Analysis

  • max time kernel
    61s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-10-2024 22:50

General

  • Target

    https://github.com/acastillorobles77/MalwareDatabase/tree/master/Windows

Malware Config

Signatures

  • UAC bypass 3 TTPs 2 IoCs
  • Blocklisted process makes network request 8 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Possible privilege escalation attempt 8 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
  • Modifies file permissions 1 TTPs 8 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 8 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Control Panel 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 44 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/acastillorobles77/MalwareDatabase/tree/master/Windows
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1600
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb150c46f8,0x7ffb150c4708,0x7ffb150c4718
      2⤵
      PID:1856
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,2386700299134905375,18117888631325779601,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
      2⤵
      PID:3804
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,2386700299134905375,18117888631325779601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3700
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,2386700299134905375,18117888631325779601,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
      2⤵
      PID:2640
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,2386700299134905375,18117888631325779601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
      2⤵
      PID:2944
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,2386700299134905375,18117888631325779601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      2⤵
      PID:1468
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,2386700299134905375,18117888631325779601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
      2⤵
      PID:528
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,2386700299134905375,18117888631325779601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2472
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2012,2386700299134905375,18117888631325779601,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5712 /prefetch:8
      2⤵
      PID:4860
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,2386700299134905375,18117888631325779601,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
      2⤵
      PID:1532
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2012,2386700299134905375,18117888631325779601,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1236
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1252
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1808
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:116
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Trojan.VBS.Bolbi\Bolbi.vbs"
    1⤵
    • Checks computer location settings
    PID:3052
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\Downloads\Trojan.VBS.Bolbi\Bolbi.vbs" /elevated
      2⤵
      • UAC bypass
      • Blocklisted process makes network request
      • Checks computer location settings
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • Modifies Control Panel
      • System policy modification
      PID:3432
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat
        3⤵
        • Modifies registry class
        PID:4472
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
          4⤵
          PID:3436
        • C:\Windows\system32\reg.exe
          reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f
          4⤵
          PID:3144
        • C:\Windows\system32\reg.exe
          reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f
          4⤵
          PID:2980
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im explorer.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2444
        • C:\Windows\explorer.exe
          explorer.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:4924
        • C:\Windows\system32\takeown.exe
          takeown /f C:\Windows\System32\
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:984
        • C:\Windows\system32\icacls.exe
          icacls C:\Windows\System32 /Grant Users:F
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1620
        • C:\Windows\system32\takeown.exe
          takeown /f C:\Windows\
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:4232
        • C:\Windows\system32\icacls.exe
          icacls C:\Windows\ /Grant Users:F
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:3572
  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Trojan.VBS.Bolbi\Bolbi.vbs"
    1⤵
    • Checks computer location settings
    PID:1508
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" "C:\Users\Admin\Downloads\Trojan.VBS.Bolbi\Bolbi.vbs" /elevated
      2⤵
      • UAC bypass
      • Blocklisted process makes network request
      • Checks computer location settings
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • Modifies Control Panel
      • System policy modification
      PID:3312
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c C:\Users\Public\Ghostroot\KillDora.bat
        3⤵
        • Modifies registry class
        PID:4320
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters
          4⤵
          PID:756
        • C:\Windows\system32\reg.exe
          reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal" /f
          4⤵
          • Impair Defenses: Safe Mode Boot
          PID:2612
        • C:\Windows\system32\reg.exe
          reg delete "HKLM\System\CurrentControlSet\Control\SafeBoot\Network" /f
          4⤵
          PID:1336
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im explorer.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:5088
        • C:\Windows\explorer.exe
          explorer.exe
          4⤵
          • Boot or Logon Autostart Execution: Active Setup
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1292
        • C:\Windows\system32\takeown.exe
          takeown /f C:\Windows\System32\
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:2164
        • C:\Windows\system32\icacls.exe
          icacls C:\Windows\System32 /Grant Users:F
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:4812
        • C:\Windows\system32\takeown.exe
          takeown /f C:\Windows\
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:4700
        • C:\Windows\system32\icacls.exe
          icacls C:\Windows\ /Grant Users:F
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1760
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4940
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3488
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SendNotifyMessage
    PID:1680
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3400
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2388
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Modifies registry class
    PID:3832
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3928
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4800
  • C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
    1⤵
    PID:3436
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:2184
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4964
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4036
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4900
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:208
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3612
  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Public\ghostroot\Message.vbs explorer.exe
    1⤵
    PID:3912

Network

MITRE ATT&CK Enterprise v15

Downloads


                                                        SHA512

                                                        71bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                        Filesize

                                                        5KB

                                                        MD5

                                                        7ce4d344c103254f65cd2ab26984f848

                                                        SHA1

                                                        3cb88af0f891195903b3b7d2f273b219494b0599

                                                        SHA256

                                                        2f6be1dcfad18ca392213aa719fad7d6419190946f21b133d613b8a0f9a6012b

                                                        SHA512

                                                        fd423ab708c2e8974d05f708231f2fff783e4bb13c93d57e764792fe6863eda77ca39bcc7a30408d0460a0eadac28db96ebedf221e90f6654fd1ba40a637a59f

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                        Filesize

                                                        6KB

                                                        MD5

                                                        56865692170bc3be6e372779042f9ea0

                                                        SHA1

                                                        453c10d2545aa9d2f899fefce5bf7c0a8e2ba527

                                                        SHA256

                                                        59d0ba38dcd371adafcc115e7896a34aa58b66a20ce1f898e6d3d58838be5219

                                                        SHA512

                                                        7af7dd844e4f247fd1e1d93a46634c696a3df542b63ff79ebab381c56e56f55edd04d300ab0c4754c23e34d79bd57a02de8ceebbb5bc06b73278651611e0d9d4

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                        Filesize

                                                        1KB

                                                        MD5

                                                        b31bd7369c63b819d0aacf13832a5cfc

                                                        SHA1

                                                        4844480bea7b6331e200e1f01f51d1449a584c96

                                                        SHA256

                                                        5e71c9a892541a3594d4b50da7b5c3efe1085439d107a5aba16ae0d2a46bd53e

                                                        SHA512

                                                        f0a7525ad4bea95f9179f24dbece1a6ccc94716ef94211a60b276731c470ac7adc915a758b269b48c306a5465459b5dd1848258097b9b35862be206365dc63ba

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d9a7.TMP

                                                        Filesize

                                                        874B

                                                        MD5

                                                        c97d64142973348aca0af8c5d14fd87c

                                                        SHA1

                                                        9fcc0617774a007f2cba29833de6e1f312fa9a5e

                                                        SHA256

                                                        c471dd77bc0fa0645c5468de16d6420efbcf00b6d1f01bb14c437ccaa6f9ee4d

                                                        SHA512

                                                        be67187b8bafff08061ea628e2cb84a712f6a984c70682eccc419747be36c56965fd9efa51e79103ae5ad436fb47a1656d50a184e6d997ffd5f1061799de1097

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                        Filesize

                                                        16B

                                                        MD5

                                                        6752a1d65b201c13b62ea44016eb221f

                                                        SHA1

                                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                        SHA256

                                                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                        SHA512

                                                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                        Filesize

                                                        10KB

                                                        MD5

                                                        58b2c4288323e60ef5502b9e27a2f719

                                                        SHA1

                                                        dcf71352e249be57b5d230513466856707c86ad7

                                                        SHA256

                                                        f282e87ebca8faa4bb691f04cd674646ce910275084061c3f5833e240950b005

                                                        SHA512

                                                        8cf1487166380180b11e9fa7a43bebce8e794735c5538a8ff1b2982aca0f29db586d144a5065ecb33d7d1cec0018e1931ca55a8c57baf9415f02b80214cd7fda

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                        Filesize

                                                        10KB

                                                        MD5

                                                        f9204b9d8e7ab34c7d117c6ce7f6fff3

                                                        SHA1

                                                        ce0a15ffe41a63bc1da222bf631a5ffbb5585e51

                                                        SHA256

                                                        edf331dcf7c622664553d5d167c93e12e5f22c7523ecfdd1b39b9c0e743c09fd

                                                        SHA512

                                                        8daf1b81ebdf3cedc409775190205cf646262a549c82b61b2318409f716b55b723227ba321fca2c8e8e31635c02e209613fc66703bf0d14ff385973c6519d9ec

                                                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CFIOOOZS\8ydfdsE[1].jpg

                                                        Filesize

                                                        59KB

                                                        MD5

                                                        1e8cd861c7919b862a9c47abae3dcce3

                                                        SHA1

                                                        4d44512ae2da33a9355463231184bbbfdc4396f2

                                                        SHA256

                                                        cba3db7504d0b98a3bc5bebc7d4479360f4535378a9ee113c2269811d0a8d6d9

                                                        SHA512

                                                        ee06887355aeff3fe2865bcde6050d8d139668e78bb352a6a0f32b36446887dab78e50a88c0762e3b3d36dd3288546a6283e2f19a7873f01733666046be60e48

                                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

                                                        Filesize

                                                        2KB

                                                        MD5

                                                        d3b4e81a8be26565b0b54bc6b0d5689d

                                                        SHA1

                                                        f0eb4ad6b62efc1bd61fb10c918b1a559b2e534b

                                                        SHA256

                                                        c27cc2a2315ab6a0bb80acd660e7b1a91ff4551b4c5c2ec4dd3031e259af2c18

                                                        SHA512

                                                        035f06851fcd4a7c6c6728f17b573519bf2f54c75900e75d54e48e89cf8e89d55aa3efeaa59d9127293876972b4b37ffd5ccdd6cb09d147a51a747c4128dc91b

                                                      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\IHOCIHIW\microsoft.windows[1].xml

                                                        Filesize

                                                        96B

                                                        MD5

                                                        10447c28373b986c3dce4e7f2156814c

                                                        SHA1

                                                        03a482fa42dea8871c350394101b11f341ef6762

                                                        SHA256

                                                        376615a0b4dac87295162c3d924e67e4bf0dd77e02af1264c1520f22ec5378d8

                                                        SHA512

                                                        4fab536505b12b462254a2cfad102fabf29161a25f824de2b0201265c406f6a14b13049767bb2a6afff5ffe5e7703be0b7906a1740fea3d0dc2d6d8c13459abd

                                                      • C:\Users\Admin\Desktop\Bolbi.txt

                                                        Filesize

                                                        29B

                                                        MD5

                                                        b37ed35ef479e43f406429bc36e68ec4

                                                        SHA1

                                                        5e3ec88d9d13d136af28dea0d3c2529f5b6e3b82

                                                        SHA256

                                                        cc2b26f9e750e05cd680ef5721d9269fe4c8d23cabf500a2ff9065b6b4f7e08c

                                                        SHA512

                                                        d1c1ea6292d8113ce8f02a9ad3921e2d8632f036bdfa243bd6600a173ac0b1fc659f91b43c8d9ec0beaabb87d9654f5f231e98fde27e4d9bdfd5862ca5cb13b7

                                                      • C:\Users\Admin\Music\Slap1.vbs

                                                        Filesize

                                                        46KB

                                                        MD5

                                                        99ec3237394257cb0b5c24affe458f48

                                                        SHA1

                                                        5300e68423da9712280e601b51622c4b567a23a4

                                                        SHA256

                                                        ec17f950f6ee9c0c237d93bc0b766aa6e2ab458c70320b534212043128177b51

                                                        SHA512

                                                        af2394d18f672def6d5d7081def759093759205aac0390ca03591c58c15a02e463a68b583b6fc28ef1368922b4bd5f9072d570ee97a955250a478cdb093500cb

                                                      • C:\Users\Public\Ghostroot\KillDora.bat

                                                        Filesize

                                                        482B

                                                        MD5

                                                        4f08159f1d70d41bf975e23230033a0f

                                                        SHA1

                                                        ea88d6fbdcf218e0e04a650d947250d8a3dfad40

                                                        SHA256

                                                        d6e7530e3879225bc21fc17859e5b5c71414375baac27bb361fd9162f4b49e0e

                                                        SHA512

                                                        958ac467e54d35c4ca5459853d661e49ea81efaa1ce3044114d577fcb757343a40ddb30b9f540cf9c100f05958a843bf312fa879c43bda7513643c824b318d6a

                                                      • C:\Users\Public\ghostroot\Bolbi.vbs

                                                        Filesize

                                                        462B

                                                        MD5

                                                        de41c9172365499ef98449023dd75699

                                                        SHA1

                                                        f2a94f1ac182d9ecb0a3b3fc8e45540a9a46fb3e

                                                        SHA256

                                                        67a66e2e73c7543b0ccc82a4f6892fb4669aa476cb654d3c597609ec16d1943e

                                                        SHA512

                                                        335804bdbe623244b97eb687906808ad508ca6358457cfee89bb5b8cdbbee5399e38d71ed7c808b89f070671c52fa403c33adbd20871e6dd2e9ff079bd54076f

                                                      • C:\Users\Public\ghostroot\Message.vbs

                                                        Filesize

                                                        55B

                                                        MD5

                                                        302e08c86880a39ca55f21cabfa7c5de

                                                        SHA1

                                                        58d56c0eb14fc0401cda7c48d6df9d23f6e9b7e3

                                                        SHA256

                                                        65cfb12baaa6f5891bcd7fda727933a4a12f6dbfa9a6717549eacc6dee9436c7

                                                        SHA512

                                                        9aac68a57cea3d00b956ff82ce443600a969dbc3e4eb2b7b12902f70e318c7dbbf7378b375dd28c0d3be0a0515c5c69d4dd5610d5778f22c4e33765d704f8ff7

                                                      • C:\Users\Public\ghostroot\rpdbfk.exe

                                                        Filesize

                                                        19KB

                                                        MD5

                                                        58f48ec723d2b7e8d23ccdc9861250d7

                                                        SHA1

                                                        d1e892ad5053506a1afdf24f5ab74eaf1c820e90

                                                        SHA256

                                                        fc70c3dd4eee7bdda51f4a9af9e28292a1647e37d7d012aba5b01171d30077d4

                                                        SHA512

                                                        64a05b98b50b99d03d84339465dfa830c396c77e42e2b3ba34592bc3efcdc258c5fcfd999ef4796d16657d2fd249a60a8b6e08ea4e246b51c17350f8f2ff9404

                                                      • \??\pipe\LOCAL\crashpad_1600_EMWIUQZFAUCIWKHT

                                                        MD5

                                                        d41d8cd98f00b204e9800998ecf8427e

                                                        SHA1

                                                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                        SHA256

                                                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                        SHA512

                                                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• memory/1680-332-0x0000000004D90000-0x0000000004D91000-memory.dmp
  Filesize: 4KB

• memory/2184-638-0x00000000040C0000-0x00000000040C1000-memory.dmp
  Filesize: 4KB

• memory/2388-348-0x000001FF4E7D0000-0x000001FF4E7F0000-memory.dmp
  Filesize: 128KB

• memory/2388-334-0x000001FF4D700000-0x000001FF4D800000-memory.dmp
  Filesize: 1024KB

• memory/2388-333-0x000001FF4D700000-0x000001FF4D800000-memory.dmp
  Filesize: 1024KB

• memory/2388-368-0x000001FF4EBE0000-0x000001FF4EC00000-memory.dmp
  Filesize: 128KB

• memory/2388-338-0x000001FF4E810000-0x000001FF4E830000-memory.dmp
  Filesize: 128KB

• memory/3612-830-0x0000028E906F0000-0x0000028E90710000-memory.dmp
  Filesize: 128KB

• memory/3612-808-0x0000028E8FFE0000-0x0000028E90000000-memory.dmp
  Filesize: 128KB

• memory/3612-799-0x0000028E90320000-0x0000028E90340000-memory.dmp
  Filesize: 128KB

• memory/3832-486-0x0000000004850000-0x0000000004851000-memory.dmp
  Filesize: 4KB

• memory/4036-667-0x000002C6D87C0000-0x000002C6D87E0000-memory.dmp
  Filesize: 128KB

• memory/4036-641-0x000002C6D7300000-0x000002C6D7400000-memory.dmp
  Filesize: 1024KB

• memory/4036-640-0x000002C6D7300000-0x000002C6D7400000-memory.dmp
  Filesize: 1024KB

• memory/4036-645-0x000002C6D8400000-0x000002C6D8420000-memory.dmp
  Filesize: 128KB

• memory/4036-655-0x000002C6D81B0000-0x000002C6D81D0000-memory.dmp
  Filesize: 128KB

• memory/4800-516-0x0000020C4F790000-0x0000020C4F7B0000-memory.dmp
  Filesize: 128KB

• memory/4800-500-0x0000020C4F380000-0x0000020C4F3A0000-memory.dmp
  Filesize: 128KB

• memory/4800-488-0x0000020C4E300000-0x0000020C4E400000-memory.dmp
  Filesize: 1024KB

• memory/4800-492-0x0000020C4F3C0000-0x0000020C4F3E0000-memory.dmp
  Filesize: 128KB

• memory/4800-487-0x0000020C4E300000-0x0000020C4E400000-memory.dmp
  Filesize: 1024KB

• memory/4900-791-0x0000000004940000-0x0000000004941000-memory.dmp
  Filesize: 4KB