Malware Analysis Report

2024-12-07 14:30

Sample ID 241014-fxm3jszcmc
Target Doge.Virus.exe
SHA256 b01cad461b4a6baea7f3a175280998ff912730918b94eb123677b1ef12ac26a1
Tags
bootkit discovery evasion exploit persistence ransomware
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

b01cad461b4a6baea7f3a175280998ff912730918b94eb123677b1ef12ac26a1

Threat Level: Likely malicious

The file Doge.Virus.exe was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery evasion exploit persistence ransomware

Boot or Logon Autostart Execution: Active Setup

Possible privilege escalation attempt

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Checks computer location settings

Executes dropped EXE

Modifies file permissions

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-14 05:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-14 05:15

Reported

2024-10-14 05:17

Platform

win7-20240903-en

Max time kernel

150s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Doge.Virus.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\system32\reg.exe N/A

Disables Task Manager via registry modification

evasion

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\$WINDOWS_DOGE\bootrecord.exe N/A
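The row above records only that C:\$WINDOWS_DOGE\bootrecord.exe opened \??\PhysicalDrive0 for modification. It does not show what was written, opening a physical drive for write needs administrator rights, and a handle opened for modification does not by itself prove a write succeeded. The check a responder runs on a suspect disk is to read sector 0 and compare its boot-code region against a baseline captured from the gold image. The Python below is an added example and is not part of this sandbox report or of the sample: it parses a Windows-style MBR (440 bytes of boot code, 4-byte disk signature, four 16-byte partition entries, 0x55AA trailer), hashes the boot code and reports a mismatch. The "clean" and "tampered" sectors, and therefore the baseline hash, are constructed inline; they are stand-ins, not a real Windows boot-code hash.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # Windows-style MBR: boot code in bytes 0..439, then the 4-byte disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
PART_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIG = b"\x55\xaa"   # bytes 510..511 of every valid MBR


def read_mbr(device=r"\\.\PhysicalDrive0"):
    r"""Read sector 0 of a physical drive. \\.\PhysicalDrive0 is the Win32 name for the
    \??\PhysicalDrive0 object the sample opened; reading it needs administrator rights."""
    with open(device, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_partitions(sector):
    """Decode the four partition-table entries into dicts."""
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        parts.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return parts


def check_mbr(sector, baseline_boot_sha256):
    """Return a list of findings; an empty list means the sector is well formed and matches the baseline."""
    if len(sector) != SECTOR_SIZE:
        return [f"expected {SECTOR_SIZE} bytes, got {len(sector)}"]
    findings = []
    if sector[510:512] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    if digest != baseline_boot_sha256:
        findings.append(f"boot code sha256 {digest[:16]}... differs from baseline")
    active = [p for p in parse_partitions(sector) if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} partitions flagged bootable, expected exactly 1")
    return findings


def build_sector(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (bootable, type, lba_start, sectors) tuples."""
    sec = bytearray(SECTOR_SIZE)
    sec[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_FMT, sec, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sec[510:512] = BOOT_SIG
    return bytes(sec)


# Constructed test data: a stand-in for the stock boot code (a few real-looking opcodes padded
# with NOPs), one bootable NTFS partition, and a copy whose first bytes were overwritten.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c") + b"\x90" * (BOOT_CODE_LEN - 7)
PARTITIONS = [(True, 0x07, 2048, 204800), (False, 0, 0, 0), (False, 0, 0, 0), (False, 0, 0, 0)]
CLEAN_SECTOR = build_sector(CLEAN_BOOT_CODE, PARTITIONS)
BASELINE_SHA256 = hashlib.sha256(CLEAN_SECTOR[:BOOT_CODE_LEN]).hexdigest()  # stands in for the gold-image hash
TAMPERED_SECTOR = build_sector(b"\xeb\x3c\x90DOGE" + CLEAN_BOOT_CODE[7:], PARTITIONS)

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_SECTOR, BASELINE_SHA256))
    print("tampered:", check_mbr(TAMPERED_SECTOR, BASELINE_SHA256))
```

On a live host, `check_mbr(read_mbr(), BASELINE_SHA256)` from an elevated prompt does the comparison; on an image, read the first 512 bytes of the image file instead. On a UEFI/GPT machine sector 0 holds only the protective MBR and firmware never executes it, so an overwrite there corrupts the partition table without handing the sample control of the boot, which is still worth catching before the next reboot.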

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A [identical row repeated 27 times]
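The registry signatures in this analysis (Active Setup key created, DisableRegistryTools set to 1, Wallpaper pointed at the dropped protection.jpg) are all single "Set value" or "Key created" rows in the sandbox's own row format, with the SID-qualified \REGISTRY\USER path that analysts normally write as HKCU. The Python below is an added example, not part of the report: it parses rows in that format, normalises the hive prefix, and evaluates a small rule set against them, counting identical events instead of listing them. The sample rows are copied from this report's behavioral1 tables except the DisableTaskMgr row, which is constructed to exercise the Task Manager rule (the report fires that signature but prints no indicator row for it). Rule names are mine.

```python
import re
from collections import Counter

# One indicator row of the sandbox's "Description Indicator Process Target" table, e.g.
#   Set value (int) \REGISTRY\USER\<SID>\...\DisableRegistryTools = "1" C:\Windows\system32\reg.exe N/A
#   Key created \REGISTRY\USER\<SID>\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created)\s+'
    r'(?P<key>\\REGISTRY\\.+?)'                  # key paths may contain spaces, so match lazily
    r'(?:\s=\s(?P<data>"[^"]*"|\S+))?'           # optional value data, quoted or bare
    r'\s+(?P<proc>[A-Za-z]:\\\S+)\s+(?P<target>\S+)$'
)
SID_RE = re.compile(r'^\\REGISTRY\\USER\\S-1-5-21-[\d-]+(?P<classes>_CLASSES)?', re.IGNORECASE)


def normalize_key(key):
    """Rewrite NT-native registry paths to the HKCU/HKLM form that rules are written in."""
    m = SID_RE.match(key)
    if m:
        hive = r"HKCU\Software\Classes" if m["classes"] else "HKCU"
        return hive + key[m.end():]
    machine = r"\REGISTRY\MACHINE"
    if key.upper().startswith(machine):
        return "HKLM" + key[len(machine):]
    return key


def parse_row(line):
    """Return {op, key, data, proc, target} for one row, or None if the line is not a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    data = m["data"]
    if data is not None and len(data) >= 2 and data[0] == data[-1] == '"':
        data = data[1:-1]
    return {"op": m["op"], "key": normalize_key(m["key"]), "data": data,
            "proc": m["proc"], "target": m["target"]}


# (rule name, key prefix after normalisation, predicate on the value data or None for "any write")
RULES = (
    ("Active Setup autostart key", r"HKCU\Software\Microsoft\Active Setup\Installed Components", None),
    ("RegEdit disabled by policy", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", lambda d: d == "1"),
    ("Task Manager disabled by policy", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", lambda d: d == "1"),
    ("Wallpaper replaced with dropped image", r"HKCU\Control Panel\Desktop\Wallpaper", lambda d: d is not None and "$WINDOWS_DOGE" in d),
)


def triage(rows):
    """Count rule hits per (rule, writing process); repeated identical rows add up."""
    hits = Counter()
    for line in rows:
        ev = parse_row(line)
        if ev is None:
            continue
        for name, prefix, pred in RULES:
            if ev["key"].lower().startswith(prefix.lower()) and (pred is None or pred(ev["data"])):
                hits[(name, ev["proc"])] += 1
    return hits


SID = r"\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000"
WALLPAPER_ROW = (r'Set value (str) ' + SID + r'\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" '
                 r'C:\Windows\system32\reg.exe N/A')
SAMPLE_ROWS = [
    # rows copied from this report's behavioral1 signature tables
    r'Key created ' + SID + r'\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A',
    r'Set value (int) ' + SID + r'\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\system32\reg.exe N/A',
    # constructed row: the report fires "Disables Task Manager" but prints no indicator line for it
    r'Set value (int) ' + SID + r'\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Windows\system32\reg.exe N/A',
    # benign shell-bag write from the "Modifies registry class" table; must not fire any rule
    r'Set value (data) ' + SID + r'_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A',
] + [WALLPAPER_ROW] * 3   # the report lists this exact write 27 times

if __name__ == "__main__":
    for (rule, proc), n in sorted(triage(SAMPLE_ROWS).items()):
        print(f"{n:3d}  {rule:40s} {proc}")
```

Prefix matching on the Active Setup rule is deliberate: the persistence entry is a StubPath value under a GUID subkey of Installed Components, so any creation or write beneath that key is worth a hit, whereas the two policy rules only fire on the value 1 that actually disables the tool.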

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\vdk150.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\RE1558~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\SUBMIS~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMANIAN.TXT C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\EMAIL_~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\LICENS~1.HTM C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\REVIEW~3.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\SERVER~3.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDFFIL~1.ICO C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\server\classes.jsa C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SECSTO~1.ICO C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DISPLA~4.TXT C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Onix32.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\RE99D5~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LOGTRA~1.EXE C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\br.gif C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\SERVER~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can32.clx C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icudt36.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ADD_RE~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\REVIEW~2.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\STOP_C~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\COURIE~1.OTF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MINION~1.OTF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AXSLE.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\RECDE7~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\IDENTI~1 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\COURIE~2.OTF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\SY______.PFB C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\CRYPTO~1.SIG C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\FORMS_~3.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CROATIAN.TXT C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\MYRIAD~1.OTF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\GREEK.TXT C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMPRO~1.CER C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MYRIAD~3.OTF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\COURIE~4.OTF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\FORMS_~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\RE78D9~1.GIF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MINION~2.OTF C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\helpmap.txt C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\$WINDOWS_DOGE\dogelist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\$WINDOWS_DOGE\Dogeui.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\$WINDOWS_DOGE\end.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Doge.Virus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\$WINDOWS_DOGE\GetReady.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\$WINDOWS_DOGE\Doge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\$WINDOWS_DOGE\Doge.exe N/A
N/A N/A C:\$WINDOWS_DOGE\bootrecord.exe N/A
N/A N/A C:\$WINDOWS_DOGE\shake.exe N/A
N/A N/A C:\$WINDOWS_DOGE\dogelist.exe N/A
N/A N/A C:\$WINDOWS_DOGE\Dogeui.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A [identical row repeated 20 times]
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A [identical row repeated 41 times]

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A [identical row repeated 28 times]
N/A N/A C:\$WINDOWS_DOGE\Dogeui.exe N/A
N/A N/A C:\Windows\explorer.exe N/A [identical row repeated 35 times]

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A [identical row repeated 64 times]

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\Doge.Virus.exe C:\$WINDOWS_DOGE\GetReady.exe [identical row repeated 4 times]
PID 2712 wrote to memory of 2664 N/A C:\$WINDOWS_DOGE\GetReady.exe C:\Windows\system32\cmd.exe [identical row repeated 4 times]
PID 2664 wrote to memory of 2564 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe [identical row repeated 3 times]
PID 2664 wrote to memory of 1204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe [identical row repeated 3 times]
PID 2664 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe [identical row repeated 3 times]
PID 2664 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe [identical row repeated 3 times]
PID 2664 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe [identical row repeated 3 times]
PID 2664 wrote to memory of 1856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe [identical row repeated 3 times]
PID 2664 wrote to memory of 3000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe [identical row repeated 3 times]
PID 2664 wrote to memory of 3056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe [identical row repeated 3 times]
PID 2664 wrote to memory of 2196 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe [identical row repeated 3 times]
PID 2664 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe [identical row repeated 3 times]
PID 2664 wrote to memory of 2900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe [identical row repeated 3 times]
PID 2664 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe [identical row repeated 3 times]
PID 2664 wrote to memory of 3016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe [identical row repeated 3 times]
PID 2664 wrote to memory of 2588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe [identical row repeated 3 times]
PID 2664 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe [identical row repeated 3 times]
PID 2664 wrote to memory of 2648 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe [identical row repeated 3 times]
PID 2664 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe [identical row repeated 3 times]
PID 2664 wrote to memory of 2396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2664 wrote to memory of 2396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2664 wrote to memory of 2396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2664 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2664 wrote to memory of 2096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Doge.Virus.exe

"C:\Users\Admin\AppData\Local\Temp\Doge.Virus.exe"

C:\$WINDOWS_DOGE\GetReady.exe

"C:\$WINDOWS_DOGE\GetReady.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FED8.tmp\FED9.tmp\FEEA.bat C:\$WINDOWS_DOGE\GetReady.exe"

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLogoff" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWinKeys" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaiviorAdmin" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "HideFastUserSwitching" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d 2 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v "NoChangingWallpaper" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f

C:\$WINDOWS_DOGE\Doge.exe

Doge.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1F4.tmp\1F5.tmp\1F6.bat C:\$WINDOWS_DOGE\Doge.exe"

C:\$WINDOWS_DOGE\bootrecord.exe

bootrecord.exe

C:\$WINDOWS_DOGE\shake.exe

shake.exe

C:\$WINDOWS_DOGE\dogelist.exe

dogelist.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\232.tmp\233.tmp\234.bat C:\$WINDOWS_DOGE\dogelist.exe"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\takeown.exe

takeown /f "Program Files" /r

C:\$WINDOWS_DOGE\Dogeui.exe

Dogeui.exe

C:\Windows\system32\icacls.exe

icacls "Program Files\*" /granted "Admin":F /T

C:\Windows\system32\takeown.exe

takeown /f "Program Files (x86)" /r

C:\Windows\system32\icacls.exe

icacls "Program Files (x86)\*" /granted "Admin":F /T

C:\Windows\system32\takeown.exe

takeown /f "SystemApps" /r

C:\Windows\system32\icacls.exe

icacls "SystemApps\*" /granted "Admin":F /T

C:\$WINDOWS_DOGE\end.exe

"C:\$WINDOWS_DOGE\end.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E189.tmp\E18A.tmp\E18B.bat C:\$WINDOWS_DOGE\end.exe"

C:\Windows\system32\taskkill.exe

taskkill /f /im dogeui.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im svchost.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im csrss.exe

Network

N/A

Files

\$WINDOWS_DOGE\GetReady.exe

C:\Users\Admin\AppData\Local\Temp\FED8.tmp\FED9.tmp\FEEA.bat

C:\$WINDOWS_DOGE\Doge.exe

C:\Users\Admin\AppData\Local\Temp\1F4.tmp\1F5.tmp\1F6.bat

C:\$WINDOWS_DOGE\shake.exe

C:\$WINDOWS_DOGE\bootrecord.exe

C:\$WINDOWS_DOGE\dogelist.exe

memory/2316-40-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\232.tmp\233.tmp\234.bat

C:\$WINDOWS_DOGE\Dogeui.exe

memory/2528-46-0x0000000000B60000-0x0000000000C42000-memory.dmp

C:\$WINDOWS_DOGE\lovania.wav

C:\$WINDOWS_DOGE\end.exe

C:\Users\Admin\AppData\Local\Temp\E189.tmp\E18A.tmp\E18B.bat

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-14 05:15

Reported

2024-10-14 05:17

Platform

win10v2004-20241007-en

Max time kernel

7s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Doge.Virus.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\system32\reg.exe N/A

Disables Task Manager via registry modification

evasion

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Doge.Virus.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\$WINDOWS_DOGE\GetReady.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\$WINDOWS_DOGE\Doge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\$WINDOWS_DOGE\dogelist.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\$WINDOWS_DOGE\GetReady.exe N/A
N/A N/A C:\$WINDOWS_DOGE\Doge.exe N/A
N/A N/A C:\$WINDOWS_DOGE\bootrecord.exe N/A
N/A N/A C:\$WINDOWS_DOGE\shake.exe N/A
N/A N/A C:\$WINDOWS_DOGE\dogelist.exe N/A
N/A N/A C:\$WINDOWS_DOGE\Dogeui.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\$WINDOWS_DOGE\bootrecord.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\$WINDOWS_DOGE\\protection.jpg" C:\Windows\system32\reg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\$WINDOWS_DOGE\Dogeui.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Doge.Virus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\$WINDOWS_DOGE\GetReady.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\$WINDOWS_DOGE\Doge.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\$WINDOWS_DOGE\bootrecord.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\$WINDOWS_DOGE\dogelist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\$WINDOWS_DOGE\shake.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-493223053-2004649691-1575712786-1000\{B8756FF1-7A93-413F-B7AC-90A3FFB02468} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\$WINDOWS_DOGE\GetReady.exe N/A
N/A N/A C:\$WINDOWS_DOGE\Doge.exe N/A
N/A N/A C:\$WINDOWS_DOGE\bootrecord.exe N/A
N/A N/A C:\$WINDOWS_DOGE\dogelist.exe N/A
N/A N/A C:\$WINDOWS_DOGE\shake.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3856 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\Doge.Virus.exe C:\$WINDOWS_DOGE\GetReady.exe
PID 3856 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\Doge.Virus.exe C:\$WINDOWS_DOGE\GetReady.exe
PID 3856 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\Doge.Virus.exe C:\$WINDOWS_DOGE\GetReady.exe
PID 4672 wrote to memory of 3204 N/A C:\$WINDOWS_DOGE\GetReady.exe C:\Windows\system32\cmd.exe
PID 4672 wrote to memory of 3204 N/A C:\$WINDOWS_DOGE\GetReady.exe C:\Windows\system32\cmd.exe
PID 3204 wrote to memory of 748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 4472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 4472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 2200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 2200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 1860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 1860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 5084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 5084 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 1252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 1252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 4952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 4952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 3864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 3864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 3596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3204 wrote to memory of 3596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3204 wrote to memory of 4388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 4388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3204 wrote to memory of 532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3204 wrote to memory of 2500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 2500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 2220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3204 wrote to memory of 2220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3204 wrote to memory of 2248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 2248 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 4340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3204 wrote to memory of 4340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3204 wrote to memory of 852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3204 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3204 wrote to memory of 1172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 1172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 1908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3204 wrote to memory of 1908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3204 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 3144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3204 wrote to memory of 3144 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3204 wrote to memory of 3224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 3224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3204 wrote to memory of 2656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3204 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3204 wrote to memory of 408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3204 wrote to memory of 4568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 4568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 4512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
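
Read as a whole, the rows above are the sample's process chain: Doge.Virus.exe (PID 3856) writes into GetReady.exe (4672), GetReady.exe writes into cmd.exe (3204), and that one cmd.exe then writes into a long run of reg.exe and rundll32.exe children. The sandbox records a write from each parent into the child it spawns, so the table doubles as a process tree; the signal is not that a write happened but which image wrote into which, and the fan-out from a single cmd.exe (the "CmdExeWriteProcessMemorySpam" behaviour listed in the summary). The Python below rebuilds that tree from the rows. It is an added example, not part of the sandbox report; the embedded rows are a subset copied from the table (repeated rows kept, since the sandbox logs one row per write), and the function names are this example's own.

```python
# Added example: rebuild the parent/child chain from the report's WriteProcessMemory rows.
# Not sandbox output. Sample rows are a subset copied from the table above; function
# names (parse_rows, build_tree, roots, lineage, fanout, render) are this example's own.
import re
from collections import defaultdict

# Constructed sample input: subset of rows from the table above, duplicates kept on purpose.
WPM_ROWS = r"""
PID 3856 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\Doge.Virus.exe C:\$WINDOWS_DOGE\GetReady.exe
PID 3856 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\Doge.Virus.exe C:\$WINDOWS_DOGE\GetReady.exe
PID 4672 wrote to memory of 3204 N/A C:\$WINDOWS_DOGE\GetReady.exe C:\Windows\system32\cmd.exe
PID 3204 wrote to memory of 748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 4472 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3204 wrote to memory of 3596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 3204 wrote to memory of 4388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """(parent pid, child pid, parent image, child image) tuples, deduplicated, in order."""
    seen, records = set(), []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rec = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
            if rec not in seen:
                seen.add(rec)
                records.append(rec)
    return records


def build_tree(records):
    """Return (pid -> image path, pid -> ordered list of child pids)."""
    image, children = {}, defaultdict(list)
    for ppid, cpid, pimg, cimg in records:
        image.setdefault(ppid, pimg)
        image.setdefault(cpid, cimg)
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
    return image, children


def roots(image, children):
    """PIDs that never appear as a write target: the top of each chain."""
    targets = {c for cs in children.values() for c in cs}
    return [p for p in image if p not in targets]


def lineage(pid, image, children):
    """Image basenames from the root down to pid."""
    parent = {c: p for p, cs in children.items() for c in cs}
    chain = []
    while pid is not None:
        chain.append(image[pid].rsplit("\\", 1)[-1])
        pid = parent.get(pid)
    return chain[::-1]


def fanout(image, children, basename, threshold):
    """PIDs of `basename` processes that wrote into at least `threshold` distinct children.

    This is the shape behind the report's CmdExeWriteProcessMemorySpam behaviour: one
    cmd.exe driving a long run of reg.exe / rundll32.exe children.
    """
    return [p for p, cs in children.items()
            if image[p].lower().endswith("\\" + basename.lower()) and len(cs) >= threshold]


def render(image, children, pid=None, depth=0):
    """Indented text tree, one line per process, starting at the roots."""
    lines = []
    for p in ([pid] if pid is not None else roots(image, children)):
        lines.append("  " * depth + f"{p} {image[p]}")
        for c in children.get(p, []):
            lines.extend(render(image, children, c, depth + 1))
    return lines


if __name__ == "__main__":
    img, kids = build_tree(parse_rows(WPM_ROWS))
    print("\n".join(render(img, kids)))
    print("cmd.exe fan-out:", fanout(img, kids, "cmd.exe", 4))
```

On the full table the same code gives 3204 twenty reg.exe and ten rundll32.exe children; a threshold of a handful of distinct children from one cmd.exe is enough to separate this from an ordinary script while still keeping the parent chain (Doge.Virus.exe, GetReady.exe, cmd.exe) available for the alert.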

Processes

C:\Users\Admin\AppData\Local\Temp\Doge.Virus.exe

"C:\Users\Admin\AppData\Local\Temp\Doge.Virus.exe"

C:\$WINDOWS_DOGE\GetReady.exe

"C:\$WINDOWS_DOGE\GetReady.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\91EF.tmp\91F0.tmp\91F1.bat C:\$WINDOWS_DOGE\GetReady.exe"

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableLockWorkstation" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableChangePassword" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoClose" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLogoff" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoWinKeys" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaiviorAdmin" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "HideFastUserSwitching" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d 2 /f

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" /v "NoChangingWallpaper" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f
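
The reg.exe command lines above are the work of the batch file (91F1.bat) that the first cmd.exe runs on behalf of GetReady.exe. Together they lock the user out of the machine rather than hide the malware: Task Manager, Registry Editor, Run, Log Off, Shut Down, Lock, Change Password, Switch User and the Windows-key shortcuts are all disabled through per-user policy values, DisableCMD is set to 2 (which blocks the interactive command prompt but still allows batch files, so the sample's own scripts launched via cmd.exe /c keep running), and the wallpaper is pointed at C:\$WINDOWS_DOGE\protection.jpg, refreshed with rundll32 user32.dll,UpdatePerUserSystemParameters, and then locked with NoChangingWallpaper. Two of the recorded lines would not do what they intend on a real host: the HKLM value is written as ConsentPromptBehaiviorAdmin (the real value is ConsentPromptBehaviorAdmin), so the attempt to make UAC elevate silently has no effect, and the icacls line further down the list uses /granted, which is not a switch icacls accepts (the real one is /grant). The Python below triages command lines of this shape and generates the reg delete lines that reverse the effective writes. It is an added example, not part of the report; the embedded command lines are a subset copied from the Processes list (including the takeown and icacls lines that appear later), and the policy catalogue, category names and function names are this example's own.

```python
# Added example: triage the command lines recorded under Processes. Not sandbox output.
# Sample command lines are a subset copied from the report; the policy catalogue,
# category names and function names are this example's own choices.
import difflib
import re

# Constructed sample input: subset of the reg.exe, taskkill, takeown and icacls lines in the list.
SAMPLE_CMDLINES = [
    r'REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f',
    r'REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f',
    r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaiviorAdmin" /t REG_DWORD /d 0 /f',
    r'REG ADD "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d 2 /f',
    r'reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\$WINDOWS_DOGE\protection.jpg" /f',
    r'REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /t REG_DWORD /d 1 /f',
    "taskkill /f /im explorer.exe",
    'takeown /f "Program Files" /r',
    r'icacls "Program Files\*" /granted "Admin":F /T',
]

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
CU_SYS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
CU_EXP = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
LM_SYS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Documented Windows policy values the sample touches: (key, value name) -> effect.
POLICY_VALUES = {
    (CU_SYS, "DisableTaskMgr"): "disables Task Manager",
    (CU_SYS, "DisableRegistryTools"): "disables Registry Editor",
    (CU_SYS, "DisableLockWorkstation"): "removes Lock from the Ctrl+Alt+Del screen",
    (CU_SYS, "DisableChangePassword"): "removes Change a password from the Ctrl+Alt+Del screen",
    (CU_EXP, "NoClose"): "removes Shut Down from the Start menu",
    (CU_EXP, "NoLogoff"): "removes Log Off from the Start menu",
    (CU_EXP, "NoWinKeys"): "disables Windows-key shortcuts",
    (CU_EXP, "NoRun"): "removes the Run command",
    (LM_SYS, "ConsentPromptBehaviorAdmin"): "UAC prompt for administrators (0 = elevate silently)",
    (LM_SYS, "HideFastUserSwitching"): "hides Switch User",
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System", "DisableCMD"):
        "disables cmd.exe (2 = interactive prompt only; batch files still run)",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop", "NoChangingWallpaper"):
        "prevents the user from changing the wallpaper",
    (r"HKEY_CURRENT_USER\Control Panel\Desktop", "Wallpaper"): "sets the desktop wallpaper",
}
LOOKUP = {(k.lower(), v.lower()): desc for (k, v), desc in POLICY_VALUES.items()}

REG_ADD_RE = re.compile(
    r'^reg\s+add\s+"?(?P<key>[^"]+?)"?\s+/v\s+"?(?P<name>[^"\s]+)"?\s+/t\s+(?P<type>\S+)'
    r'\s+/d\s+"?(?P<data>[^"]+?)"?\s+/f\b', re.IGNORECASE)


def parse_reg_add(cmdline):
    """Return (full key, value name, type, data) for a 'reg add' line, else None."""
    m = REG_ADD_RE.match(cmdline.strip())
    if not m:
        return None
    hive, _, rest = m.group("key").partition("\\")
    return HIVES.get(hive.upper(), hive.upper()) + "\\" + rest, m.group("name"), m.group("type"), m.group("data")


def classify(cmdline):
    """Return (category, detail) for one command line, or None when it is not of interest."""
    parsed = parse_reg_add(cmdline)
    if parsed:
        key, name, _, data = parsed
        desc = LOOKUP.get((key.lower(), name.lower()))
        if desc:
            return "registry-tamper", f"{key}\\{name} = {data}: {desc}"
        # Unknown value under a known policy key: almost certainly a misspelling. The write
        # is a no-op on Windows, but it is still a tampering attempt worth flagging.
        known = [v for (k, v) in POLICY_VALUES if k.lower() == key.lower()]
        near = difflib.get_close_matches(name, known, n=1, cutoff=0.8)
        if near:
            return "registry-tamper-noop", f"{key}\\{name} is not a real value (closest: {near[0]}); no effect"
        return None
    low = cmdline.lower()
    if low.startswith("taskkill") and "explorer.exe" in low:
        return "kill-shell", "terminates explorer.exe, the desktop shell"
    if low.startswith("takeown"):
        return "acl-tamper", "takes ownership of a directory tree (uses SeTakeOwnershipPrivilege)"
    if low.startswith("icacls"):
        # '/granted' is not an icacls switch (the real one is /grant): the line fails on a real host.
        bad = " (invalid switch, would fail)" if "/granted" in low else ""
        return "acl-tamper", "rewrites directory ACLs" + bad
    return None


def triage(cmdlines):
    """(category, detail) for every command line that classify() recognises, in order."""
    return [r for r in (classify(c) for c in cmdlines) if r]


def undo_commands(cmdlines):
    # reg delete lines that reverse the effective policy writes. Misspelled (no-op) values
    # are skipped, and so is Wallpaper, which should be restored rather than deleted.
    out = []
    for c in cmdlines:
        parsed = parse_reg_add(c)
        if parsed and (parsed[0].lower(), parsed[1].lower()) in LOOKUP and parsed[1].lower() != "wallpaper":
            out.append(f'reg delete "{parsed[0]}" /v {parsed[1]} /f')
    return out


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_CMDLINES):
        print(f"{category:22} {detail}")
    print("\n".join(undo_commands(SAMPLE_CMDLINES)))
```

Matching on the key path first and the value name second is deliberate: an exact-name rule would have missed the misspelled ConsentPromptBehaiviorAdmin write entirely, while the near-match still records the intent. The undo list is only the registry half of clean-up; explorer.exe has to be restarted, the wallpaper restored, and the ownership change made by takeown reverted separately, and none of it should be run on a host until the dropped executables under C:\$WINDOWS_DOGE are gone.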

C:\$WINDOWS_DOGE\Doge.exe

Doge.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\978D.tmp\978E.tmp\978F.bat C:\$WINDOWS_DOGE\Doge.exe"

C:\$WINDOWS_DOGE\bootrecord.exe

bootrecord.exe

C:\$WINDOWS_DOGE\shake.exe

shake.exe

C:\$WINDOWS_DOGE\dogelist.exe

dogelist.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\takeown.exe

takeown /f "Program Files" /r

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9829.tmp\982A.tmp\982B.bat C:\$WINDOWS_DOGE\dogelist.exe"

C:\$WINDOWS_DOGE\Dogeui.exe

Dogeui.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3e4 0x310

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.fr/search?q=n17pro3426

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc813e46f8,0x7ffc813e4708,0x7ffc813e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.fr/search?q=dogecoin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf8,0x124,0x7ffc813e46f8,0x7ffc813e4708,0x7ffc813e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5392 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.fr/search?q=doge+the+shiba+inu

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc813e46f8,0x7ffc813e4708,0x7ffc813e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1

C:\Windows\system32\icacls.exe

icacls "Program Files\*" /granted "Admin":F /T

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.fr/search?q=doge+the+shiba+inu

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc813e46f8,0x7ffc813e4708,0x7ffc813e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.fr/search?q=the+how+2+remove+doge+virus

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc813e46f8,0x7ffc813e4708,0x7ffc813e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7628 /prefetch:1

C:\Windows\system32\takeown.exe

takeown /f "Program Files (x86)" /r

C:\Windows\system32\icacls.exe

icacls "Program Files (x86)\*" /granted "Admin":F /T

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.fr/search?q=n17pro3426

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc813e46f8,0x7ffc813e4708,0x7ffc813e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7376 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7416 /prefetch:1

C:\Windows\system32\takeown.exe

takeown /f "SystemApps" /r

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8524 /prefetch:1

C:\Windows\system32\icacls.exe

icacls "SystemApps\*" /granted "Admin":F /T

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.fr/search?q=doge+virus+download

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc813e46f8,0x7ffc813e4708,0x7ffc813e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=gweaFYD6LSg

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc813e46f8,0x7ffc813e4708,0x7ffc813e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8936 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8060 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9024 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9048 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7420 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=FGLuKaCWX3A

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc813e46f8,0x7ffc813e4708,0x7ffc813e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9568 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9396 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9872 /prefetch:1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=printing.mojom.PrintCompositor --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --service-sandbox-type=print_compositor --mojo-platform-channel-handle=9452 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.fr/search?q=doge+memes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc813e46f8,0x7ffc813e4708,0x7ffc813e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9992 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9640 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3032 -ip 3032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 2476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=qrcode_generator.mojom.QRCodeGeneratorService --field-trial-handle=2124,13940041691443119616,1559561703203340147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9976 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3032 -ip 3032

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 2340

C:\Windows\system32\taskkill.exe

taskkill /f /im svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.google.fr udp
GB 142.250.187.227:443 www.google.fr tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
GB 142.250.200.36:443 www.google.com tcp
GB 142.250.200.36:443 www.google.com udp
US 8.8.8.8:53 36.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
GB 142.250.187.227:443 www.google.fr udp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 216.58.201.99:443 ssl.gstatic.com tcp
US 8.8.8.8:53 2.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 216.58.201.110:443 play.google.com tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
GB 172.217.169.42:443 ogads-pa.googleapis.com tcp
GB 172.217.169.42:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 42.169.217.172.in-addr.arpa udp
GB 216.58.201.110:443 play.google.com udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 devtools.azureedge.net udp
US 13.107.246.64:443 devtools.azureedge.net tcp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 edge.microsoft.com udp
US 204.79.197.239:443 edge.microsoft.com tcp
US 204.79.197.239:443 edge.microsoft.com tcp
US 8.8.8.8:53 239.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 i.ytimg.com udp
US 8.8.8.8:53 rr3---sn-aigl6nzr.googlevideo.com udp
GB 172.217.169.22:443 i.ytimg.com tcp
GB 74.125.175.136:443 rr3---sn-aigl6nzr.googlevideo.com tcp
GB 74.125.175.136:443 rr3---sn-aigl6nzr.googlevideo.com tcp
GB 172.217.169.22:443 i.ytimg.com udp
US 8.8.8.8:53 22.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 136.175.125.74.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 173.194.69.84:443 accounts.google.com tcp
US 8.8.8.8:53 rr1---sn-aigl6ns6.googlevideo.com udp
GB 74.125.105.6:443 rr1---sn-aigl6ns6.googlevideo.com udp
NL 173.194.69.84:443 accounts.google.com udp
US 8.8.8.8:53 84.69.194.173.in-addr.arpa udp
US 8.8.8.8:53 6.105.125.74.in-addr.arpa udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
GB 172.217.169.10:443 jnn-pa.googleapis.com tcp
GB 172.217.169.10:443 jnn-pa.googleapis.com udp
US 8.8.8.8:53 10.169.217.172.in-addr.arpa udp
GB 216.58.201.110:443 www.youtube.com udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 yt3.ggpht.com udp
GB 142.250.178.1:443 yt3.ggpht.com tcp
US 8.8.8.8:53 1.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 youtube.com udp
GB 142.250.200.46:443 youtube.com tcp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 rr4---sn-aigzrn7k.googlevideo.com udp
GB 173.194.139.9:443 rr4---sn-aigzrn7k.googlevideo.com udp
US 8.8.8.8:53 rr3---sn-aigzrnse.googlevideo.com udp
US 8.8.8.8:53 9.139.194.173.in-addr.arpa udp
GB 74.125.168.200:443 rr3---sn-aigzrnse.googlevideo.com udp
US 8.8.8.8:53 200.168.125.74.in-addr.arpa udp
GB 142.250.178.1:443 yt3.ggpht.com udp
GB 142.250.187.227:443 www.google.fr udp
GB 172.217.169.42:443 ogads-pa.googleapis.com udp

Files

C:\$WINDOWS_DOGE\GetReady.exe

MD5 5655228fd9277469c4591beb6d18e66c
SHA1 2fed8e3c7f4bee7637244455d2e133cb5ece9260
SHA256 2c4065e8d4f1baa25b9488d41dcb3b5339a51f4ca119dbc35f70d6697930bf39
SHA512 729471c755bb070f4b1f7977ec5771ec2ce525b094729f44ea1e2144f36bbc399f2ed2f9b02ad7bb7a8940275e8dae268cbea70750ff544ea12aeff222e351e9

C:\Users\Admin\AppData\Local\Temp\91EF.tmp\91F0.tmp\91F1.bat

MD5 6e665ef1afb57e1ffa6e1025da487164
SHA1 0131b28085e0e0f5fa49c1045243ec77f8fb4c9c
SHA256 8b5646f2032cc029e4227f61504c31d6a6949a67e29255535b075188ebe9694f
SHA512 2635a1f472ef95b8a809fb9be53dafaf460f26fbf38560b9d0e381829ff4ecf0b9f8e235264404d18d76ad4b81c2de967d168bb9330dd7b5cf2243a7dbb329bc

C:\$WINDOWS_DOGE\Doge.exe

MD5 585ed6653cddbf6102db44e91c6b1a00
SHA1 a977cff46df2fc94b27a95650d0252de3b034d0b
SHA256 5a3e9a48a214ce5b43ca054193661dd0481d4fcf811ccaec893db0af8dde6f20
SHA512 e4e27b10e6e131fa3955a26fdbdf455cdf4f2bd317fa332b880f327c2837829408f65ec11256fdd8348326a6632943fec9eeee91d95aadbc34d67a89c9a4e715

C:\Users\Admin\AppData\Local\Temp\978D.tmp\978E.tmp\978F.bat

MD5 95a30e93bb9d5ace0d5a115b189072dd
SHA1 24777f3d3818444ff417eba4735e610de9bcf1e0
SHA256 a4450d353337b998783d9d38e5f08fc6fd62bd34291613630fc343d7bfc40951
SHA512 83f75138a501d0034f61423d03a9e6104ed3ee80f91207ec27422a8d6378dfff9c291e666ff32a9880f4cfb6d55c1d56f497b6dd66cc311fc7e095049e2fe7fe

C:\$WINDOWS_DOGE\bootrecord.exe

MD5 86200a3553fe401a155973b71061a541
SHA1 66d0636e548281bd8761b0e49425ca5fdc663ee5
SHA256 6ec68ac374bee00cf12310fe17d1b2cc3f7c50a293e9eb878785e26493ed1524
SHA512 26a71dbfe0ff27dc84e2a2fb8acd0367d3e273b1912affbd1889b38192a4a804cdd73f2852bf3c82608e15a36ad6840ce746918a6334b2abdf458c9bd1669fb7

C:\$WINDOWS_DOGE\shake.exe

MD5 f4f7aaa39e35b6be5b6557e196cfdee9
SHA1 774fa52609324031a23148155f77c88ecf5cb0df
SHA256 9c316bbb5ed2ecc94521369e701a3e8ef93b7043c1c7ac070c1bd60f698d9cdd
SHA512 cc2da9511d53f56681221071a7282b80132356c26d628f5b931f6d2ae33513c6e4a7a4e70b3733d53408154afb78f6e99d3c4b3af0782fb4c2fab24388d893b9

C:\$WINDOWS_DOGE\dogelist.exe

MD5 93dc7998146afbc835f20a713f388ab6
SHA1 136544c02e7235263f8904d2a2afbc433d0891ef
SHA256 a086e7f6b516c20544bd3851f5b596e67618ca10e3870abf6ee149b63427f5ff
SHA512 5af3462d1d947c4647743727629a20f1b12ec8b7e75450eb694886249f6c72d911f0c68e0a9cab515e7ab6b1592a003674c4a8b9e215c63145ecd80f7942fe69

memory/804-40-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9829.tmp\982A.tmp\982B.bat

MD5 9b1b399a2e609f876d45ab1d50c10731
SHA1 579258e6670bfad0d13a9c21f1a2df319bd5fccf
SHA256 2506fdc34880bfd8934e39ba2359eb8da62951ca055bf06794ba1fa2b5c4e4d9
SHA512 05e5e02d77c7e864d88e9bf6d4758bed76fb5cb1732d1e6720db9a66a577bb3f082df096e5e312bc89f631b60f6397ced16a19d87dfa6be1b32793de737e1a20

C:\$WINDOWS_DOGE\Dogeui.exe

MD5 cb3671d58ffd6d07b32880e638a32889
SHA1 59f7bd56fc1dae2c360bec1560c9376a55f702cf
SHA256 08253c3cddd484b1c61d22af1341049736e82e77dd8dce06d9abafac166d1957
SHA512 3140ee11bb023dccca3dbfcea2d720244cd1fd8edfb9c06d42a2f956d98bade6c97ade411ce6de07ae25c333ce2559e182651c71b39c05f9aff9cf4edaa86a62

memory/3032-47-0x0000000000450000-0x0000000000532000-memory.dmp

memory/3032-48-0x00000000054E0000-0x0000000005A84000-memory.dmp

memory/3032-49-0x0000000004F30000-0x0000000004FC2000-memory.dmp

memory/3032-50-0x0000000004FE0000-0x0000000004FEA000-memory.dmp

C:\$WINDOWS_DOGE\lovania.wav

MD5 b64bd3091670a0c34b30cc65ab12372c
SHA1 91ea6deeabd96eb08874a29dcdc0e452017428bf
SHA256 5758563db28f8cc9e767c8ab78a9f72d755dfd6f21531d91856613e720303863
SHA512 6bdb27298c2f183c654efc1c31db0eb7c621a1d26f07350ef94a6376c6692fb4bbaeffa159c8b5cb1f7d1f41f47f51498b88d98502877099475fe9c4150fc155

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 5a1c8b6db994749bf1db816c60d39b52
SHA1 ff5f09d7697a71d9deec8457145149e6e96028ce
SHA256 31a07dba8984e282ba45c0cbd8d9d83311dd1555337badedf25e3be5f544844d
SHA512 8591ac1a94ded79af2cca7d0b0e4a0e86ccde4ed9677e651af450821cb3f0bbea9fe07a941f64e7e0c9f9130c6f3fc3d63912b9bc157c632f1f2d3947f19b193

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 a5fa40ddee88bd403d12c6ff43aea6a0
SHA1 26a9d9b68f89fc79f47b5c376aa4685c3e008aa7
SHA256 9079248c275d6ea5b8cb42f9bfb054adef5c885d1b7199d39c5cbb1092b7085c
SHA512 9d2157d7e37c4b119c1cdba60a4c389e52abf7987b8b3153fa465fab4e1a30abb3404642b8ce2ddc9bb35d769012c525da6133e503280ec5ac4e90b544891a6c

memory/2568-61-0x0000000004A00000-0x0000000004A01000-memory.dmp

memory/2996-63-0x000001F30DF00000-0x000001F30E000000-memory.dmp

memory/2996-62-0x000001F30DF00000-0x000001F30E000000-memory.dmp

memory/2996-67-0x000001FB0FFC0000-0x000001FB0FFE0000-memory.dmp

memory/2996-96-0x000001FB103D0000-0x000001FB103F0000-memory.dmp

memory/2996-95-0x000001FB0FF80000-0x000001FB0FFA0000-memory.dmp

memory/3972-215-0x00000000048D0000-0x00000000048D1000-memory.dmp

memory/4036-221-0x00000201F1600000-0x00000201F1700000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\2CFNWDLC\microsoft.windows[1].xml

MD5 539db492f33fccee9be530dd0bf34a46
SHA1 650b2a3583d6c9499b4ed73e9a5dca37f342a50e
SHA256 f6d425aad05b46e77b53e5737c85f4ceab6531e773ea87eb985754be5ec19999
SHA512 9328f2fa286b4a9ca6ae57ddd9fca0b1140e5f68a5e143fd8ae6ea212a1af5d7b6b2289c324fa9480ca8d2e6d3b0cf7115611a56a3a161c5ad2f988f6ae62a0a

memory/4036-226-0x00000201F2760000-0x00000201F2780000-memory.dmp

memory/4036-261-0x00000201F2AA0000-0x00000201F2AC0000-memory.dmp

memory/4036-260-0x00000201F2720000-0x00000201F2740000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 37f660dd4b6ddf23bc37f5c823d1c33a
SHA1 1c35538aa307a3e09d15519df6ace99674ae428b
SHA256 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
SHA512 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

\??\pipe\LOCAL\crashpad_4264_LZFDFUKCIBMYRRVH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d7cb450b1315c63b1d5d89d98ba22da5
SHA1 694005cd9e1a4c54e0b83d0598a8a0c089df1556
SHA256 38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
SHA512 df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2fe117e6141514e2fc582310b6d90cea
SHA1 711ce9b568cd7854ad034892abdedaff040eab0c
SHA256 8b1dd9a0ddee1574f35d4dfc83283a4e20a35d52b900a27b9b4c9ed5e594586d
SHA512 502b74137dcaeec018a9cb74910d625d34742067470c44f738f9aaec554178a3a26d1379db63062dc3b03d7b23392ae712dfd2c37c593904d7ab771d216d03d1

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

MD5 e93f16fce6817bf2f30a2777ef20e168
SHA1 5bb713ae587a51841dc29d7adc6ef1da72a23da2
SHA256 738c60f80c5d9be58cccd02f59c845f5a5206340f5769b46f2adee8971aff59d
SHA512 520b6440a05f8fe3addab737aa9cdc870861d84400fbbdc133448d3adeade73f260fa99e44501178ee6cbc415ad4be83a74c25701fbd1b70d1e4028852cfd798

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

MD5 1585c4c0ffdb55b2a4fdc0b0f5c317be
SHA1 aac0e0f12332063c75c690458b2cfe5acb800d0a
SHA256 18a1cfc3b339903a71e6a68791cde83fca626a4c1a22be5cb7755c9f2343e2a5
SHA512 7021ed87f0c97edc3a8ff838202fa444841eafcbfa4e00e722b723393a1ac679279aa744e8edde237a05be6060527a0c7e64a36148bd2d1316d5589d78d08e23

memory/5760-405-0x00000000048A0000-0x00000000048A1000-memory.dmp

memory/5248-408-0x000001C7C8020000-0x000001C7C8120000-memory.dmp

memory/5248-412-0x000001C7C9180000-0x000001C7C91A0000-memory.dmp

memory/5248-432-0x000001C7C9550000-0x000001C7C9570000-memory.dmp

memory/5248-421-0x000001C7C9140000-0x000001C7C9160000-memory.dmp

memory/5248-407-0x000001C7C8020000-0x000001C7C8120000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133733565442631953.txt

MD5 817e51e31d518bddc95109aae663f051
SHA1 14daa2bb26459607279536e8a60ab1486ac2ff15
SHA256 55adc589f944b87d60034a6ed88b5497ae50eab5f107ff0397b81df0a753bdc1
SHA512 3e87831779d69af246c6866110424ae192cd0198ba70ac9dd20fc6758b49238fdfe938cf537540237c2a252ce1e4c77412fd430c68ae203e3a59a6bb206d20c8

memory/5032-569-0x0000000004500000-0x0000000004501000-memory.dmp

memory/3736-573-0x00000199A5320000-0x00000199A5420000-memory.dmp

memory/3736-596-0x00000199A6850000-0x00000199A6870000-memory.dmp

memory/3736-586-0x00000199A6440000-0x00000199A6460000-memory.dmp

memory/3736-578-0x00000199A6480000-0x00000199A64A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 dea2ace6c87cd3565eae649af70078a1
SHA1 849f3b0e408e8c31e18d534324838e32c1dc74c4
SHA256 dd0c92eb77cbe70a0efe3710b1a49a415d51df669dddc4ea62c2776abcd210df
SHA512 b438494f05a5b6f80dc116e5a42ac6a79b92cf8cad818986d5118dc112c44782e2975507fc8b7c01c449c4b9acbc2a88996a3118ee82aab908756187cc6428ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 fc7f60e23c5e6d83cd789301c80f299e
SHA1 2ac7615b4a5666379b281c859df60f0d621cb37d
SHA256 f0bfcfec8d07334ffcc53898b98dd720b54d6e1c67e2837edb35e82fcc864f5d
SHA512 dae2039287142084e68ac8864107317e765270f88d8940ec0018308728ec9e73b00be984b16bd9c520781e566a74f95b989d0e7b4c45f5be4e1a983e9b0aa194

memory/5760-755-0x0000000004D10000-0x0000000004D11000-memory.dmp

memory/5188-759-0x0000020133500000-0x0000020133600000-memory.dmp

memory/5188-762-0x0000020134400000-0x0000020134420000-memory.dmp

memory/5188-782-0x00000201349E0000-0x0000020134A00000-memory.dmp

memory/5188-774-0x00000201343C0000-0x00000201343E0000-memory.dmp

memory/5188-758-0x0000020133500000-0x0000020133600000-memory.dmp

memory/5188-757-0x0000020133500000-0x0000020133600000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c622653fdb75640907dc0db2dab6316b
SHA1 653c6e69e358d8638d1a3023d8ba13540da48843
SHA256 aa16a38f3d79e2d29308339e6c68de6e5656c7891ffbe57b12dae6a122d98be6
SHA512 7974862524334bb5dc0886620d929e8740aa6c03dc6e902b90cba6f31eb60004d60b07e6cfd66f7bfc7b7268baeb1a2dfaa438ef959f8d30b83f98178b9827cc

memory/5308-921-0x0000000000910000-0x0000000000911000-memory.dmp

memory/3684-929-0x0000027BF1250000-0x0000027BF1270000-memory.dmp

memory/3684-960-0x0000027BF1620000-0x0000027BF1640000-memory.dmp

memory/3684-953-0x0000027BF1210000-0x0000027BF1230000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

MD5 87c2b09a983584b04a63f3ff44064d64
SHA1 8796d5ef1ad1196309ef582cecef3ab95db27043
SHA256 d4a4a801c412a8324a19f21511a7880815b373628e66016bc1785a5a85e0afb0
SHA512 df1f0d6f5f53306887b0b16364651bda9cdc28b8ea74b2d46b2530c6772a724422b33bbdcd7c33d724d2fd4a973e1e9dbc4b654c9c53981386c341620c337067

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 2f6f1f80c4ed1fd57f214bf40a885a57
SHA1 0287e82d5044c01ea99f69ab02673fe8262bb9b4
SHA256 422596b36956a2800b4dbdc3c81acc6e960c73bbc373653a471d713ff7098d68
SHA512 06fc97aa33a16b411d601f61b308c5e34f984eeb10acb752dc909b591feac285c4ab313571c70e70d2a81441bac1fde4272fd4536fc2f13ffd683d8efcc90129

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 98b4d5be3ba8189aa1bad236a156fe15
SHA1 0a4faf083e8033a49d90d9b0c84bb4b152036756
SHA256 2fa65a392e38e5ea8919969db3c72f26130a6b17998879158a5d75354886400f
SHA512 f6fbd1ee8768f804c382c7b680b4efee19fd2ebcd114850f858d518e80c1b401e94c054df38d643c1f7872702f02359263dad3ccb006c719ad3ed6168f465256

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584958.TMP

MD5 5fcdcf65e7df950974411f82cbe6b7c2
SHA1 bbb153756d885d2d27ec3aa4f054131170a30831
SHA256 2434472a7b331ba159c385c4f12b5736e9200a78a547b0451d25d76152d11fe8
SHA512 a0f111454b4e58f32b0022bc2940e3e018a61261549eb326f3c6dfac78aea8debab36b6cb2ba3bdf863b349a77cf1c1a2bbbb21b9417f8cffbb021333629e6c6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 31467e2cf80f1dd4a8cf7065146b1cb8
SHA1 ab40870ff702a149ddf2ec6bb0f72d0593204669
SHA256 9931d63184c3a508ec82c5e13d889bc8611dfc0fb03684c625e6aa730e967c32
SHA512 dfdaf2e09653fdacaace2480f608ceeea8cf2960b9cdfad1102abd1dc4faee3311cc43cca093c3133222e3cb39d2015f8b97855b329692c667d6a08d310c8bc8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 724bc189bd30fc50c2f1e9a260b31425
SHA1 43e11a80c741445f72db31925dc158652d7a3218
SHA256 984c4cdab121a5be95fe3befc8b924875e6ce57be455bda046cce01e27206687
SHA512 525b867528f3061224d9221ad905102fd018d0cce096f15c7dffca72ade1b5901c1b570778eaeb502da5ed7a1ac67491746fca68c2736d56092e94f36747d11c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a7c40c460738c5c7d19e39f98e50e3a6
SHA1 b72a68d4e927ad26de3c1c8106f802cb292a505f
SHA256 fbdc1ba615d56437ad682329aad309eff345d1097027898e9b2ded0008f00f39
SHA512 4c53b4fb1f76788ada1a63870d58762bccd80ebb760cc21570c871a9a5d1bd1f2248fe90a33d0327f91cb8bee4f1abe6c56e50d29260cc72099ec44adc1db70a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6b44fff9156a18c4_0

MD5 ce2b989a38ce66533a855d5a1fe82381
SHA1 45385c6b32324611485235a36eef272125136421
SHA256 d1232c3093b516b5eebe589f63ee5f0e51c66e054471c23cf2a43fc56cdbfc17
SHA512 df9b4d5d32c5ad2eaa9f212f024006510b9887057db0a6c55eef4e6f05a50a87b7c639c62f08d311cddd4824e81386f1372021fb791ddbbb53e6345a5f482925

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\674dc55c641aa82f_0

MD5 0c967b1203fd7d47ac31571b930c87e1
SHA1 80769af2c3395abca0d3f3a9a914b69f73ea6ed4
SHA256 e1bc47e9d9b09535d952afeb87c8778d5ec0c42e9f5b89e5ad87be2c370d830a
SHA512 787bc969088acf71f7dab1b853c642426b3496a0b9aa139e1ffd38377c3182f8f4c6fc160291a4bb6f1b924890957201c648852190cb7aae508fdfd351890dfe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d001f5afe0e49bce542620933b1d4203
SHA1 5bf9173a383273b0261b68e0e659923e7d8fcef3
SHA256 c381fb14f0e2a8e02dd640e9ef6d1152a35dce8956c6400cd830feb138759a16
SHA512 73854d5b70ec24ff558e3159cd5e237ddb4d4ed52fb4572c3d8aea47468609aa8587d5b4109600693a72188082e7f02212cdc36f387173f648cacfad3a1f80e5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 a6f96f87a8b9c11993f2b1bb859f006a
SHA1 e5834fe7c8c39b565e0a4ad706fcbebfd6706258
SHA256 b3adb9436c9c005a3803a4b3450c680395b20dee2a6aeaa4e718cf535e78a7f2
SHA512 95a95a3f8ba2f620bf535fac20a534f9157837620e28ae1d2edc71bc1593fd50615a4f483cbbca5f498a978bffdc5ac8b7f2ddafd068b2c023f14d9c51b7a8c4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 ee71a3a0ce093d2bcbb2df251005ddc2
SHA1 b88319ffe542ab26bdd59c5a521154b3750b1e99
SHA256 e9a7ea04e3827a9011122e99074a0c19ccd3d7b8a2f81ebe3a91727a1f6520ea
SHA512 d8c3d476920217a47cc4a76907770fe10e4ead8cfc559544fbf09ab13b214802b88081067f109dc00528846c5df83b32da5161da36f8e94f308b2cd13834d4e4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 6621b82a6885f7b18d6fd867d27fb64c
SHA1 00ad5559a400979c8a9b45730a31b7227a0716a0
SHA256 b6e8dc3e55f28a887c5651d1c64e9c7a4c61b96add339720b38cc13663db4e3b
SHA512 392e872d0e6c032a0074d813c38a8c7c02a8a38af7ef0727ce246884fa65a9ccfad24b496e1bcbec667d79ebb5ba4b62be7debf1193d0675cb6a0e5fe2d39d28

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 cbf311f5b4661f50542abb80e6c7e721
SHA1 9b58bf970b8cd5c4afa13076f929f942453ff02d
SHA256 ebaf1ecc5381f5ed187300616453adb8facbee07c2d09db98b14102b3aaa5d51
SHA512 36d37f7808d7bd4e3f3bc1eadb67e30fbcd1a9f999146e8aec56e308df096bacd859ca0d5443595ac92279c9fe127da1b09653d56c9f9729077038d92424fcdc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

MD5 97244a4b866e404446dc139016cf23fc
SHA1 54b2c9d1498907d75c6722b145729361b2353f47
SHA256 2fb7c27a7ff245726c6d886d5342cbd81ebb451c0dcd9a231af2252e8952ffac
SHA512 aede88d704c2bc0210189880d4260b9e35a9081eb21c51409048287ff35fa88aeecb036661baff2605419897ab644a4fc8e7fcfd93c14096d5e91503f5a4fc65

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 827d0f3e7e8a6d9f3170812d1b009dfb
SHA1 58ef04591d54373a999f5afa0c0cb18593453c03
SHA256 4d3cbbe1665e8f1b4bf3f36a7d4bb240c17fa1448368fef276aa0e058815efbc
SHA512 f399a99dbadd7271171918efb53c8f3a6e4b437e867c0edcffbb81d580fffdb3c450b8cab3751ef59911f238609502f90ad2a7d9fea42a67b29d52d59b5f4481

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 87860880aa947ba58fdaac5bce300c93
SHA1 3d8fb49ea423f64afb1813c9a9b55a2522887e5b
SHA256 117c6ffa9d5da17cd3c22f170e932abb0a2ea669950d4f4c3ea5371a55b1f60e
SHA512 365728f69e27e48a412d75b22eb3e5d5864f5c6a70fe09212feac09c9f4bddd0ddc03e4afa1b8648231b05d6a673e8bd8c5d68f64725b5e9d4cf05cee2107819

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 4ac0874a5923bea7c8f2b00d922baabd
SHA1 ff3adebbdb88b3c69690c6cf732a420d3c7d58e5
SHA256 5568f50e192089f17c842988b5006d0bd46841e61ba3aff3674cf743b43b132c
SHA512 22bebf0d8618378a64129887e93177acbff13dfde0af64f8a36ccba16f8ca834d0b8e156b11f06c6fa0f9b0aecb22f28eccf196a725df4742354fac3dc17ee79

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 4fb3af51b4327b09699330472bfff5c7
SHA1 7162b4894eb69be0ecbe3d7943494162aeb3c40d
SHA256 8455e60973f27e8bfa8c3894853e8120122a16731f879a5b5652a172ab5cb0cd
SHA512 5b7b7ceb4adcd86cf54d7e0fe5b1bca3559c3fac5cc1c607b26dd5c5768f1d19ad48e0952dc3d131275d60b9f5ceb370657f1b889c9e8f4778ce14b2efa6332f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ac650e04a0ed1e200b1cb4b70100cc05
SHA1 f8d02edffe85f84873940910b4ff5fb9352d6586
SHA256 0ffc9b77150f588336cfb5c349e550a82dff4971fba151f4d56bbd1b7c6e6a45
SHA512 effe913d630e7c30ea9d94fee6201d5df18ee6042523339f5d6cbfe5af2057375b43b488bda9760002ceabf57c9c8d994ddd73b38c3c46dbd8113d0ba2cae76a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a1676e6f1ffb7b8d8de40f907c24b9bc
SHA1 758bf4b1dca37792c49ddaa6ea162bb0561a0209
SHA256 782de58e67614239fc8192b2c5755894e3983f42099153443d5bf540e95b3f46
SHA512 a94ebf2cfc21690e3616efc97d0eede3d5c3382ee3044a843539bddc83d38f498648712767a0817278f9388c40d0681919a9d13362eebcf349387d4bffc12396

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 1812e60bea825dd499cc48327e60ac5f
SHA1 cb0aea47ec9d7cc55e9b33049c209d69537c7299
SHA256 cf0ed65240b0bee02c76929a7c24468fbd74cb9ee28c5444d683fcfbf3a303c7
SHA512 c0ec22b5b9d490c3b3508d11b2719ea831afb3487b881d66f169219f0ccf77480e31642d5c1f47f64c6baa8134f84222e0129a4a61540fde88827ae9b6d5ee1e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe594608.TMP

MD5 a67bab0cbf8822fed8c99a8e94bc6812
SHA1 1c07203f39f56948e2ba3f643a2e1e8777a7f084
SHA256 ae735cb96b7c7aa2eab7d9433e10f20c897841eba7eea66d92dfd32e88ccfd55
SHA512 e5249870856e7995a022ff47aca5abac5de9da18f54d93b9007748bb6d9fd906efb8559a4b4853920ba5025889b9bec178fef87a854c315189717a7115f391a2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\d605ceb3-c184-447e-8059-5103b3675bc7.dmp

MD5 4a380a456e614c5deb96a7ec74218409
SHA1 be5835a782f52328649565af21b9f2c6f41c1eec
SHA256 9b19ffeefd18f244a2eb355b8fa2c2a1cc6154f2da3acf67f2ab891a3adcf92b
SHA512 127c5455ae682b80afa28b03223bd9b92761740c14d36040cd077016256088f589777c78d1e36af32c27553a80a176cf871783677200abc49c04702f937e0cb3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e36dd8f6-9d5a-4a6a-b38f-0e03affd4315\index-dir\the-real-index

MD5 fca32214e1dbb3560f4f749dd6464301
SHA1 460dbea14b9fc808b95662d228ed3235815886aa
SHA256 72c5b8147c477c9c7920f64f25ceeb60b3b523a9f6722b1a8747600aeeec229c
SHA512 a679e8a3077d0204c496579d6c7ec85904773d10f9d7c37fb8ed14c2ed7d499e1deaf3f0669c0e63f850bc4b403a2bd1f2ad87cffda8759ce902574d6f1457fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e36dd8f6-9d5a-4a6a-b38f-0e03affd4315\index-dir\the-real-index~RFe596141.TMP

MD5 92711235d829b9f84cb33c7662b5a215
SHA1 e815ac1ab352808ebc96e29b538da3a96a58b6b0
SHA256 3cc750a6bf18f99617a87623c7e10f98d964926055ee71599882b9e3127f9843
SHA512 bf41f788c636cd196d44afbf00f7ebfb4d1194627082bfd3107f24dbcac955baca3f54def9769e75f87f103117eb61c159e8b4f5a35c81ad61fb17ccc914aeca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 bc3fba5965dda9592338a4788e276c17
SHA1 7fe90e5fedb0b5cafd3dfcf35dd9b0f4f31a50b5
SHA256 2a7ee147de046c150da11bb2288994d591289c2addd37633539b3757997ca7a4
SHA512 9ae158d503a7ce2325651f53ddda9a00cca83dd3434fe2e5ebf913fd9e114a5b50613473e51e23b2c01e7eb5e858a043027ae1c30bc78aeadb4eaf62b700a383