Analysis Overview
Threat Level: Likely malicious
The file https://github.com/pankoza2-pl/malwaredatabase-old was found to be: Likely malicious.
Malicious Activity Summary
Possible privilege escalation attempt
Downloads MZ/PE file
Disables Task Manager via registry modification
Modifies file permissions
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Writes to the Master Boot Record (MBR)
Modifies boot configuration data using bcdedit
Enumerates connected drives
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies registry class
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Kills process with taskkill
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-14 07:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-14 07:47
Reported
2024-10-14 07:49
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Disables Task Manager via registry modification
Downloads MZ/PE file
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\Win8.Horror.Destructive 1.0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Win8.Horror.Destructive 1.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\438C.tmp\TrashMBR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\438C.tmp\HorrorGui.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\A: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\WScript.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\WScript.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\438C.tmp\TrashMBR.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\438C.tmp\TrashMBR.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\438C.tmp\HorrorGui.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Win8.Horror.Destructive 1.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 60212.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WScript.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WScript.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Win8.Horror.Destructive 1.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\438C.tmp\HorrorGui.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0a8746f8,0x7ffc0a874708,0x7ffc0a874718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4680 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6116 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
C:\Users\Admin\Downloads\Win8.Horror.Destructive 1.0.exe
"C:\Users\Admin\Downloads\Win8.Horror.Destructive 1.0.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\438C.tmp\438D.tmp\438E.vbs //Nologo
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\438C.tmp\Horror8.bat" "
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\bcdedit.exe
bcdedit /delete {current}
C:\Users\Admin\AppData\Local\Temp\438C.tmp\TrashMBR.exe
TrashMBR.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\system32\taskmgr.exe
C:\Windows\system32\icacls.exe
icacls C:\Windows\system32\taskmgr.exe /grant Admin:F
C:\Windows\system32\icacls.exe
icacls C:\Windows\system32\taskmgr.exe /grant "everyone":F
C:\Windows\system32\taskkill.exe
taskkill /f /im logonui.exe
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\system32\logonui.exe
C:\Windows\system32\icacls.exe
icacls C:\Windows\system32\logonui.exe /grant Admin:F
C:\Windows\system32\icacls.exe
icacls C:\Windows\system32\logonui.exe /grant "everyone":F
C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\explorer.exe
C:\Windows\system32\icacls.exe
icacls C:\Windows\explorer.exe /grant Admin:F
C:\Windows\system32\icacls.exe
icacls C:\Windows\explorer.exe /grant "everyone":F
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\438C.tmp\music.vbs"
C:\Users\Admin\AppData\Local\Temp\438C.tmp\HorrorGui.exe
HorrorGui.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500 0x2f4
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wininit.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wininit.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wininit.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wininit.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wininit.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wininit.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wininit.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wininit.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wininit.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wininit.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wininit.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wininit.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wininit.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wininit.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wininit.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wininit.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wininit.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wininit.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im wininit.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,6200551882998235220,5271982580265869737,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5024 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.111.133:443 | avatars.githubusercontent.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 140.82.112.21:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 140.82.112.21:443 | collector.github.com | tcp |
| US | 140.82.112.21:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | 21.112.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e443ee4336fcf13c698b8ab5f3c173d0 |
| SHA1 | 9bf70b16f03820cbe3158e1f1396b07b8ac9d75a |
| SHA256 | 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b |
| SHA512 | cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd |
\??\pipe\LOCAL\crashpad_1692_EPXUTZSKLVWTJMRY
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 56a4f78e21616a6e19da57228569489b |
| SHA1 | 21bfabbfc294d5f2aa1da825c5590d760483bc76 |
| SHA256 | d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb |
| SHA512 | c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 77c00fa6740e3b28df077c2a0ab1fad3 |
| SHA1 | 4a83d53d20f1321eaf31a59fbfb0f2acf3ecc4fc |
| SHA256 | 8328b05ed4f29480a54c09efe8174dacafd4542682b2e4efcbcc32edcf5e32ff |
| SHA512 | 9de7e37c159d729f3c8db4f74de885f3534f3a990f8f22e022ee3ff1d280c97d644e27d65c047375bde2b38c3c4837fd9da20188344cb759ef3ce30ade796ab5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 409d59929fa3a3f7cb804332de0714be |
| SHA1 | c54f9e9ce40f7cf10da04ef3165cf47ea35bf97c |
| SHA256 | 549877c70613e7077d293b6cce7f30b06ed2dd2737aafdf271a03f2f2590419a |
| SHA512 | a7ae2ae423a20632426f9b098567ed1fb7f8e8c3e58389c9dce8271f6917f372a45767a84cd29d4d0b63f52e0e9ce4ee2d92c0aaef1e570ca9012255e1bba48e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5cb66de64ac9b603f2a464dcf318fead |
| SHA1 | ca25e488f5b3592f12b7e5003843c08940a9afc2 |
| SHA256 | 7bc0adc466136c03fbd9c341a92940339f4883feab811b7d852429b3add03536 |
| SHA512 | 1257320011c59be4e766c2a318032047822c3eae2e9f3b3afc24eb33f01c6b82693b057d375933035e31624012dda109e1276b291b3fe04bf7f712e0660f48a0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 807419ca9a4734feaf8d8563a003b048 |
| SHA1 | a723c7d60a65886ffa068711f1e900ccc85922a6 |
| SHA256 | aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631 |
| SHA512 | f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a22ed3b1f345d9b03d3d74c71825905d |
| SHA1 | 6182cd035e244a0238e13f6367b7f534856b7a7d |
| SHA256 | 01847a9ec3cbd0dd1044be67db2302676a442f6a8872d833f5d0ab17a3d1cc9a |
| SHA512 | 84943580d63bbe4cb81d74ba902d8b52f494a09fb488ad50dba6ffca7040052c893ecb2f5782a480f6d5e320c3dfc74e9c45e11891fc26d17bd9727a2af9045e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c6bb.TMP
| MD5 | 71a8c8a76bd13dae79ab6ea2162b7c80 |
| SHA1 | 50700d645ce8336b99f5aaf640080cd53251a429 |
| SHA256 | e0de0c81e8f2351ad20fa48783f8242d54004e456f2e8cff31f4dae07a9576c2 |
| SHA512 | 0bf69e21c4583596c69a38bd43ce23eca05176f34e0c8666e669d6d968c0bcdd83ea5847b6a3443600e418020bdb7b96e6cb20e5f7050a76ec1be610be4b7dc6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 8e12d30082b5901b9d9d7a1fcc1f4722 |
| SHA1 | e4cdf8ce8fdc8ca9355e8084045ea7bc1420bca5 |
| SHA256 | 6fbf224bbd8629cd1dd645af3945bb1bfe5ccff83aee3a690bdfcc073cbd15ed |
| SHA512 | 275a9540310f56009e4db878c36b0e49369535a8958e0a4bdeade8d8515799d38e520f8eb6f5031c2a678a91dc554464ebf324066a351f80120857f59aa9e8c0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 0004dfc2e14dd6138e9d1a1af29c069c |
| SHA1 | 1f147794355213dfbf5c08df616be334101851c9 |
| SHA256 | d443de4d8324d2e82ef290e571bdae13ad1bce9b4235874ebce4e3125a28c6b2 |
| SHA512 | 771d58d22738bce6d0b93ad789b20fa8b015bc806dddad6bb1fff2cfb79766e3f323392480335754db69e9b695b14644381c0bc0b2cf3095f69a0fe5a46587d2 |
C:\Users\Admin\Downloads\Unconfirmed 60212.crdownload
| MD5 | 846d847d9b1247c57824d5d2601a7faf |
| SHA1 | 2119dccee1e98af31fd193cf38bbfd8614f183bb |
| SHA256 | ba8fa2c240edfc35c3078fcf31b87c0e1af4404dfc1f52e0d5640edb061355fc |
| SHA512 | 8cbad0562c13f997fd2e90e6f3a998cdbd2c207592c1d85e6bcf5c794a65bbf2322355a33c9d1af4f03519447c397e7b34dfea179c30d1a054d32d6031c723ec |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 90a622431f575345897cf77817a995b1 |
| SHA1 | 27f0b4c4a808109f5947a10d0c44eaaf00882757 |
| SHA256 | 83af7d1e3aa2d93d1befe2811a960d782aecf3700e610f4ac2f64d5ff8cb6822 |
| SHA512 | 145d165e75c411b77ede0d3cf9685b50bf1001cd894e0c3b0d0574c1b9b439c65dd5d7a5338a7cbc987e9c075a8ee9dff7c6d0f15c4ad431e683adf39eeb6c99 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 8ba2554452cd898e15235ea600577f90 |
| SHA1 | 82974040b04e3cb34d6a2bc480657bc0e7d79088 |
| SHA256 | 8c7a9f5bf836b768e104fba6ed34f80f6702adf9adf2505320faf04dd19c1a1f |
| SHA512 | 812b0e1efe78aa93de45c63304f685e50b298f819b95994bff0563e642d8f3ed0a9b4d6eabd8139dd9b1904f7daa86f2ed19255a4d688a576b83706fcbfb141c |
C:\Users\Admin\AppData\Local\Temp\438C.tmp\438D.tmp\438E.vbs
| MD5 | 3bafc447cf86b66198f84690cb592adb |
| SHA1 | 5d16e560003b0ca1efa914aa0960fa84dbe1a0a6 |
| SHA256 | b96a442adc718e9e0981b1c3bea2c8172f6c5b2c8c1fecda5c311c95728bafff |
| SHA512 | f0aaef88ff735c8823cf83bf513a95084ccc617aa97bfed8ee86dc1366ae8cef679a7b5bf48116370493e0074fd7f56ce7e5e9f22bfbd8dd6f2f7c8489419700 |
C:\Users\Admin\AppData\Local\Temp\438C.tmp\Horror8.bat
| MD5 | 36fcf85ec52716f5fd8ea625a11c13c6 |
| SHA1 | 60a720249c6bb3617e904445c247487dba96af9c |
| SHA256 | 3aba2d676284209730ff20b28a8415a3c41c88f402301b14437040bf2baebe0c |
| SHA512 | 1ba72a3ea4cf1014f0072184067611448276fff273f803c829d1f6bbeb6dd24c7dca41eada5b78f2ddc7dabadf5c5a66e11cd4f8a5aea31d261a69ef186d09f6 |
C:\Users\Admin\AppData\Local\Temp\438C.tmp\TrashMBR.exe
| MD5 | 87f09f4a202bf9c0adcf6fed942aa703 |
| SHA1 | 96bf11ff017e31ec2242c0024c372628c40cbd4f |
| SHA256 | acf8abe9bd2f61840a247b4796ebedad20f69a85dbdf8a4100f5d7d306b064b1 |
| SHA512 | 85202719aa875b2697ae3082a79a3ca7c1e1be377d6b19f9f159488a5f9d6ec6e9ec35352b067a1bc15546165764acb108c11203bf482ea43684e433717eee58 |
memory/4588-310-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 63d94e9846e570803ecf07d6d8f086f5 |
| SHA1 | d2c6997f90bf62df74867b6c83a2dff8e6bf7a55 |
| SHA256 | b848a82f7fbf217a442db0b47389db16d9040325b5f031d3a0722115a3e5f9d4 |
| SHA512 | 12b7036056049698bcf8b9979dc48dff770c45b6f57747d50920ded43e4f08f02add7c099a4ab2a5f1b3edb6653d0f5843cb45e845c7c916312acb3fa83149c0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | b8fdc8d04b83beb089126efbce00f896 |
| SHA1 | 971ff6e70884b2cdf229be5a0cad066e3bdb085b |
| SHA256 | c3084bc354488bb98cea934da0e3d6a462b574774df7f3b4fe289688acf3ebfe |
| SHA512 | f5f0033e6bc47a723773fb221dbb2d5b684209ffc7a8046e708df1f5cade52b05158d2fc09fdb3867ca1922734f64fc5cb3bb7224da24df348085092385a45fd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3b387466e157315db8e665a9a03417af |
| SHA1 | 32ff587946f4376599289f2558dacf78eb6c2a06 |
| SHA256 | 8b00f139a63a060030c192b67c0fbf934efb13efb618742f33a36b477aa88f7a |
| SHA512 | 211718a1bba3edc66fa39afe65153e7fa3ba706e964c80d5cd5c7038df7a366bb126f99661dc10e797f03cb2ac28d9b919976a2d76837ecde295e5d867f3bdf7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 803bab4a9b5f6aeee90f7b2cd7fcd703 |
| SHA1 | 34621885b73bf45144fcbeefcc2eb40ef6a5832a |
| SHA256 | 82eecaaaee373b018a67d059881abe08c7534f9088a6b107c52861ee082ce24a |
| SHA512 | 55da4f30b766638e46e79d7fd3a7f3458ec07f6795ae0687432e4d9cb9cdbbcd545cd721d5c7495863d13f68ade989d69ec1e0c88c5817f04057917d052aaaa2 |
C:\Users\Admin\AppData\Local\Temp\438C.tmp\music.vbs
| MD5 | 8b703f9c48eb3724348af746e7610061 |
| SHA1 | 599aa1820096e92546ea8d863d46cc49404e19e6 |
| SHA256 | e8cd555c43973e3b2e6fa0e80d602abc3d7c43a17bc51a6d0ba08e20ea3feadd |
| SHA512 | d38e39e3f9ff71f68d3d851b635bcc27939656ec085369652a324d8b0c95042e722a07b0b06a0a25f0f2b51d5ad1addc3174c472bda3f86cbf28376ba4870208 |
C:\Users\Admin\AppData\Local\Temp\438C.tmp\HorrorGui.exe
| MD5 | b2653aa06a2253e8155eb81535b20e6a |
| SHA1 | 0cf61fc537d8d73c71724febd0f1f34a6fddc838 |
| SHA256 | b4e106e22c4d3e51c87d3d5853298210572ab2834f5e2a0beaf1df7d96c57d29 |
| SHA512 | 143694740660ac46f0c6c78903e8378fd402b5338dfb68c3e4a148f6f83036eaea3be6bda160d59ed1c5b52ba235823e284a0564ab9dbedcc3d3a6e40584fd98 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Temp\438C.tmp\clingclang.wav
| MD5 | 1c723b3b9420e04cb8845af8b62a37fa |
| SHA1 | 3331a0f04c851194405eb9a9ff49c76bfa3d4db0 |
| SHA256 | 6831f471ee3363e981e6a1eb0d722f092b33c9b73c91f9f2a9aafa5cb4c56b29 |
| SHA512 | 41f4005ec2a7e0ee8e0e5f52b9d97f25a64a25bb0f00c85c07c643e4e63ea361b4d86733a0cf719b30ea6af225c4fcaca494f22e8e2f73cda9db906c5a0f12ae |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 987a07b978cfe12e4ce45e513ef86619 |
| SHA1 | 22eec9a9b2e83ad33bedc59e3205f86590b7d40c |
| SHA256 | f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8 |
| SHA512 | 39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c330c4a29b48cc00d9bec985495495d8 |
| SHA1 | 363b7072aeafe5e40220fe8a8bf0dbf71350718c |
| SHA256 | 2b49ef9f11a9b9034be544b3ec2a02ff7db592f3fb3d0fe0f70bf7e497d7ee98 |
| SHA512 | 36cc0ad2648f2bef7674968cf194ec6ca26e5d66c255ec26553b58041855525eb89d29dce4e465960e695bcaedcdfead1d208ebd9b4962f7aad1ff71681e5dbd |