af3ed59ec906da4709dd4364d2a5ee48210388f671d528761ea4c8594bd3efc11b1e2cecb04
-
C:\Users\Admin\Downloads\Blackkomet.exe:Zone.Identifier
Filesize 115B
MD5 d2a7259c3c335d9a1f3f3f94330fb8ab
SHA1 4ecfc11525f5f12b7d7863ce12ebfce39ff89a78
SHA256 6e9c9cc247799efcafaf3535ff39b7b6e79372b352780ce7b0dfcdc3ce57e84b
SHA512 5c9440832612c20d403d47db06ff6f1f271536a8ca0bc54238daee2b29b3976452ac89b6aa1d0ff4231d9a07603f481cb2c234eb49f5c4a80576e1b9f00ebcff
-
C:\Users\Admin\Downloads\Unconfirmed 576499.crdownload
Filesize 756KB
MD5 c7dcd585b7e8b046f209052bcd6dd84b
SHA1 604dcfae9eed4f65c80a4a39454db409291e08fa
SHA256 0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48
SHA512 c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2
-
C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier
Filesize 210B
MD5 8376e41e1fab81945d87906bec9412a5
SHA1 e05df03d224602918c92b734ed1b734347b920e6
SHA256 5fe95b006cc45e4209011767d8e5579a8880b9f4ecc9c75df3e74487913ed792
SHA512 39806a088c8ef01ae1e6551091fb9e15184bcb6af2fc584eca44d73bd09caa051717e6a47c344852d53ab7f0c41e4d2e82a6f3d16fd11691c1b6d38dc8877218
-
\??\pipe\LOCAL\crashpad_4984_YIKAQBUJPRYNAFTE
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1576-256-0x0000000013140000-0x000000001320F000-memory.dmp
Filesize 828KB
-
memory/1712-270-0x0000000013140000-0x000000001320F000-memory.dmp
Filesize 828KB
-
memory/2104-251-0x0000000013140000-0x000000001320F000-memory.dmp
Filesize 828KB
-
memory/2180-258-0x0000000000650000-0x0000000000651000-memory.dmp
Filesize 4KB
-
memory/2300-253-0x0000000013140000-0x000000001320F000-memory.dmp
Filesize 828KB
-
memory/2424-265-0x0000000013140000-0x000000001320F000-memory.dmp
Filesize 828KB
-
memory/3560-254-0x0000000000630000-0x0000000000631000-memory.dmp
Filesize 4KB
-
memory/3684-259-0x0000000013140000-0x000000001320F000-memory.dmp
Filesize 828KB
-
memory/4572-263-0x0000000013140000-0x000000001320F000-memory.dmp
Filesize 828KB