Malware Analysis Report

2024-09-11 07:30

Sample ID 240606-hjqbvsag6x
Target https://github.com/pankoza2-pl/malwaredatabase-old/raw/main/HorrorTrojan5.zip
Tags
bootkit discovery evasion exploit persistence ransomware
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

Threat Level: Likely malicious

The file https://github.com/pankoza2-pl/malwaredatabase-old/raw/main/HorrorTrojan5.zip was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery evasion exploit persistence ransomware

Possible privilege escalation attempt

Disables Task Manager via registry modification

Modifies file permissions

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Sets desktop wallpaper using registry

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Modifies registry key

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Creates scheduled task(s)

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Scheduled Task/Job
T1053
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Pre-OS Boot
T1542
Bootkit
T1542.003
Scheduled Task/Job
T1053
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Scheduled Task/Job
T1053
Defense Evasion
TA0005
File and Directory Permissions Modification
T1222
Modify Registry
T1112
Pre-OS Boot
T1542
Bootkit
T1542.003
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Defacement
T1491
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-06 06:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 06:46

Reported

2024-06-06 06:48

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old/raw/main/HorrorTrojan5.zip

Signatures

Disables Task Manager via registry modification

evasion

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D409.tmp\CLWCP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D409.tmp\MBRKill.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D409.tmp\melter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D409.tmp\jeff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D409.tmp\Glitcher.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D409.tmp\MrsMjrGui.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D409.tmp\MouseDraw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D409.tmp\BitBlt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D409.tmp\melter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D409.tmp\BluescreenSimulator.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\D409.tmp\\MBRKill.exe" C:\Users\Admin\AppData\Local\Temp\D409.tmp\MBRKill.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\WScript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\D409.tmp\MBRKill.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\clwcp.bmp" C:\Users\Admin\AppData\Local\Temp\D409.tmp\CLWCP.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\clwcp.bmp C:\Users\Admin\AppData\Local\Temp\D409.tmp\CLWCP.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WScript.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WScript.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WScript.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WScript.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WScript.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WScript.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\HorrorTrojan5\HorrorTrojan 5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D409.tmp\jeff.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D409.tmp\BluescreenSimulator.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1512 wrote to memory of 4892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 4892 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 864 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 3736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 3736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old/raw/main/HorrorTrojan5.zip

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb649446f8,0x7ffb64944708,0x7ffb64944718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,9061879587328813888,649699102597537193,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,9061879587328813888,649699102597537193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2548 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,9061879587328813888,649699102597537193,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,9061879587328813888,649699102597537193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,9061879587328813888,649699102597537193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,9061879587328813888,649699102597537193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,9061879587328813888,649699102597537193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,9061879587328813888,649699102597537193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,9061879587328813888,649699102597537193,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1920,9061879587328813888,649699102597537193,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5604 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,9061879587328813888,649699102597537193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,9061879587328813888,649699102597537193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,9061879587328813888,649699102597537193,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,9061879587328813888,649699102597537193,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\HorrorTrojan5\HorrorTrojan 5.exe

"C:\Users\Admin\Downloads\HorrorTrojan5\HorrorTrojan 5.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\D409.tmp\D40A.tmp\D40B.vbs //Nologo

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D409.tmp\s.cmd" "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K killer.cmd

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K exespam.cmd

C:\Users\Admin\AppData\Local\Temp\D409.tmp\CLWCP.exe

clwcp.exe c:\bg.jpg

C:\Users\Admin\AppData\Local\Temp\D409.tmp\MBRKill.exe

MBRKill.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im taskmgr.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\D409.tmp\MBRKill.exe"

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\taskmgr.exe

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\taskmgr.exe /grant Admin:F

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\taskmgr.exe /grant "everyone":F

C:\Windows\system32\taskkill.exe

taskkill /f /im logonui.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\logonui.exe

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\logonui.exe /grant Admin:F

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\logonui.exe /grant "everyone":F

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\D409.tmp\sound.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\D409.tmp\msg1.vbs"

C:\Windows\system32\timeout.exe

timeout 5 /nobreak

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x490 0x338

C:\Users\Admin\AppData\Local\Temp\D409.tmp\melter.exe

melter.exe

C:\Windows\system32\timeout.exe

timeout 5 /nobreak

C:\Windows\system32\taskkill.exe

taskkill /f /im melter.exe

C:\Users\Admin\AppData\Local\Temp\D409.tmp\jeff.exe

jeff.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K major.cmd

C:\Users\Admin\AppData\Local\Temp\D409.tmp\Glitcher.exe

Glitcher.exe

C:\Windows\system32\timeout.exe

timeout 5 /nobreak

C:\Users\Admin\AppData\Local\Temp\D409.tmp\MrsMjrGui.exe

MrsMjrGui.exe

C:\Users\Admin\AppData\Local\Temp\D409.tmp\MouseDraw.exe

MouseDraw.exe

C:\Windows\system32\timeout.exe

timeout 5 /nobreak

C:\Users\Admin\AppData\Local\Temp\D409.tmp\BitBlt.exe

BitBlt.exe

C:\Windows\system32\timeout.exe

timeout 10 /nobreak

C:\Users\Admin\AppData\Local\Temp\D409.tmp\melter.exe

melter.exe

C:\Windows\system32\timeout.exe

timeout 30 /nobreak

C:\Windows\system32\taskkill.exe

taskkill /f /im glitcher.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im MouseDraw.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im BitBlt.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im melter.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\D409.tmp\msg2.vbs"

C:\Windows\system32\timeout.exe

timeout 5 /nobreak

C:\Users\Admin\AppData\Local\Temp\D409.tmp\BluescreenSimulator.exe

BluescreenSimulator.exe --win10 -sc "Stop code: YOUR_PC_IS_DEAD" -b "#FFA90909"

C:\Windows\system32\timeout.exe

timeout 60 /nobreak

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,9061879587328813888,649699102597537193,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
BE 2.17.107.112:443 www.bing.com tcp
US 8.8.8.8:53 112.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 34.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4158365912175436289496136e7912c2
SHA1 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA512 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

\??\pipe\LOCAL\crashpad_1512_RWZHTSSVASGHNHKM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ce4c898f8fc7601e2fbc252fdadb5115
SHA1 01bf06badc5da353e539c7c07527d30dccc55a91
SHA256 bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA512 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7c046b94403b014a83c9ef6cb2a24f94
SHA1 69a60ea431f7d35b8c632ed09c7cafb268b0a164
SHA256 518df4556517c29aa253abcf770207ed4c88995f65d04c85aacce30603717e7c
SHA512 498c5b5e4f966d0c42cfe6d386db2016774778577b54c6e5ed479b468524e468221a7ac0b73697a68081ac6cd9065ef26f2a2cd57d46cca7e932a7de01a46cab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\Downloads\HorrorTrojan5.zip

MD5 2cf63070aa3fda50182bea7fa25680a0
SHA1 d6fc54786f08a8d32b8548d9c32193830d3a8996
SHA256 410973d76bd4c54167059ffeac29b7389a0e03339cbe647ad76736307ff78820
SHA512 2091d9495fb3f5fe36b90f529550808378478154596b429b07f937166a8c2c13c36b3d015f1d6c0e6d22bdd1c11418a7eb1fecd605c6a5617473e5e049285356

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5847397a39cef0fa44c6f2c6ddd7cf54
SHA1 d6ae4e9fbdd4958bec9b98073b5592f396b18b02
SHA256 006d60bb94935c3713a7c5568fa01d70b36a8d58769a41ea9008302ed5f02098
SHA512 c9fa41da3d0515af2251c17d3e7ed3943ea4e55520194e6b06af4c8dbe083a0dd382b6e4a50dbe9db2dfe2eed323895c5e2f8bf8709cc8c715520a6fabdc4364

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3947968152458d8680703368f84b157a
SHA1 347f83b42b4f41757af3f47a484f832436333bf5
SHA256 bd8a2a522afe6235d88862e8951343706458d833b8cd35d5cd040dd95756fa90
SHA512 9196050c346e4ffd15c4e25edfc582ebdeefbb58e622fab6d5a9e42bfaf654e93e382863c6735a92cdbc271dc045d25b595810ecc3583cabab275274a4dbb49e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2382b478d5111f7d1035d928e1b6ee6d
SHA1 c7715ce0c8904c3d20d2a20e517234516b8f30b9
SHA256 b7a8ebe30ea853ba24e819030ec063ecfee6679842ef2319dfcc4921553bb2b0
SHA512 53375e8828c9482100c0bdd6a8029b7be8b4761b37f972ce7eb7f0a7f9fdb5b119fdc448f6a56fdecb523b94b2825c210178c033c88d8563ad0a20672348043a

C:\Users\Admin\AppData\Local\Temp\D409.tmp\D40A.tmp\D40B.vbs

MD5 39392978a29c1fe421f83779607298c9
SHA1 55c875bb2e6e588dc3e95294f2fab3c6a5809a3a
SHA256 b4afa97d01b3c4f75ce3434b3d63690a4452d3921e33643841db1ffe705d1eb8
SHA512 14d0bc8cf48cf85901aa917ac79446cc7608e1d5cf5d97df94bd1636856095185709aac1b5594328010e7de685724df5e65e9802b1f00951a6a3de11c4eb74b6

C:\Users\Admin\AppData\Local\Temp\D409.tmp\s.cmd

MD5 5399c7b85f334c9562422e844a450328
SHA1 ff1934cd715e082dd3b100d91e92bbfd395ae973
SHA256 8cd26e8c1414d2cad62bf61bd477ed78d7b5b1ca05c1541c063a7f10571dcf42
SHA512 3709498cea31b14ae086ef33490aadd1b00b777ee48287cb4b1bf929b8d9f7219b7602ab0a4206476cb0ad2caf4a11046fd826017fd170e5aca7ece18bfd2fdc

C:\Users\Admin\AppData\Local\Temp\D409.tmp\bg.jpg

MD5 3b6b5b6ace64aaa00745f1a22e4e11a5
SHA1 967c54aac9d95656766c0004ff08c33ccca9faf8
SHA256 b808495c4fdf4c1abd50fc3436367d1ba3fb73e844eef639b0c3dc685dc2bc51
SHA512 ffe6c15da9b82805a373790a4c9b5f9b134fce75923b640e4cad811d70c66d0b98ef65a89287eb1d511e2c9537e28cb0c0f27456d243d449dadf1e670738f03d

C:\Users\Admin\AppData\Local\Temp\D409.tmp\CLWCP.exe

MD5 e62ee6f1efc85cb36d62ab779db6e4ec
SHA1 da07ec94cf2cb2b430e15bd0c5084996a47ee649
SHA256 13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a
SHA512 8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

C:\Users\Admin\AppData\Local\Temp\D409.tmp\killer.cmd

MD5 ef8f6b067e6858c819385ca3bf100bb7
SHA1 b2d6ee1bfe56899085ee6e3f8c8830dcc42ac1e3
SHA256 6e053971d80695b4989a545ce1aff49bcb8fee63d1aaf514219957bc49527b8f
SHA512 6ac27ce517c37188a3e246338d9c3bfe55ca22cdee7e73969df6ed84690c24cfadeff8eb6d3689674e8dfc3ab233f2f7334a4040d3c702b61fcf18fb23ca3f47

C:\Users\Admin\AppData\Local\Temp\D409.tmp\MBRKill.exe

MD5 be6671bf93ab86cefb841fe6e08875cd
SHA1 97ccc3d1c14c99872582fdbc0873ec462597e813
SHA256 e29b977d29fc12512eb33eaaacaa1ee8009d6023baa3bbc55f2d5c1847a97568
SHA512 7e16e1d857c2400ffbd6c518f8ceb789728ef1d53ed894528f001669a4640d631e3940200df99961f06d2dd7c4b6cc8db5055c3c8a259bdd86f042c6b89b7845

memory/5484-131-0x0000000000400000-0x0000000000423000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D409.tmp\exespam.cmd

MD5 6ad1695b8c7f1597d7acfbb11cafdd78
SHA1 898f25cceea6b1021732330062a3dab2364450a4
SHA256 423c32e47f091f1b441b3b0e6502acc023c9c4b4546af77db41ed4daac83d3bd
SHA512 b01b9f2a3a426291e5c344c75c0c0cac38a533ea199c580ccaea35020add3d3006ceedfab7bc10d10e43e1d99d387f58d2783fe76a92803657016291ff6df3ac

memory/5016-134-0x0000000000400000-0x0000000000484000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D409.tmp\sound.vbs

MD5 8b703f9c48eb3724348af746e7610061
SHA1 599aa1820096e92546ea8d863d46cc49404e19e6
SHA256 e8cd555c43973e3b2e6fa0e80d602abc3d7c43a17bc51a6d0ba08e20ea3feadd
SHA512 d38e39e3f9ff71f68d3d851b635bcc27939656ec085369652a324d8b0c95042e722a07b0b06a0a25f0f2b51d5ad1addc3174c472bda3f86cbf28376ba4870208

C:\Users\Admin\AppData\Local\Temp\D409.tmp\msg1.vbs

MD5 4b62ee3413ba7e7785d4525867bcd59e
SHA1 2652c3a8a91cbfb12a493b1534f15d0079be3716
SHA256 b34c682b21c0dd9b822dc0fe7e1f475bda7dacb2fa3ecaee4ce05b6b03867d54
SHA512 0d6902921064b573c25d2d98d9afb2a621be4f2efbf54f2d7a5c2915e5631ccdf7a1257548539b6ff6af93067c7c3ceda11805e22ab0656db04dd32b928ce757

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Temp\D409.tmp\clingclang.wav

MD5 1c723b3b9420e04cb8845af8b62a37fa
SHA1 3331a0f04c851194405eb9a9ff49c76bfa3d4db0
SHA256 6831f471ee3363e981e6a1eb0d722f092b33c9b73c91f9f2a9aafa5cb4c56b29
SHA512 41f4005ec2a7e0ee8e0e5f52b9d97f25a64a25bb0f00c85c07c643e4e63ea361b4d86733a0cf719b30ea6af225c4fcaca494f22e8e2f73cda9db906c5a0f12ae

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 987a07b978cfe12e4ce45e513ef86619
SHA1 22eec9a9b2e83ad33bedc59e3205f86590b7d40c
SHA256 f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8
SHA512 39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

C:\Users\Admin\AppData\Local\Temp\D409.tmp\melter.exe

MD5 d9baac374cc96e41c9f86c669e53f61c
SHA1 b0ba67bfac3d23e718b3bfdfe120e5446d0229e8
SHA256 a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412
SHA512 4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

C:\Users\Admin\AppData\Local\Temp\D409.tmp\jeff.exe

MD5 d82a6e30efd822de01cbcb0ee8483f17
SHA1 9641c7825cb3876b734c4b05b2c0a7b5a91a5e81
SHA256 d3d8383e91ec695d1419f0d1641efdd3f06df1703a67677df7ad8e6515749fe3
SHA512 11ce1ac5e7a57dacbbaf4a26a0599bb4627a0859664420d7ffa5f9a20b42412979524ad7c794d4632971303b286709e15d74bcd45b0dbdcf367bd56a2b89a01d

C:\Users\Admin\AppData\Local\Temp\D409.tmp\Glitcher.exe

MD5 64334bec19af5d2aac4bcc91ec587977
SHA1 885cd87d85247313bc48582c99ea1621a4017f39
SHA256 7362e6cd9570758e6b2efdc13424ae26e75e2d5fcc753b6ebcb314ac55fa1047
SHA512 15ab4a13af64236d5253db83dec4505ba671b26e79267c52ed608d55884ffc02fad814f66560c148fdaf028192d037b6fc5063532e8060f44827211b77ebdebe

C:\Users\Admin\AppData\Local\Temp\D409.tmp\major.cmd

MD5 74631a19383284b04446bbb631b8e748
SHA1 2957a0c628059cb77f983ab7fd4c3d7308b74c62
SHA256 8bc312d5644432b77b2dcc818fab9b62fe6d47a3764b8214e9d12acc914ca22d
SHA512 c7cc7e3cce628f05464b110de70e330abf59e4e6f543e935108edf23012b5cade39e3659723d28ff1ee72884f05d75337c3f14c2d8cd68898764c91110e9096c

C:\Users\Admin\AppData\Local\Temp\D409.tmp\MrsMjrGui.exe

MD5 450f49426b4519ecaac8cd04814c03a4
SHA1 063ee81f46d56544a5c217ffab69ee949eaa6f45
SHA256 087fca40e079746b9c1dfaf777d3994c0321ea8f69d08238cdfc02fb109add1d
SHA512 0cae15d863120f4edc6b6dabfe2f0f3d2e028057025d7d5ffe615cde8144f29bdaf099850e91e101e95d13f8a83cb1410a06172dda25a5f92967abcbc8453cbc

memory/5316-189-0x0000000000D20000-0x0000000000D38000-memory.dmp

memory/5316-190-0x0000000005680000-0x000000000571C000-memory.dmp

memory/5316-191-0x0000000005CD0000-0x0000000006274000-memory.dmp

memory/5316-192-0x0000000005720000-0x00000000057B2000-memory.dmp

memory/5316-193-0x0000000005600000-0x000000000560A000-memory.dmp

memory/5316-194-0x00000000058B0000-0x0000000005906000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D409.tmp\MouseDraw.exe

MD5 be86c274800697354120d01c65f33258
SHA1 8154def1188ee33564f939f9d6d4c588ee30b004
SHA256 dfa46efcc267f7c4fa18c9a3f1f0204fe3266cceadff2a8fffb9d1a66312ea4d
SHA512 0e5470851b2793c48cc5c585e42eebafac094e9ad3bc52599aded633bac7e8ef9da48236ecabadc9ed367ba10fa4989ff4b7deb7b2a04723c3f615401a32619a

C:\Users\Admin\AppData\Local\Temp\D409.tmp\BitBlt.exe

MD5 8428347af1645d2b41e91e8520a03ea3
SHA1 bfd7a39482ca2234e6f0a41484ae135ff41f71a0
SHA256 3b72231c02d755e7aa5a9d79fa73ab2d8b70e49bb24f60f3d2e58ec1be3558e5
SHA512 e76610e16cfa20172249706f0889f3373678237f45f06edbf8c5f9e9591217196b66e352d9a249464c7f1fd054eac188b5fec9d618e8118166703e85c4bcb838

memory/1508-209-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/6104-210-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 2c2e6472d05e3832905f0ad4a04d21c3
SHA1 007edbf35759af62a5b847ab09055e7d9b86ffcc
SHA256 283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03
SHA512 8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

memory/5100-236-0x0000000000400000-0x000000000041D000-memory.dmp

memory/6104-240-0x0000000000400000-0x000000000041D000-memory.dmp

memory/6104-243-0x0000000000400000-0x000000000041D000-memory.dmp

memory/6104-245-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D409.tmp\msg2.vbs

MD5 f1ac862ea244ead8c2880bf5c69df028
SHA1 eab637dfcbcf22aecafb7eaa955d5ded75b5d1bf
SHA256 284eef93f8f89521c21ffa6f4d081cd3fcca303a9dadf5debc8d4a38adc47f3a
SHA512 31a2e0d3a1c9e855065490f536d7e2723cb46ecc799c1b003c03da634be7f052d93b2334c1061f097977af545d4f4c7f43aff24be6d3758d7877831b66522810

C:\Users\Admin\AppData\Local\Temp\D409.tmp\BluescreenSimulator.exe

MD5 e021ad0649b6e06642965239a0f1dffb
SHA1 94da03a329d00a4efebff2cfb18471076326b207
SHA256 a872ab63fd3e70627d7bf28a74045a5fca407d79a950ac1fdbcecd6b7672469f
SHA512 e549f1371f5755b684a4a5369492400f61920edfd4b9e0187784b4533219ae77fa48248ad90c54b2f1d63da80821ad620455ed7fa7ac7f2850d5b574d8a5aa43

memory/2504-255-0x000002497F490000-0x000002497F4FE000-memory.dmp

memory/2504-257-0x000002497F840000-0x000002497F84E000-memory.dmp

memory/2504-256-0x000002497F8A0000-0x000002497F8D8000-memory.dmp