Malware Analysis Report

2024-11-13 16:35

Sample ID 241109-qp2abatraz
Target https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe
Tags
dharma infinitylock wannacry warzonerat credential_access defense_evasion discovery execution impact infostealer persistence ransomware rat rezer0 spyware stealer upx worm
score
10/10

Analysis Overview

Threat Level: Known bad

The file https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe was found to be: Known bad.

Malicious Activity Summary

Wannacry family

InfinityLock Ransomware

WarzoneRat, AveMaria

Warzonerat family

Wannacry

Dharma

Modifies WinLogon for persistence

Infinitylock family

Dharma family

Deletes shadow copies

ReZer0 packer

Warzone RAT payload

Renames multiple (487) files with added filename extension

Downloads MZ/PE file

Modifies file permissions

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Credentials from Password Stores: Windows Credential Manager

Checks computer location settings

Drops startup file

Adds Run key to start application

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Blocklisted process makes network request

Enumerates connected drives

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Drops file in System32 directory

Sets desktop wallpaper using registry

Suspicious use of SetThreadContext

UPX packed file

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Browser Information Discovery

Enumerates system info in registry

Checks processor information in registry

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Modifies registry key

Views/modifies file attributes

Uses Volume Shadow Copy WMI provider

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 13:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 13:26

Reported

2024-11-09 13:33

Platform

win10ltsc2021-20241023-en

Max time kernel

355s

Max time network

356s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe

Signatures

Dharma

ransomware dharma

Dharma family

dharma

InfinityLock Ransomware

ransomware infinitylock

Infinitylock family

infinitylock

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" C:\Windows\system32\msiexec.exe N/A

Wannacry

ransomware worm wannacry

Wannacry family

wannacry

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzonerat family

warzonerat

Deletes shadow copies

ransomware defense_evasion impact execution

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A

Renames multiple (487) files with added filename extension

ransomware

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\CoronaVirus.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe.96F17A444683FD4BC4AC5C54BE2D08580ACD3F0467497C5489C62E0E275E5E8D C:\Users\Admin\Downloads\InfinityCrypt.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-CB6A9651.[[email protected]].ncov.96F17A444683FD4BC4AC5C54BE2D08580ACD3F0467497C5489C62E0E275E5E8D C:\Users\Admin\Downloads\InfinityCrypt.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD3AB9.tmp C:\Users\Admin\Downloads\WannaCrypt0r.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta.96F17A444683FD4BC4AC5C54BE2D08580ACD3F0467497C5489C62E0E275E5E8D C:\Users\Admin\Downloads\InfinityCrypt.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD3AC0.tmp C:\Users\Admin\Downloads\WannaCrypt0r.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\InfinityCrypt.exe N/A
N/A N/A C:\Users\Admin\Downloads\InfinityCrypt.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\WannaCrypt0r.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\WannaCrypt0r.exe N/A
N/A N/A C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\Xyeta.exe N/A
N/A N/A C:\Users\Admin\Downloads\Xyeta.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\DesktopPuzzle.exe N/A
N/A N/A C:\Users\Admin\Downloads\taskse.exe N/A
N/A N/A C:\Users\Admin\Downloads\@[email protected] N/A
N/A N/A C:\Users\Admin\Downloads\taskdl.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A
N/A N/A C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A
N/A N/A C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A
N/A N/A C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A
N/A N/A C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A
N/A N/A C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A
N/A N/A C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
N/A N/A C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" C:\Users\Admin\Downloads\CoronaVirus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" C:\Users\Admin\Downloads\CoronaVirus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" C:\Users\Admin\Downloads\CoronaVirus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pdyantnatxy168 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\"" C:\Windows\SysWOW64\reg.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-87863914-780023816-688321450-1000\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-87863914-780023816-688321450-1000\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\Info.hta C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Windows\System32\CoronaVirus.exe C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" C:\Users\Admin\Downloads\WannaCrypt0r.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" C:\Users\Admin\Downloads\@[email protected] N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5768 set thread context of 6004 N/A C:\Users\Admin\Downloads\WarzoneRAT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 6100 set thread context of 5184 N/A C:\Users\Admin\Downloads\WarzoneRAT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-xstate-l2-1-0.dll.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\images\cursors\invalid32x32.gif C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\ReachFramework.resources.dll.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\BUSINESS.ONE.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ul-oob.xrm-ms.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\msipc.dll.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationTypes.resources.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\vlc.mo C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\EdgeWebView.dat.DATA.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationTypes.resources.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected].[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jinfo.exe.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\msdaremr.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODBC.DLL.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\MatchExactly.ps1 C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\vk_swiftshader_icd.json.DATA.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\Microsoft.PackageManagement.resources.dll.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\SmallLogoBeta.png.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceProcess.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\assets_picker-account-addPerson-48.png.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-pl.xrm-ms C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.v11.1.dll.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_SubTrial-ppd.xrm-ms.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libuleaddvaudio_plugin.dll.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\ext\access-bridge-64.jar.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Java\jdk-1.8\lib\jvm.lib.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-ms C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ul-oob.xrm-ms.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_livehttp_plugin.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationProvider.resources.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ValueTuple.dll.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\PresentationUI.resources.dll.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\id.pak C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ppd.xrm-ms.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_description_plugin.dll.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_it.dll.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Concurrent.dll.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\fonts\LucidaBrightItalic.ttf C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail-ul-oob.xrm-ms.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\concrt140.dll.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationClientSideProviders.resources.dll.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libsdp_plugin.dll.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_am.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicelegant.dotx.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Controls.Ribbon.resources.dll C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationProvider.resources.dll.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-synch-l1-1-0.dll.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\j2pkcs11.dll.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\am.pak.id-CB6A9651.[[email protected]].ncov C:\Users\Admin\Downloads\CoronaVirus.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIF058.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEF6A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEF8B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEFCA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEF5A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF173.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5aecb3.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5aecb3.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEECC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEE2D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEE4D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEE7D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF0F5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEDBE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEDFD.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIED5F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{C452D4E2-DE24-48B6-B5C3-ACB240A01606} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Tasks\sys.job C:\Windows\syswow64\MsiExec.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\DesktopPuzzle.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\CoronaVirus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\InfinityCrypt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\@[email protected] N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\WannaCrypt0r.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\taskse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\Xyeta.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Downloads\InfinityCrypt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Downloads\InfinityCrypt.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\25\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-87863914-780023816-688321450-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\THE_HEURISTIC_OF_NORTON_IS_VERY_BAD_AND_PRODUCE:POSITIVES-FALSES C:\Windows\System32\WScript.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\CoronaVirus.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\InfinityCrypt.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\taskse.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4928 wrote to memory of 4964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 4964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 1420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 3328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2372 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffe39d146f8,0x7ffe39d14708,0x7ffe39d14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6a73d5460,0x7ff6a73d5470,0x7ff6a73d5480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6084 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6512 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6500 /prefetch:8

C:\Users\Admin\Downloads\WarzoneRAT.exe

"C:\Users\Admin\Downloads\WarzoneRAT.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1E60.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Users\Admin\Downloads\WarzoneRAT.exe

"C:\Users\Admin\Downloads\WarzoneRAT.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2BAF.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6248 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6372 /prefetch:8

C:\Users\Admin\Downloads\CoronaVirus.exe

"C:\Users\Admin\Downloads\CoronaVirus.exe"

C:\Users\Admin\Downloads\CoronaVirus.exe

"C:\Users\Admin\Downloads\CoronaVirus.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Users\Admin\Downloads\CoronaVirus.exe

"C:\Users\Admin\Downloads\CoronaVirus.exe"

C:\Users\Admin\Downloads\CoronaVirus.exe

"C:\Users\Admin\Downloads\CoronaVirus.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\a9ec42d58944402d8c11ffd6f4a6cc58 /t 11592 /p 11576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6292 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6260 /prefetch:8

C:\Users\Admin\Downloads\InfinityCrypt.exe

"C:\Users\Admin\Downloads\InfinityCrypt.exe"

C:\Users\Admin\Downloads\InfinityCrypt.exe

"C:\Users\Admin\Downloads\InfinityCrypt.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7116 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5956 /prefetch:8

C:\Users\Admin\Downloads\WannaCrypt0r.exe

"C:\Users\Admin\Downloads\WannaCrypt0r.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 250731731158994.bat

C:\Windows\SysWOW64\attrib.exe

attrib +h +s F:\$RECYCLE

C:\Windows\SysWOW64\cscript.exe

cscript.exe //nologo m.vbs

C:\Users\Admin\Downloads\@[email protected]

@[email protected] co

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b @[email protected] vs

C:\Users\Admin\Downloads\@[email protected]

@[email protected] vs

C:\Users\Admin\Downloads\WannaCrypt0r.exe

"C:\Users\Admin\Downloads\WannaCrypt0r.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe

TaskData\Tor\taskhsvc.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1964 /prefetch:8

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@WanaDecryptor@.exe

C:\Users\Admin\Downloads\@WanaDecryptor@.exe

@WanaDecryptor@.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "pdyantnatxy168" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "pdyantnatxy168" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2728 /prefetch:8

C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe

"C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe SETUPEXEDIR=C:\Users\Admin\Downloads\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding CFBF4692FB45DC3FAF9D017FCD32DFAB

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 998ABFEA64427AA8F75600B612E7BB5C E Global\MSI0000

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@WanaDecryptor@.exe

C:\Users\Admin\Downloads\@WanaDecryptor@.exe

@WanaDecryptor@.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1732 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7136 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5060 /prefetch:8

C:\Users\Admin\Downloads\Xyeta.exe

"C:\Users\Admin\Downloads\Xyeta.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 23252 -ip 23252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 23252 -s 484

C:\Users\Admin\Downloads\Xyeta.exe

"C:\Users\Admin\Downloads\Xyeta.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 23796 -ip 23796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 23796 -s 456

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@WanaDecryptor@.exe

C:\Users\Admin\Downloads\@WanaDecryptor@.exe

@WanaDecryptor@.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3736 /prefetch:8

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Carewmr.vbs"

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@WanaDecryptor@.exe

C:\Users\Admin\Downloads\@WanaDecryptor@.exe

@WanaDecryptor@.exe

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.avp.ru/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffe39d146f8,0x7ffe39d14708,0x7ffe39d14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1868 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@WanaDecryptor@.exe

C:\Users\Admin\Downloads\@WanaDecryptor@.exe

@WanaDecryptor@.exe

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,13616296373046309213,12100932006120277714,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5020 /prefetch:8

C:\Users\Admin\Downloads\DesktopPuzzle.exe

"C:\Users\Admin\Downloads\DesktopPuzzle.exe"

C:\Users\Admin\Downloads\taskse.exe

taskse.exe C:\Users\Admin\Downloads\@WanaDecryptor@.exe

C:\Users\Admin\Downloads\@WanaDecryptor@.exe

@WanaDecryptor@.exe

C:\Users\Admin\Downloads\taskdl.exe

taskdl.exe

Network

Country Destination Domain Proto

Files


MD5 84c82835a5d21bbcf75a61706d8ab549
SHA1 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

C:\Users\Admin\Downloads\msg\m_finnish.wnry

MD5 35c2f97eea8819b1caebd23fee732d8f
SHA1 e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA256 1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512 908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

memory/14568-20591-0x0000000010000000-0x0000000010010000-memory.dmp

C:\Users\Admin\Downloads\@[email protected]

MD5 7a2726bb6e6a79fb1d092b7f2b688af0
SHA1 b3effadce8b76aee8cd6ce2eccbb8701797468a2
SHA256 840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5
SHA512 4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 dac07019aec07952364f89c5f9b8390f
SHA1 ae612905164518423d5ee6177bea18d90cd6062e
SHA256 5b37e8454a54b2211b4a117492c174fb2d92e508108758b5671a893d17e562bd
SHA512 7c54158dcefeaa9db4faf76e292dbbef90f40a9bc2552c5185994cce8290c17bdeda84d6f3f5c9c864b9011adb4bc80739258fe9c03235b8467e582ea8ae1484

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 90c81c5f1d7cd9798387c800854d1a29
SHA1 c35f055214fbd1eca8957991c67db4dd752f5223
SHA256 21cc337a2c4d41df77ba15a60fcb063ec453545a9f02bd610c4b4dcdba1fc43e
SHA512 d987867784b21fbc10971a9df4ce89eb789580ae1a73c6af5af212eee060f9593d24fe13431f8315438ce5f44221e0e537ed2f729e5bbaf892d863d8cfd2c182

C:\Users\Admin\Downloads\msg\m_filipino.wnry

MD5 08b9e69b57e4c9b966664f8e1c27ab09
SHA1 2da1025bbbfb3cd308070765fc0893a48e5a85fa
SHA256 d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324
SHA512 966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

memory/25164-20899-0x000000006E2B0000-0x000000006E332000-memory.dmp

memory/25164-20902-0x000000006E150000-0x000000006E172000-memory.dmp

memory/25164-20900-0x000000006DF30000-0x000000006E14C000-memory.dmp

memory/25164-20903-0x0000000000CE0000-0x0000000000FDE000-memory.dmp

memory/25164-20901-0x000000006E180000-0x000000006E202000-memory.dmp

memory/25164-20911-0x000000006E2B0000-0x000000006E332000-memory.dmp

memory/25164-20915-0x000000006E150000-0x000000006E172000-memory.dmp

memory/25164-20916-0x000000006DF30000-0x000000006E14C000-memory.dmp

memory/25164-20914-0x000000006E180000-0x000000006E202000-memory.dmp

memory/25164-20913-0x000000006E210000-0x000000006E287000-memory.dmp

memory/25164-20912-0x000000006E290000-0x000000006E2AC000-memory.dmp

memory/25164-20910-0x0000000000CE0000-0x0000000000FDE000-memory.dmp

C:\Users\Admin\Downloads\Unconfirmed 414076.crdownload

MD5 dbfbf254cfb84d991ac3860105d66fc6
SHA1 893110d8c8451565caa591ddfccf92869f96c242
SHA256 68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c
SHA512 5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d

memory/25164-20934-0x0000000000CE0000-0x0000000000FDE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 9d0308f9bdf1472583d925a836fe33ad
SHA1 b5c86968df81a62ce85b2936931e8f8a4cc54ce9
SHA256 a2d84370b1fda1eb2412b0862d508d48f3b49a763aeb83941535c3b57f357586
SHA512 3aabb1ec438e2638b90d9753215d6de367d5cecb29ca37e0b0a6c5217521d942d261d5f30f1f0a4817b6ef7de6381dc9d64cf140cdee52e3703f0bd88c2ab252

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 eeaa9c81ca8c23d700860a66ccc97abc
SHA1 f8a1f99b5b5ef636116e24fd6198e9264b97971f
SHA256 b83ec983eb684095b4d33e58f2cd647c8c3668a7acbd884adf868ca363a1a2a0
SHA512 246d624e194bc10682f04ed0c77e9902010181dad5c8a07ba5ca507519ccf3c9916d2ffd64beb4a1a9b46adb52ed1a7b1aa8b891beb52f61f172104ec09cae00

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d3edb5a6ba4a1ac663734273d62e6f98
SHA1 ee11a7712ff552de645c65f04439b1c814fbff93
SHA256 5947dd295db08cda3e1acfcb2b1598efd82e680f54332e4230bbe26b2539cb10
SHA512 5136306005eee18854090d2d16206f6dd4b5082d1a4bdd23ae6b0440e14bad029e51a917ccaa08c47eed93f06ca71f2c516d25ade746ad017c3b31aa730f7314

memory/25164-20981-0x0000000000CE0000-0x0000000000FDE000-memory.dmp

memory/25164-20987-0x000000006DF30000-0x000000006E14C000-memory.dmp

C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

MD5 513e8626b6350f4827b311779543a6c8
SHA1 36b6def35cf5c2b5bb80a85126908faf6b144e10
SHA256 0a7fd26d0a17f88d3658f004a261499143f6a27cfce559d1c1050b67e815ed64
SHA512 3861bde831173090feec5d2921dbf9225e06750f709f8ab1dcf99a538e8f8cb1805e61cba5fbd65b7f7280dc647ec47f309fbe5f08679ae2025a78192c2f7181

C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll

MD5 3531cf7755b16d38d5e9e3c43280e7d2
SHA1 19981b17ae35b6e9a0007551e69d3e50aa1afffe
SHA256 76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089
SHA512 7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd

C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi

MD5 27bc9540828c59e1ca1997cf04f6c467
SHA1 bfa6d1ce9d4df8beba2bedf59f86a698de0215f3
SHA256 05c18698c3dc3b2709afd3355ad5b91a60b2121a52e5fcc474e4e47fb8e95e2a
SHA512 a3ae822116cddb52d859de7ffc958541bb47c355a835c5129aade9cc0e5fba3ff25387061deb5b55b5694a535f09fe8669485282eb6e7c818cc7092eb3392848

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{51A137F9-8C8B-479D-9089-ED23EA83C182}.session

MD5 1ad7906f7bf672d09b31792ff8668eb1
SHA1 0bbdafd80d47136b3fdd57df78c220737e13c54f
SHA256 87e58c61ec91ffac33b6bb5ce58d2275b207fe1b7232e3693cc73a5df5f0af0b
SHA512 b8112b9ab5aa5f791017ca8b0c6e955c6e9ed907e60c51fe1367a304d34d3e33b1e3f8f973201aea67e82f5e6daac9e46fde54265b05de0630f223022e1f2e01

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{51A137F9-8C8B-479D-9089-ED23EA83C182}.session

MD5 e6756a2a37abd7cdb26ee14933adc48d
SHA1 41dadc2dbedc6b83d8fa8f97636a121127dd054c
SHA256 f88d636ea3d4ed7a81a08c906f926f6267de3eabe22c6e3cc3d642bff25ea7a0
SHA512 2039027d6968b44e50b0f073ec2c9274c473d75e64246b32d980f3056854ae0b894e1fe27b34740836d3580e53234522b2ad0c1d1b7be5b7f4e3e2300306cfde

C:\Windows\Installer\MSIEE4D.tmp

MD5 d552dd4108b5665d306b4a8bd6083dde
SHA1 dae55ccba7adb6690b27fa9623eeeed7a57f8da1
SHA256 a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5
SHA512 e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

MD5 b63ae27ca6d659218403cbc512222146
SHA1 47b676d4070fe7d57a8baa58d7fbbcf24fdb5436
SHA256 ccf6273b471c33561ea703585b07c6f768b1fcf22df1667f6df410761862073a
SHA512 6f5e9dc08350631f126d282338836c5fd0d2a2a67798fecfd729a924f955c4da785865627cd00dc9ddc78b2b0594a6a122ecce5ba4534786dd3335b14de650bb

C:\Windows\Installer\MSIEE7D.tmp

MD5 4083cb0f45a747d8e8ab0d3e060616f2
SHA1 dcec8efa7a15fa432af2ea0445c4b346fef2a4d6
SHA256 252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a
SHA512 26f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133

C:\Config.Msi\e5aecb6.rbs

MD5 884dca083be692907f1e6f3a1742777a
SHA1 f82a96010c2d224ec81f9743d279baa52c7032bc
SHA256 d1f75b4fef5a7e9d44a18420203e78f2f516355daa9e41953b012bed81868c31
SHA512 087da4889e34e325bce018bc658a2b2bf98f6abc57e5712c3b18ed9282b5d74f27762e59c634c2075c4f7a82f6a79d152a64c379d02bcc2dab4b59888fc28e8d

C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini

MD5 79c94f5a5baa774f6414aa11522413be
SHA1 7870b8e0247bd8866fbf3acdb9b3186b8ab70b63
SHA256 6eb58afd8f40ff6e5d2e29d41f4c62d1c10917a319e0d5d3793f0f1db47d7cda
SHA512 da9bf38d508214f6f279ca5051f93544615480ab49d72ee248185a30fe0a8ec61117ff520cabd34343956582ee49266a9db4dc29f5c0afb4e94c7d24c2e7b941

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

MD5 c5392c3a1c15582789aa975c5795d730
SHA1 1b3ab57cd3d57c7a245212393d32f8933b7e4ca9
SHA256 48ec23f96b1946bd0cb9a8a0341e703ac28f69179f748498f49186acb8db9c8d
SHA512 d05f6dac0cd92466f2ff0be511eb3e50c0a2685c5de12eee6d7fc74ce98781a98a1f7a2250f8ceec95d84178305ca824048b14f770c747877b4b47c64095f492

C:\Users\Admin\Downloads\Unconfirmed 470546.crdownload

MD5 9d15a3b314600b4c08682b0202700ee7
SHA1 208e79cdb96328d5929248bb8a4dd622cf0684d1
SHA256 3ab3833e31e4083026421c641304369acfd31b957b78af81f3c6ef4968ef0e15
SHA512 9916397b782aaafa68eb6a781ea9a0db27f914035dd586142c818ccbd7e69036896767bedba97489d5100de262a554cf14bcdf4a24edda2c5d37217b265398d3

memory/23252-21360-0x0000000000400000-0x000000000044F000-memory.dmp

memory/23252-21362-0x0000000000400000-0x000000000044F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 de2702523db7a8bd3fd8020b4e31caf6
SHA1 32e44799542385d3087f568379c45856cca35d1e
SHA256 687a2f20a5d1938541f6e004c7b1f81558f718a293ab2f637a734b19d9f75b3f
SHA512 e44a07e278d4c27b93e74a090ce37dca819162dd30040c438475d8dc80037aec31eb5f8836e8631e0b02868c653718e004911ffd40f744124378480011d3719b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ddbc58239a22aa6da5ba9e1c3f1352fc
SHA1 f4ef6501ef1700f7a48e7d863f749f03e5d5d7ea
SHA256 6ba64517e2ddf1e784338669745e5876a0253a4bee3d50794df343b372368334
SHA512 9c79b24fb6cec92f52436d9306dde0612fb6db45c80ce6427b84b6d6308d13b808c37a6e058f0e8195e5c562c4f591444e7a08c4101b0eb192bb1b8ba509e26e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e9ef8532900657f163f3e4f87fa47819
SHA1 997a108a4e87afec4fde9877a0acb890a3268938
SHA256 6e9da05719d8894c0e0e520c951507f08918c95a739b821ac1592343a53c2b86
SHA512 32821b3b85936e54c93fab156e805d4991187bf26882eaada98ad22780b2718e1118b627a9c6f228d3db970d39c562a48446d196b9774e79eae3e3b0ebe16faf

memory/23796-21399-0x0000000000400000-0x000000000044F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 6bb489889eea2c94dac94ce43987ac00
SHA1 ab6371ec4ea91bd7411723d0e895f95df3ac1df5
SHA256 a241c8d97fa731a27eafd9fecf0e98abb3bd2e7bfa60b39c6375e4da96250050
SHA512 071fa0eaf36aaadda5c3f5ceee0c9f9bccc51ecfcc90428d719903c31b872c840753f983a69200179026de07779894b7dc610a169b0eff758cf75957e8cd5e75

C:\Users\Admin\Downloads\Unconfirmed 351168.crdownload

MD5 0eeb59abb53bb2aef4fa819f8437a643
SHA1 14e9b3223662b5d74aca26edffb4eea27e8c6f23
SHA256 2f5d32b3f1990ed53857aba65bc428a3fa33d231c1c059b8a8b2ed09076ad607
SHA512 6397bac318d90a008f54b62410dfd797234be83f8bff8b33392427442885d50f498c40ee0eee97f7272100de68ae917af95d3e75d1902f5fe6ae1b8a14c8b6e3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 24b0198230b0a3d55c6ffeffa2e185dd
SHA1 ff46063ea923a60a67e270efed277ea39c330c06
SHA256 a1608b06cbf44dce41e87464d7c27a4d99a7e34078fe90f88888987431b09151
SHA512 11be611b516494c6c05464e1161131d3d79a618b1df247354812667eca355d44892a4581b2c86a2d6feb4eb0a4a81c099504e90cae6486c042cd6ebed9c7c903

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7a27dae88e166a82956bb8c7ecddfb5c
SHA1 7a94d2d52ff86c3ce490d0cda71c760ec98536d4
SHA256 2d7bd023a2b78a909867d2f88b0f2cd70592ba53106b867531e601325c98d5ac
SHA512 c9573ba0a02a80ae6c674b2df62bd7cc44fb53d7d68777999c74f0aa5505f53a3cbe09a3c15d9a00a194a815f44d3c55242abd56fbb7a7f8881f11c6097741f4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 acce09ec94e30c50a6ac3f1c6a436ec5
SHA1 659ccedd9d7f451dfa66297b85e7a42a5d9ff2aa
SHA256 eb18b548e0bbbba99213b994a43f2dc5611c567eb56a216da5c4f54afc0ba239
SHA512 59653720bebb2fe5816e63b7aa11f8d4a2c2b8596e2f0e6ce400a0500e4b8638a5d761135bac2e560b2b0cfdc8d23f5631b5516969c59d9079fca47ab3c72492

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 65927f2378cb603f3a54f73d1c190af7
SHA1 e4a4a40d1e4671bde2a9e441ae095467b73a521d
SHA256 05518203b7bf832110418876d2d984542d683b8704c3cddab5aff1b2e21d9b54
SHA512 49aa979b18b170733ab89bc0499aea4f7c238b85bbd8913a533580e0ac91015c1b1271bcdd5667cac6f33aa48595407966e6faf09ece033223756e58d5b8ae4b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f792edc3683beb10582612d9b7de0f43
SHA1 49b3a4974bad45685f7d45b52102d849e6e7a523
SHA256 67c912c91ebc14ab255595d2d3b712bcd5d13ef66efd14fc8bd210bc8e4cb21f
SHA512 1f0788afdcc1ab18369e84e2252a14b029572064e757ed099fe76855d1a0e1d95382483b7e26b2df4ad6e98a6dec8c56c58205f3f4f70a1272069d10673a3eb0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 55d596ff83ba39c7610655f9db3c5ed9
SHA1 68009a6a8b607eecfe3e88e6c2d313ff0b004be0
SHA256 d49953cc315150ae14c1ba9726f9ae3b12ec4cba9b59e5d17d02b18fdaeff154
SHA512 49ce5ae4d4b2ab8229a6a18c303672b9f443ef33c0ec27ab6e2c9efd609b94990d77808a7c2ad71e8c2da09195748df48ccb7a0736fece1a02975e635ebe5dc4

C:\Users\Admin\Downloads\Unconfirmed 976631.crdownload

MD5 2f8f6e90ca211d7ef5f6cf3c995a40e7
SHA1 f8940f280c81273b11a20d4bfb43715155f6e122
SHA256 1f5a26f24a2bfdd301008f0cc51a6c3762f41b926f974c814f1ecaa4cb28e5e6
SHA512 2b38475550edee5519e33bd18fea510ad73345a27c20f6457710498d34e3d0cf05b0f96f32d018e7dc154a6f2232ea7e3145fd0ed5fb498f9e4702a4be1bb9c8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 86421c659787af772e311a1b6261e97b
SHA1 d2d4717fe1dc52f879b733cb642b87cd4603639b
SHA256 0b9758f401bf7d7a29a72275b1cabacd488316c1bffc1d6acd4812d1b2e69f18
SHA512 6b86e4d76eae87c2ef7439f3466e346e3863dbc9add6613c1e6220d07cf4aaa9b2b84ca5ff1004d30c888b1b6a55a99ced12f703a5cfbd7c4f132fe1e21f8691

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d4c8fcbe9476fe1d46da15bcb56fd50a
SHA1 19b01a38da119c2c1f36df7d43c2a628d7ddb6ee
SHA256 ba50daba2dce020e0e8b64ce418f9a4aeb08dc3b4f82802c914a3685f0ce7d2b
SHA512 6c895e50b759e4d7809b447080bd82404837c55776b9e411901218f45d231bc110cb0b0a549dca8431d9fe0052d1b73b8d09a6db39755c43bb4160271017f492

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d6d022411dfad52da1db659571d16c35
SHA1 e9421d2a5eba2f3b8e4ca942be7903391b381f54
SHA256 bcfedbaf310900cc5d3a9a10ebeba4bfd5e4727441d49b6e23f071e8128b351b
SHA512 84a9888bc34a04c7e388f82817081b6ba3b76f00859f2cc7bdb1a938057c2145d766c396298e7ea5d784120109ec41fa148fc0f80b35f33dc2932f7b8dfcc919