Malware Analysis Report

2024-09-11 07:24

Sample ID 240531-kszb8sch3z
Target https://github.com/Da2dalus/The-MALWARE-Repo
Tags
discovery evasion exploit persistence upx
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

Threat Level: Likely malicious

The file https://github.com/Da2dalus/The-MALWARE-Repo was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion exploit persistence upx

Possible privilege escalation attempt

Downloads MZ/PE file

Modifies Windows Firewall

UPX packed file

Drops startup file

Modifies file permissions

Executes dropped EXE

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops file in Windows directory

Suspicious behavior: EnumeratesProcesses

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Kills process with taskkill

Checks SCSI registry key(s)

NTFS ADS

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-31 08:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 08:52

Reported

2024-05-31 09:21

Platform

win11-20240508-en

Max time kernel

1675s

Max time network

1662s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo

Signatures

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat C:\Windows\system32\xcopy.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat C:\Windows\system32\xcopy.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A
N/A N/A C:\Windows\SYSTEM32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Netagent = "c:\\windows\\system\\sysfile.exe" C:\Users\Admin\Downloads\Sevgi.a.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\SYSTEM32\takeown.exe N/A
File opened (read-only) \??\V: C:\Windows\SYSTEM32\takeown.exe N/A
File opened (read-only) \??\J: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\R: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\T: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\A: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\E: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\Q: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\U: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\Y: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\W: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\G: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\K: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\L: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\O: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\S: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\P: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\X: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\Z: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\B: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\H: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\I: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\M: C:\Windows\SYSTEM32\mountvol.exe N/A
File opened (read-only) \??\N: C:\Windows\SYSTEM32\mountvol.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setupact.log C:\Windows\System32\oobe\UserOOBEBroker.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log C:\Windows\System32\oobe\UserOOBEBroker.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Sevgi.a.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 808890.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 374717.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\PCToaster.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\L0Lz.bat:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 811600.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 230210.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 872862.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 121574.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\DudleyTrojan.bat:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\BlueScreen.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(row repeated 22 times)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
(row repeated 2 times)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Sevgi.a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SYSTEM32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(row repeated 64 times)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(row repeated 64 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3912 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
(row repeated 2 times)
PID 3912 wrote to memory of 4496 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
(row repeated 40 times)
PID 3912 wrote to memory of 1384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
(row repeated 2 times)
PID 3912 wrote to memory of 2876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
(row repeated 20 times)

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff848d33cb8,0x7ff848d33cc8,0x7ff848d33cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5356 /prefetch:2

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\System32\oobe\UserOOBEBroker.exe

C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6204 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6592 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6548 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6416 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\L0Lz.bat" "

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\system32\net.exe

net stop "SDRSVC"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "SDRSVC"

C:\Windows\system32\net.exe

net stop "WinDefend"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "WinDefend"

C:\Windows\system32\taskkill.exe

taskkill /f /t /im "MSASCui.exe"

C:\Windows\system32\net.exe

net stop "security center"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "security center"

C:\Windows\system32\net.exe

net stop sharedaccess

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop sharedaccess

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode-disable

C:\Windows\system32\net.exe

net stop "wuauserv"

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "wuauserv"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo tasklist "

C:\Windows\system32\find.exe

find /I "L0Lz"

C:\Windows\system32\xcopy.exe

XCOPY "BitcoinMiner.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

C:\Windows\system32\xcopy.exe

XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"

C:\Windows\system32\xcopy.exe

XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"

C:\Windows\system32\xcopy.exe

XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"

C:\Windows\system32\xcopy.exe

XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"

C:\Windows\system32\xcopy.exe

XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"

C:\Windows\system32\xcopy.exe

XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"

C:\Windows\system32\xcopy.exe

XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"

C:\Windows\system32\xcopy.exe

XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"

C:\Windows\system32\xcopy.exe

XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"

C:\Users\Admin\Downloads\Sevgi.a.exe

"C:\Users\Admin\Downloads\Sevgi.a.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\DudleyTrojan.bat" "

C:\Users\Admin\Downloads\BlueScreen.exe

"C:\Users\Admin\Downloads\BlueScreen.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7064 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6844 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6744 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6992 /prefetch:8

C:\Users\Admin\Downloads\PCToaster.exe

"C:\Users\Admin\Downloads\PCToaster.exe"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\PCToaster.exe"

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

C:\Windows\SYSTEM32\attrib.exe

attrib +h C:\Users\Admin\Downloads\scr.txt

C:\Windows\SYSTEM32\diskpart.exe

diskpart /s C:\Users\Admin\Downloads\scr.txt

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SYSTEM32\takeown.exe

takeown /f V:\Boot /r

C:\Windows\SYSTEM32\takeown.exe

takeown /f V:\Recovery /r

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6904 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,8663466515880649286,5016356578645508209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1

C:\Users\Admin\Downloads\PCToaster.exe

"C:\Users\Admin\Downloads\PCToaster.exe"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\PCToaster.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /im lsass.exe /f

C:\Windows\System32\PickerHost.exe

C:\Windows\System32\PickerHost.exe -Embedding

C:\Windows\SYSTEM32\mountvol.exe

mountvol A: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol B: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol D: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol E: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol F: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol G: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol H: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol I: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol J: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol K: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol L: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol M: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol N: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol O: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol P: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol Q: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol R: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol S: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol T: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol U: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol V: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol W: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol X: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol Y: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol Z: /d

C:\Windows\SYSTEM32\mountvol.exe

mountvol C: /d
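
The process list above is the part of this report a detection engineer gets the most out of, because every interesting action is a plain command line: the batch dropper runs net stop against Defender (WinDefend), Security Center, SharedAccess, Windows Update (wuauserv) and Windows Backup (SDRSVC), disables the firewall through the legacy netsh firewall context, kills MSASCui.exe and XCOPYs BitcoinMiner.bat into the Startup folder; the Java payload hides and runs a diskpart script, takes ownership of V:\Boot and V:\Recovery, kills lsass.exe and dismounts every drive letter with mountvol /d. The script below is an added example and not part of the sandbox output: it runs a small regex rule set over process-creation command lines constructed from this report and groups the hits by rule. The rule names, regular expressions and ATT&CK mappings are the author's own assumptions, not fields the sandbox emits. It also allowlists the icacls call on .oracle_jre_usage, which the Java 8 runtime itself issues at launch, so that line is not counted against the JAR.

```python
"""Rule-based triage of process command lines from a sandbox run.

Added example for this report, not sandbox output. SAMPLE_EVENTS is
constructed from the Processes section above (one string per process);
rule names, regexes and ATT&CK mappings are the author's assumptions.
"""
import re
from collections import Counter

# Services the batch file stops (Defender, Security Center, ICS/firewall
# helper, Windows Update, Windows Backup) plus a few common siblings.
_SVC = r"(?:windefend|security center|wscsvc|sharedaccess|mpssvc|wuauserv|sdrsvc|sense)"

# (rule, ATT&CK technique or tactic, regex), matched case-insensitively
# against the whole command line so both the 'net' and 'net1' forms hit.
RULES = [
    ("stop-security-service", "T1562.001",
     re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?' + _SVC + r'\b', re.I)),
    # The report spells the legacy form 'mode-disable'; accept that,
    # 'mode=disable' and the modern advfirewall form.
    ("disable-firewall", "T1562.004",
     re.compile(r'\bnetsh(?:\.exe)?\s+(?:advfirewall\s+set\s+\w+\s+state\s+off'
                r'|firewall\s+set\s+opmode\s+(?:mode[=-])?disable)', re.I)),
    ("kill-security-tool", "T1562.001",
     re.compile(r'\btaskkill(?:\.exe)?\b.*?/im\s+"?(?:msascui|msmpeng|nissrv)', re.I)),
    # Killing LSASS forces a reboot; where LSASS is a protected process the
    # kill is denied, so this flags intent rather than outcome.
    ("kill-lsass", "T1529",
     re.compile(r'\btaskkill(?:\.exe)?\b.*?/im\s+"?lsass\.exe', re.I)),
    ("startup-persistence", "T1547.001",
     re.compile(r'\b(?:xcopy|copy|move|robocopy)(?:\.exe)?\b.*?\\Start Menu\\Programs\\Startup', re.I)),
    ("hide-file", "T1564.001",
     re.compile(r'\battrib(?:\.exe)?\s+(?:[+-][rash]\s+)*\+h\b', re.I)),
    # The diskpart script is not in the report, so only scripted use is flagged.
    ("diskpart-script", "Impact (script not captured)",
     re.compile(r'\bdiskpart(?:\.exe)?\s+/s\s+\S+', re.I)),
    ("takeown-system-dirs", "T1222.001",
     re.compile(r'\btakeown(?:\.exe)?\s+/f\s+\S*\\(?:boot|recovery|windows|efi)\b', re.I)),
    ("acl-grant-everyone", "T1222.001",
     re.compile(r'\bicacls(?:\.exe)?\s+.*?/grant(?::r)?\s+"?everyone\b', re.I)),
    ("dismount-volume", "Impact",
     re.compile(r'\bmountvol(?:\.exe)?\s+[a-z]:\s+/d\b', re.I)),
    # 'net session' is denied unless elevated; droppers use it as an admin probe.
    ("elevation-check", "Discovery",
     re.compile(r'\bnet1?(?:\.exe)?\s+session\s*$', re.I)),
]

# Known-benign noise: the Java 8 runtime runs this icacls on its own
# usage-tracking directory at launch, so it says nothing about the JAR.
ALLOWLIST = [
    re.compile(r'\bicacls(?:\.exe)?\s+C:\\ProgramData\\Oracle\\Java\\\.oracle_jre_usage\s+/grant', re.I),
]


def classify(cmdline):
    """Return every (rule, technique) pair whose regex matches the command line."""
    return [(name, tech) for name, tech, rx in RULES if rx.search(cmdline)]


def is_allowlisted(cmdline):
    return any(rx.search(cmdline) for rx in ALLOWLIST)


def triage(events):
    """Group command lines by matching rule, dropping allowlisted noise."""
    hits = {}
    for cmd in events:
        if is_allowlisted(cmd):
            continue
        for name, _tech in classify(cmd):
            hits.setdefault(name, []).append(cmd)
    return hits


def summary(events):
    """Events per rule after allowlisting."""
    return Counter({name: len(cmds) for name, cmds in triage(events).items()})


# Constructed from the report's process list (three of its 26 mountvol lines).
SAMPLE_EVENTS = [
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\L0Lz.bat" "',
    r'net session',
    r'net stop "SDRSVC"',
    r'C:\Windows\system32\net1 stop "WinDefend"',
    r'taskkill /f /t /im "MSASCui.exe"',
    r'net stop "security center"',
    r'net stop sharedaccess',
    r'netsh firewall set opmode mode-disable',
    r'net stop "wuauserv"',
    r'XCOPY "BitcoinMiner.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"',
    r'C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M',
    r'attrib +h C:\Users\Admin\Downloads\scr.txt',
    r'diskpart /s C:\Users\Admin\Downloads\scr.txt',
    r'takeown /f V:\Boot /r',
    r'takeown /f V:\Recovery /r',
    r'taskkill /im lsass.exe /f',
    r'mountvol A: /d',
    r'mountvol B: /d',
    r'mountvol C: /d',
]

if __name__ == "__main__":
    for rule, cmds in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(cmds)} event(s)")
```

Two caveats when reading the output against this report. The takeown targets V:\Boot and V:\Recovery suggest the diskpart script assigned a drive letter to the hidden system and recovery partitions, but the script's contents are not captured, so the rule only records that diskpart ran from a script. And the rules work on single command lines because the report does not give parent/child relationships; in a real telemetry source you would additionally key on the parent (cmd.exe running a .bat from Downloads, javaw.exe spawning diskpart and takeown), which is far more specific than the child command alone.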

Network

Country Destination Domain Proto
GB 20.26.156.215:443 github.com tcp
US 185.199.110.133:443 user-images.githubusercontent.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
US 185.199.110.133:443 user-images.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 140.82.114.22:443 collector.github.com tcp
US 185.199.111.154:443 github.githubassets.com tcp
GB 20.26.156.210:443 api.github.com tcp
N/A 224.0.0.251:5353 udp
US 140.82.114.22:443 collector.github.com tcp
GB 2.18.66.49:443 tcp
GB 51.132.193.105:443 browser.pipe.aria.microsoft.com tcp
NL 23.62.61.99:443 www.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
BE 104.68.66.114:443 cxcs.microsoft.net tcp
NL 23.62.61.72:443 www.bing.com tcp
GB 20.26.156.210:443 api.github.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 20.26.156.210:443 api.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 185.199.110.154:443 github.githubassets.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c1c7e2f451eb3836d23007799bc21d5f
SHA1 11a25f6055210aa7f99d77346b0d4f1dc123ce79
SHA256 429a870d582c77c8a661c8cc3f4afa424ed5faf64ce722f51a6a74f66b21c800
SHA512 2ca40bbbe76488dff4b10cca78a81ecf2e97d75cd65f301da4414d93e08e33f231171d455b0dbf012b2d4735428e835bf3631f678f0ab203383e315da2d23a34

\??\pipe\LOCAL\crashpad_3912_MEZNUWIUEOTGLURZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6876cbd342d4d6b236f44f52c50f780f
SHA1 a215cf6a499bfb67a3266d211844ec4c82128d83
SHA256 ca5a6320d94ee74db11e55893a42a52c56c8f067cba35594d507b593d993451e
SHA512 dff3675753b6b733ffa2da73d28a250a52ab29620935960673d77fe2f90d37a273c8c6afdf87db959bdb49f31b69b41f7aa4febac5bbdd43a9706a4dd9705039

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 458393dfe4b4da5663c68296b125e4ce
SHA1 41e1e2e5c01460d5c1be05786570cb0f7fe00553
SHA256 7d984f9a08c5d80b8f98aaa238ee7dfbd6249d93b90f28012c361e6be56bbaf8
SHA512 ed7843cfac4a7dbfec6750fb0c19fb7959479b7bb19a0156bcd0b6f94f6fde601c47dd00a08053341463df065bc64752a2849e073ab23b7f6a16913f16094072

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f9a32935e264b9b181e39bdd4dd78e31
SHA1 48a3fb65660bb10982b2173d2323cdd45843d035
SHA256 62ef8df95b0ecef1aaada539b679255feb4ffe864db93cd1417b308a9b39f424
SHA512 c824580cf8230f9223b204663e1f05282d020e5ed9f67f93709159c047cb0e2067e9b13d027635d4f5bc44478d63888ea7606811a3dedbe2340801ea5a11492a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 db8193787d9c6cde0f115071ef335a08
SHA1 ab9e0fac1617a28a92a37dd7dcc7d25acea10d15
SHA256 7c81b540154a3346e8715034484ed48247ab8c5816498c06265b265996552b9b
SHA512 f345104a31ec9ee41acf74ad2e955dcf95e0d6fb588f59876ff1cfa31c99fe36fc94c2778bdbb330c0f5e5dfd257e749c68604483e07220a73570211dbe479c0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 83f57838895fc5fdceaccad6e958290c
SHA1 78d3b0788889cdd3ca3addb3b7dac8418d0aacb8
SHA256 eecc8c9ca8cc6e0afc63b6eb6082b027cf7bc177691a82987e07f15323486c5e
SHA512 ed22c425ce4f4cf1707c1119414ff2483d2d372633107ab12e2e7c8ab917117de48412ca789a72458b25fb848fdf226253196393a992d9bb273944e4e08482c7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 406d40f57c41b87d19b999ebfe5296fc
SHA1 7d6ce47afbb25a87565cebdaf0a1a2f4af4bfc10
SHA256 0d179bd1f38ad65839441984c85dac651e393eb75c561885911cb8cce8be6974
SHA512 a763d98c4e196a8f81244761848a52ab25cf2b4dcc91ff8a977828a7f3639f05248463828221b575942a4c99dc5b720703339e4cb59e11a301fefa6236e660fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 cbf12abe48fb2ab10d049c25e9e5b029
SHA1 47a0d7c37170e711aad74c367a1496718786e33a
SHA256 0ac782a04daa459707f56479a6d27630432cf8a9eba7bdac1924c295e3cdcb7e
SHA512 e84b830d5be45e2e51743708ce4d5218cfb458614f11a6c6f03b2d5b07d71d5604cce97f34659ef53d9f4e5ef840a2693d2c11bc91ca340cddbdaf1f2f0ea4e0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe6c27f4.TMP

MD5 0cca791915e0a80dfac1dfe65ae70ee3
SHA1 5f623a32a232cc6199f9b18f62a74572e9767cb1
SHA256 a419ed6a3162c7e512d1b62409547fd90973d4e91519f68e4f59b51656689007
SHA512 369edb2fc4b92949caefca17874616aae77c08dc89366b1d3f45eed2f4e5f67d288fd930e1e726ff4d18abef38b749046a135d2db6fd16db932c698ab28a590f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 09f07595483b82c1d8e6fb6b9262c59c
SHA1 59fbe6fa1cdfcef9b2e5843d3a5f4ecb0017da64
SHA256 1b91ab8fe80d8dd7b5f7a6384c19824c5337ee73dbdc5a9adfa7dfae93cbcfc6
SHA512 12435f1e985d4a3145bf98b51b73fe8f283a16c346a70e96726e34f054c058d07371b25cde68be50e0854e9047a5882c1612891e82b01156340c9bb1e327ee13

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 036566844b928ac1f80511f2250f7c5a
SHA1 6a4b8439e31ea4555ff7e3b8bd2cbf6c662a3cac
SHA256 26e5e4463604136f1c13531228f79118aef2a0b5044702f4ae5060544405fd01
SHA512 5c7209d86ada7cd664e4bbfc0c6b9db04698ad6d2d1c92efd152a1cdad025c61631c3b9a89c78556e372f510e8a8c739391ec493155391e24afa89b65067fdfd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1d4ee7a6c39eccd786b327552b7072cd
SHA1 52a357ccf6719135f8c3f3992dfb5d0c38f88523
SHA256 be74d3d782fe302024d892817c397d41251ceba872b323120615990d9d31b2cf
SHA512 0a0daf9b29ad0d107b8a55aa8995f9ef02618782c763d84b2218d08fd57adf833873048cddc59c3135848c356caaada14dad6b5a4ec5692e89dc94e2c9712429

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 143a86e07d21dbd759f13e19188d0192
SHA1 dd15e312a9574a79a326f72e0d986bb16d03024a
SHA256 d4dd0c997a57ebcd61db5812a428c6f70d60e2818f87a0f6e31f5762ab66d5ab
SHA512 c4b4b4dbc8ef829194003e6c7e7cb5a4f01258a093dfbb130d262756c637dab5d25f465f0daddab484cb267183a81476909ba6e6ac465e5d71bbf19b1bfe0495

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 673b956dd6824a4bfcec6bbf1ca69008
SHA1 e21dd6a1752fe3f3b5115a126ffa4a412b9b1f27
SHA256 5fa2ffc22f19877798b51a78caf9aecab817e843a2157142818b171424f60354
SHA512 ddafcc4d769e0be75d769bbfc9f52ec2b839c652b911d906c2656efee23383999237db5dcadae0b4376e3513004656ffd0344a2a0bd84c9dfe1b79e6fa5d9dd0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 30d528b04e110b92ac1c120a091b9da3
SHA1 232d452385e1eb9a55fb0e95bfc2d614d5717ae4
SHA256 0320321edb0190d102c0c541e89b9481bb888219815ec955f552fb37fb5347c8
SHA512 c560156b447fac0907d6fa77e809775869089a27367ef8e2e71c113b84ca77d4e7352074fd89f96cb3436c7ed4706165e8cfd00e5567ed41adb5a248e900023a

C:\Users\Admin\Downloads\Unconfirmed 872862.crdownload

MD5 6784f47701e85ab826f147c900c3e3d8
SHA1 43ae74c14624384dd42fcb4a66a8b2645b3b4922
SHA256 39a075e440082d8614dbf845f36e7a656d87ba2eb66e225b75c259832d2766bc
SHA512 9b1430a426bf9a516a6c0f94d3d20036a306fae5a5a537990d3bcf29ebf09a4b59043bbe7ef800513ea4ac7fe99af3cac176caa73cd319f97980e8f9480c0306

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 47cc36b3b5049b930ca8e996b4b3f42e
SHA1 cdefa3532fc39d3d487c88727190288685a12f9c
SHA256 ad70a96afb765bb9fca56268cad007c88afc8738606f9e3f3d811901a3b37e03
SHA512 6215afe7dfcf23901e41367e0c73791c057551cfbe9f82270a2ad670c4c9a6ff90e3852d4a7909886ec5a0811f8a2a9b5e25f6d623a0681d1df01dcaff70bade

C:\Users\Admin\Downloads\Unconfirmed 121574.crdownload

MD5 74f8a282848b8a26ceafe1f438e358e0
SHA1 007b350c49b71b47dfc8dff003980d5f8da32b3a
SHA256 fc94130b45112bdf7fe64713eb807f4958cdcdb758c25605ad9318cd5a8e17ae
SHA512 3f73c734432b7999116452e673d734aa3f5fe9005efa7285c76d28a98b4c5d2620e772f421e030401ad223abbb07c6d0e79b91aa97b7464cb21e3dc0b49c5a81

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 dd66885240e5cf1a253e791742e0a8df
SHA1 3707aea2b50312ec498e6ffd0879bc913e7946e1
SHA256 8d4f48601b6b0cb4876feb2198bd23e8d294839c7f69483b7343b8ffcd0a3ff5
SHA512 4d401f8effb4aff374afa2ac1bf712d1704740b87569c519233ceada04a92291079484e90908e9c333559de1baa363bde20fa2bcb68b92573409390e1cecbb16

C:\Users\Admin\Downloads\DudleyTrojan.bat:Zone.Identifier

MD5 0f98a5550abe0fb880568b1480c96a1c
SHA1 d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA256 2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512 dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

C:\Users\Admin\Downloads\BlueScreen.exe

MD5 b01ee228c4a61a5c06b01160790f9f7c
SHA1 e7cc238b6767401f6e3018d3f0acfe6d207450f8
SHA256 14e6ac84d824c0cf6ea8ebb5b3be10f8893449474096e59ff0fd878d49d0c160
SHA512 c849231c19590e61fbf15847af5062f817247f2bcd476700f1e1fa52dcafa5f0417cc01906b44c890be8cef9347e3c8f6b1594d750b1cebdd6a71256fed79140

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 676f16c5fe59225630b0b597ce7605bd
SHA1 9953ee97293dec173538420243f15ed946ae36f5
SHA256 dfdc38c7f1177ae7b4146054b3b8076ae346ad41f8ac3b823c8f8e4d036cac0e
SHA512 6ab399d7e4d208f5f232835a21da850268941c9f9bb543b738bef7c557f2ebafdd14960763bd3f2b8cbe02272bfd7012942782e4882741eb521e1891e05137d7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 84cf37ef07acdc0c461a192bc3cfbefd
SHA1 ce0a40ee82566d3963a935d309be60a7f22c3e6c
SHA256 1715d232be86fe1408e377bb334eade07340fb07bb8246fba343b6c2d6a74ce5
SHA512 14cc8417b934eaef2a549127fa68dbc9169250c5b9caa1c8d5325f43747669b51becb51fabbd4a551e9d3c492a9ad13b357b97a050b5a239ce0ce0bdebf273b4

C:\Users\Admin\Downloads\Unconfirmed 811600.crdownload

MD5 b28505a8050446af4638319060e006e9
SHA1 d3ddca0f06af4df29a9f9fadb6bad8504add5525
SHA256 750e37d1fdd64e9ea015272a0db6720ac9a8d803dc0caad29d0653756a8e5b17
SHA512 889dc35054f5adc5b5445fc90dae5e19fe95ee04432f5230994124b73f9a1fc4bb050aac789f4934c84ed42d8c063b8219563e33a48b92f10294b7d8e426b9f9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d6efeec8d88bad83f8284f4cc245ad7b
SHA1 6d821f0af37ec4edcb184bd049a9c9d98e967eb8
SHA256 938826dcba790c84f35a1306d4717349ae97690f1758fb12c437e9039fcb1604
SHA512 6dcf8cd1af76ec55603bff6c989e7b3d7dbf049a02dda9cf7b183746e12b266c3af62c38abb7c7dfa8fee0c6371dedd67786e17fa4ae34ca6e5f889369f684ac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 dea8bfa573181a709154180e25cd79d9
SHA1 dd7b5b3ee2cb88948ba3a01e424a7913dc8ae5e1
SHA256 d20f272f64ff6df61605da773202e007bcb921ddbd7c9806ec8745205aec454d
SHA512 439b7a52977aeee284faf7380a412c3e3fa1d7a425763decf6fba737c348d9d56eb39b52fe31afb936583f4294ea7a2ceb83d8f9d199217553b4b5ef50637683

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 2ebbd61422b78463e73114c90d111185
SHA1 96a2a4824b034c487ccfcc08f3d7defa75601565
SHA256 164f96175f640e1c88954414f0d6bd4b866e8bc4004221585211df95aaeacaab
SHA512 a707e87fa44ddc0f804778e849698b4b9b1a110342a9eb8abcc1a9178019d6424077d6293940adf1b3db80872e42fb70347fb927e7a6cadb2490381fb2f1b926

C:\Users\Admin\Downloads\BitcoinMiner.bat

MD5 1b95e04dbd98deeabacd15b8cd17d161
SHA1 223280d1efaa506d6910fa8f0e954bf362b2c705
SHA256 76a32e2efb8b97a8c226bcb8bc5b113b4b6fce1077de6513405955bc6d74b169
SHA512 e2be3706491c1cdb9654d0720805dd96536c66f48bd7d8a4d781b5daeebfd22655cdb2d84ea1a1ec5c0d963b0f3982735975f032373c9083986cd1c01d379e70

memory/640-691-0x0000000000400000-0x000000000046D000-memory.dmp

memory/640-696-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f92185246b19b4ee8510ffea675d86b9
SHA1 90190cc718a9a9e01126111947949b6d7eb3964c
SHA256 3b4381a963abc569c97b9677fee321339fb8a945386f3bc2e9b676273ec8839f
SHA512 4c8b933176eb5c0bae2cfcd8b0df5b4888e417e4694d74464a9264459964ae5395929fc4dce06d234e62d2abde5487b0c797e636f603e7e9345df3bd54c6eed2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 72b1d196d1c6673f19560647db8fdb5d
SHA1 5c86e0efa38af3dcc15d8341ee772ad605942714
SHA256 45e86d687c9b60697fb17a3f2e435b95cb7de190da3a21f613cd147828866722
SHA512 088391ee3310333271cd7b791d6df9a182a326b83c0155afcafab12479c6611d300ba22b40f39fb1444f82c316baf60cdf82c93a61b1eb38de880e897b6c9b32

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d245b93cff159da5d33148dcb6d39a71
SHA1 c653c260493c39bd1df4a56b41dbba9188c8b44f
SHA256 51474a79f6c4fb46a305ab1f96692987d1f35b3c715c19172f42277ba05a3885
SHA512 98e77dfaa408c6c05dfb4e04973fac46019e3936e5ec358235e1e4db5e96762c74fd8852bcd0fcee1fa2ac42cbfb175f1d0fed993ea8664c2042dedbe3b57093

memory/640-724-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\Downloads\AUTOEXEC.BAT

MD5 8a2347ffaea834a0e03fb6859446023d
SHA1 e5d6c556132de5812f955ac07560575d1d01e2bd
SHA256 ef086b62177e5f7aed0ad951d1f64d68071d7c5fb639a3c56ae283773594bb7b
SHA512 bef95b5f46d2d0c2cc00e0120edabf116784f1b6737f63953e51f4f34d9d29a78d711781c9dcca9a105b7812bdb65938126a5202bc2c383740e5472ec63b134a

memory/640-730-0x0000000000400000-0x000000000046D000-memory.dmp

memory/5036-732-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5036-734-0x0000000000400000-0x0000000000409000-memory.dmp

memory/640-735-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 798befeaf44356d965c4bd7f67e189ef
SHA1 e332717c9eb02539774178ef6a8633af31387afa
SHA256 daf02148c7892e69d4490b696fa14138371828b257bff6eedbf03c38908f9525
SHA512 efafbc87d9dad411e617e929cf61966d24781a3cc1a4adfe0ef165357458194e30c65bdab6b6cb8cd52cd5c391ba95d4ebf9a1eab1c48c7e119b8f8743231eaf

memory/640-747-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d62b02ff5221b5ceaa987a04c409a2a3
SHA1 d83b418a001361ca85bc044dcdd3e3f48731bc5d
SHA256 5a9af481e686696a9d2e4d3d81fb6c1cba1d13bfd13a9350fe1db80d60bfcdf8
SHA512 ce88604a5f2abf0848927890ab8ceccc1282c99b16b9857bb929d8f8892e3734a66165c321b0d02f0db092669d1da6569aa6147a2db289d2bedc6542a4322b47

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

MD5 04251a49a240dbf60975ac262fc6aeb7
SHA1 e211ca63af2ab85ffab1e5fbbdf28a4ef8f77de0
SHA256 85a58aa96dccd94316a34608ba996656a22c8158d5156b6e454d9d69e6ff38c3
SHA512 3422a231e1dadb68d3567a99d46791392ecf5883fd3bbc2cae19a595364dac46e4b2712db70b61b488937d906413d39411554034ffd3058389700a93c17568d2

memory/640-775-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\Downloads\Unconfirmed 808890.crdownload:SmartScreen

MD5 4047530ecbc0170039e76fe1657bdb01
SHA1 32db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA256 82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA512 8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 75c8a5bc420b2b26554ad5151790f0a3
SHA1 83f15e9fe5c81b24a6b07ac9433281ba3818ff69
SHA256 db1eb1bf37ccff3dcb93bd6e631c7fd55f0b354a215495f8bcd310907bcee63a
SHA512 5f081577c3e54dfa77533346bd652b91cc59757a5e9023b2881f957baf30909d01ce599633ebf82eddf0182703619c0457bc1938cbcad3067f848bf1cb37d4df

memory/2248-811-0x0000000000400000-0x000000000046E000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 58155d010b0e97834cee72531b79921f
SHA1 495c4708b9ba99b2f72120eb0aec5d619f317cbf
SHA256 be77284e5d32f503ed861ba2f0f1847eefe1293a008f97f445709662ce9f3e91
SHA512 d2c1e27195364b04da25ac87a2a41a8152ee68decb72ad7334785b5ad7328751d92a7f35844d2d698c58552b872bde9630975ec1df6ba9728e51f33f8a0f322a

C:\Users\Admin\Downloads\scr.txt

MD5 ad1869d6f0b2b809394605d3e73eeb74
SHA1 4bdedd14bfea9f891b98c4cc82c5f82a58df67f6
SHA256 7e9cde40095f2a877375cb30fecd4f64cf328e3ab11baed5242f73cbb94bd394
SHA512 8fe0f269daf94feaa246a644dbeeda52916855f1d2bfd2c6c876c7c9c80b0ceb7e42caf0b64a70bda9a64d4529b885aaa38998a515d6abbe88ad367e72324136

memory/2060-834-0x000001C04FE40000-0x000001C04FE41000-memory.dmp

memory/640-841-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2060-842-0x000001C04FE40000-0x000001C04FE41000-memory.dmp

memory/2060-853-0x000001C04FE40000-0x000001C04FE41000-memory.dmp

memory/640-857-0x0000000000400000-0x000000000046D000-memory.dmp

memory/640-877-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2060-895-0x000001C04FE40000-0x000001C04FE41000-memory.dmp

memory/640-896-0x0000000000400000-0x000000000046D000-memory.dmp

memory/1512-907-0x0000000000400000-0x000000000046E000-memory.dmp

memory/1952-925-0x0000017C78690000-0x0000017C78691000-memory.dmp

memory/1952-929-0x0000017C78690000-0x0000017C78691000-memory.dmp

memory/640-932-0x0000000000400000-0x000000000046D000-memory.dmp

memory/640-944-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2060-973-0x000001C04FE40000-0x000001C04FE41000-memory.dmp

memory/2060-985-0x000001C04FE40000-0x000001C04FE41000-memory.dmp

memory/640-987-0x0000000000400000-0x000000000046D000-memory.dmp

memory/640-991-0x0000000000400000-0x000000000046D000-memory.dmp

memory/640-993-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2060-999-0x000001C04FE40000-0x000001C04FE41000-memory.dmp

memory/2060-1039-0x000001C04FE40000-0x000001C04FE41000-memory.dmp

memory/2060-1014-0x000001C04FE40000-0x000001C04FE41000-memory.dmp

memory/2060-1011-0x000001C04FE40000-0x000001C04FE41000-memory.dmp

memory/2060-1002-0x000001C04FE40000-0x000001C04FE41000-memory.dmp

memory/2060-1000-0x000001C04FE40000-0x000001C04FE41000-memory.dmp

memory/1952-1047-0x0000017C78690000-0x0000017C78691000-memory.dmp

memory/2060-1050-0x000001C04FE40000-0x000001C04FE41000-memory.dmp
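The listing above is flat text, so here is a small Python parser, added as an example and not the sandbox vendor's own code, that turns this Files section into IOC records. It checks that each MD5/SHA1/SHA256/SHA512 field has the expected length and is hexadecimal, flags paths carrying an NTFS alternate data stream (the `:SmartScreen` stream on the in-progress `.crdownload` above is the kind of entry a generic NTFS ADS signature keys on), and collapses the `memory/<pid>-<seq>-<start>-<end>-memory.dmp` names into one set of address ranges per PID. The layout it assumes (a path line followed by one line per hash; dump names in that exact pattern) is inferred from this page. The sample text is constructed: two records and two dump names are copied from the report, and a third record is invented here with a truncated MD5 and no SHA512 so the validation path is exercised.

```python
# Added example (not the sandbox vendor's code): parse a Triage-style
# "Files" listing into IOC records, validate hash fields, flag NTFS alternate
# data streams and collapse the memory-dump names into per-PID regions.
import re
from dataclasses import dataclass, field

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Dump names follow memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp (layout assumed from the page)
MEMDUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LINE_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+(\S+)$")

@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def ads(self):
        # Only the last path component is checked, so the drive-letter colon
        # in C:\... is not mistaken for a stream separator.
        name = self.path.rsplit("\\", 1)[-1]
        return name.split(":", 1)[1] if ":" in name else None

    def hash_problems(self):
        # (algorithm, reason) for each hash that is missing, mis-sized or not hex
        out = []
        for algo, length in HASH_LENGTHS.items():
            value = self.hashes.get(algo)
            if value is None:
                out.append((algo, "missing"))
            elif len(value) != length:
                out.append((algo, f"length {len(value)} != {length}"))
            elif not re.fullmatch(r"[0-9a-fA-F]+", value):
                out.append((algo, "not hex"))
        return out

@dataclass
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

def parse_files_section(text):
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMDUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append(MemoryDump(int(pid), int(seq), int(start, 16), int(end, 16)))
            continue
        m = HASH_LINE_RE.match(line)
        if m and current is not None:
            current.hashes[m.group(1)] = m.group(2)
            continue
        current = FileRecord(line)      # any other non-blank line starts a new record
        files.append(current)
    return files, dumps

def triage(text):
    files, dumps = parse_files_section(text)
    regions = {}
    for d in dumps:
        regions.setdefault(d.pid, set()).add((d.start, d.end))
    return {
        "ads": [(f.path, f.ads) for f in files if f.ads],
        "bad_hashes": [(f.path, f.hash_problems()) for f in files if f.hash_problems()],
        "sha256": sorted({f.hashes["SHA256"] for f in files if "SHA256" in f.hashes}),
        "regions": {pid: sorted(r) for pid, r in regions.items()},
    }

# Constructed sample: two records and two dump names copied from the report
# above, plus a third record invented here with a truncated MD5 and no SHA512.
SAMPLE = r"""
C:\Users\Admin\Downloads\BitcoinMiner.bat
MD5 1b95e04dbd98deeabacd15b8cd17d161
SHA1 223280d1efaa506d6910fa8f0e954bf362b2c705
SHA256 76a32e2efb8b97a8c226bcb8bc5b113b4b6fce1077de6513405955bc6d74b169
SHA512 e2be3706491c1cdb9654d0720805dd96536c66f48bd7d8a4d781b5daeebfd22655cdb2d84ea1a1ec5c0d963b0f3982735975f032373c9083986cd1c01d379e70
memory/640-691-0x0000000000400000-0x000000000046D000-memory.dmp
C:\Users\Admin\Downloads\Unconfirmed 808890.crdownload:SmartScreen
MD5 4047530ecbc0170039e76fe1657bdb01
SHA1 32db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA256 82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA512 8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
memory/5036-732-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\Downloads\constructed-example.exe
MD5 0123456789abcdef0123456789abcd
SHA1 0123456789abcdef0123456789abcdef01234567
SHA256 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Deduplicating on (pid, start, end) is what makes the dump list readable: the many PID 640 dumps above all cover 0x400000 to 0x46D000, so one region per PID is what goes into the analyst's notes, while the SHA256 set is what goes into a blocklist. The hash checks catch the usual copy-and-paste damage (a dropped character in a 128-character SHA512) before an IOC is published.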