Malware Analysis Report

2025-01-18 16:06

Sample ID 241127-trbn8a1kcs
Target sample
SHA256 4ca41a640085e2ca954e641790ed976dfe97e35e68a01c6a6b0bcbf92ec2141a
Tags
crimsonrat warzonerat discovery evasion execution infostealer persistence ransomware rat rezer0
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4ca41a640085e2ca954e641790ed976dfe97e35e68a01c6a6b0bcbf92ec2141a

Threat Level: Known bad

The file sample was found to be: Known bad.

Malicious Activity Summary

crimsonrat warzonerat discovery evasion execution infostealer persistence ransomware rat rezer0

Warzonerat family

CrimsonRAT main payload

CrimsonRat

Crimsonrat family

WarzoneRat, AveMaria

ReZer0 packer

Warzone RAT payload

Disables Task Manager via registry modification

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Modifies WinLogon

Enumerates connected drives

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Sets desktop wallpaper using registry

Drops file in Program Files directory

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Command and Scripting Interpreter: JavaScript

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy WMI provider

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies data under HKEY_USERS

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-27 16:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-27 16:17

Reported

2024-11-27 16:19

Platform

win10ltsc2021-20241023-en

Max time kernel

141s

Max time network

144s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js

Signatures

CrimsonRAT main payload

Description Indicator Process Target
N/A N/A N/A N/A

CrimsonRat

rat crimsonrat

Crimsonrat family

crimsonrat

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzonerat family

warzonerat

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\CrimsonRAT.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\WarzoneRAT.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tbibra_dreb = "C:\\ProgramData\\Hdlharas\\dlrarhsiva.exe" C:\ProgramData\Hdlharas\dlrarhsiva.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Downloads\000.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Downloads\000.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" C:\Users\Admin\Downloads\000.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\Desktop\Wallpaper C:\Users\Admin\Downloads\000.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5872 set thread context of 6100 N/A C:\Users\Admin\Downloads\WarzoneRAT.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a2b0fa07-87f2-4cb3-ab58-4bc3d3482d27.tmp C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241127161734.pma C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\000.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\shutdown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "130" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\뗃𐀀\ = "crdownload_auto_file" C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\crdownload_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\crdownload_auto_file\shell\edit\command C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico" C:\Users\Admin\Downloads\000.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\.crdownload C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\뗝휀耀.crdownload C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\뗝휀耀.crdownload\ = "crdownload_auto_file" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\crdownload_auto_file\shell C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1669812756-2240353048-2660728061-1000\{CAA31D48-B660-4587-9CD3-A0AB0C74F6D1} C:\Users\Admin\Downloads\000.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\crdownload_auto_file\shell\open\command C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\crdownload_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\crdownload_auto_file C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\.crdownload\ = "crdownload_auto_file" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\뗃𐀀 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\crdownload_auto_file\shell\edit C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\crdownload_auto_file\shell\open C:\Windows\system32\OpenWith.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
N/A N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\WarzoneRAT.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\Downloads\000.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\Downloads\000.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3408 wrote to memory of 2432 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2432 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 2276 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 1992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 1992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 3580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 3580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 3580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 3580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 3580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 3580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 3580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 3580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 3580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 3580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 3580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 3580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 3580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 3580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 3580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 3580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 3580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 3580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 3580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3408 wrote to memory of 3580 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7fff91e146f8,0x7fff91e14708,0x7fff91e14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x264,0x268,0x26c,0x240,0x270,0x7ff652ae5460,0x7ff652ae5470,0x7ff652ae5480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6600 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6680 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5636 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\CrimsonRAT.exe

"C:\Users\Admin\Downloads\CrimsonRAT.exe"

C:\ProgramData\Hdlharas\dlrarhsiva.exe

"C:\ProgramData\Hdlharas\dlrarhsiva.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6968 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7052 /prefetch:8

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Unconfirmed 282964.crdownload

C:\Users\Admin\Downloads\WarzoneRAT.exe

"C:\Users\Admin\Downloads\WarzoneRAT.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp28FA.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5588 /prefetch:8

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3916 /prefetch:2

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Unconfirmed 695785.crdownload

C:\Users\Admin\Downloads\000.exe

"C:\Users\Admin\Downloads\000.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im taskmgr.exe

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic useraccount where name='Admin' set FullName='UR NEXT'

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic useraccount where name='Admin' rename 'UR NEXT'

C:\Windows\SysWOW64\shutdown.exe

shutdown /f /r /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39c7055 /state1:0x41c64e6d

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 172.165.61.93:443 checkappexec.microsoft.com tcp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 172.165.69.228:443 nav.smartscreen.microsoft.com tcp
GB 172.165.69.228:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 93.61.165.172.in-addr.arpa udp
US 8.8.8.8:53 data-edge.smartscreen.microsoft.com udp
GB 51.140.244.186:443 data-edge.smartscreen.microsoft.com tcp
GB 51.140.244.186:443 data-edge.smartscreen.microsoft.com tcp
GB 51.140.244.186:443 data-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 186.244.140.51.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
GB 95.101.143.202:443 www.bing.com tcp
GB 95.101.143.202:443 www.bing.com tcp
US 8.8.8.8:53 202.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
US 95.100.195.163:443 r.bing.com tcp
US 95.100.195.163:443 r.bing.com tcp
US 95.100.195.161:443 th.bing.com tcp
US 95.100.195.161:443 th.bing.com tcp
US 95.100.195.161:443 th.bing.com tcp
US 95.100.195.161:443 th.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 163.195.100.95.in-addr.arpa udp
US 95.100.195.161:443 th.bing.com tcp
US 95.100.195.161:443 th.bing.com tcp
US 95.100.195.161:443 th.bing.com tcp
US 8.8.8.8:53 login.microsoftonline.com udp
NL 40.126.32.133:443 login.microsoftonline.com tcp
US 8.8.8.8:53 161.195.100.95.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 185.199.109.133:443 user-images.githubusercontent.com tcp
US 8.8.8.8:53 154.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 185.199.109.154:443 github.githubassets.com tcp
US 8.8.8.8:53 api.github.com udp
US 140.82.114.21:443 collector.github.com tcp
US 140.82.114.21:443 collector.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 21.114.82.140.in-addr.arpa udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 aefd.nelreports.net udp
GB 2.22.144.37:443 aefd.nelreports.net tcp
US 8.8.8.8:53 37.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 168.61.222.215:5400 tcp
FR 185.136.161.124:6128 tcp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 168.61.222.215:5400 tcp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d9a93ee5221bd6f61ae818935430ccac
SHA1 f35db7fca9a0204cefc2aef07558802de13f9424
SHA256 a756ec37aec7cd908ea1338159800fd302481acfddad3b1701c399a765b7c968
SHA512 b47250fdd1dd86ad16843c3df5bed88146c29279143e20f51af51f5a8d9481ae655db675ca31801e98ab1b82b01cb87ae3c83b6e68af3f7835d3cfa83100ad44

\??\pipe\LOCAL\crashpad_3408_FPXDJTXXADTFPWNR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b9fc751d5fa08ca574eba851a781b900
SHA1 963c71087bd9360fa4aa1f12e84128cd26597af4
SHA256 360b095e7721603c82e03afa392eb3c3df58e91a831195fc9683e528c2363bbb
SHA512 ecb8d509380f5e7fe96f14966a4d83305cd9a2292bf42dec349269f51176a293bda3273dfe5fba5a32a6209f411e28a7c2ab0d36454b75e155fc053974980757

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 f9055ea0f42cb1609ff65d5be99750dc
SHA1 6f3a884d348e9f58271ddb0cdf4ee0e29becadd4
SHA256 1cacba6574ba8cc5278c387d6465ff72ef63df4c29cfbec5c76fbaf285d92348
SHA512 b1937bc9598d584a02c5c7ac42b96ed6121f16fe2de2623b74bb9b2ca3559fc7aff11464f83a9e9e3002a1c74d4bb0ee8136b0746a5773f8f12f857a7b2b3cb4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 da89e3d303345a944b54719f5c86a201
SHA1 a111cf1ea7b6160bde071d20a9237f3fac756aaa
SHA256 517393879b2a59c25ad60a0eb9636f94e7908eab18262f6888180675176f15ea
SHA512 274bdbe08ad035b22045705a41386c2a6eaa72d774621fca82b6fb0785a0638ecc2cf39baf28f52d64976b45682d590fe65d1c3bd310df7d0205e6013f30702b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 e91a0687e9de7636a450bbb8b0b1a6e1
SHA1 85fa165cbc61577012bf8bafd57a91119eeddd91
SHA256 50236c4044780b68d63726aeb8cf53b0bfa41c5c83b9168d56c333f03ae63fe5
SHA512 be2eab70a9591aebc30c32444b7bb8863e6235ff5c489ac43dda6fd6a67d693a5adf6c6419a17f9d08eb50ca27a386adb125f90703ef754533092ed04a816336

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 57d28230dbf3fd4c46b47444221574f2
SHA1 3f09c2b2ba45d4792e170852d6e547e4232a69cf
SHA256 749a1dd1964519f32a4a87fe0d365a7d657336413c6d7e05ae5504949e0ec100
SHA512 c55b98d66ccda4df545508914dc684a0ea8eb02dfe6bcb82da1bfb80c2ab8753ba78a7bc7bddace49c6638f3341575d1d8ee7227e94eee1190d09d70dae0095d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bf8c40f82ddf811311f7719404d7ec62
SHA1 8753fcc0c2ccfe2326b33f507ff9433d44f2f9ca
SHA256 50b4f1c83ebebdd8bb9005fc2175a8731a3ca36ad5de1cb67682f61db17e6776
SHA512 318f4dfec2de5f1c6ca2b585df84eb9eb1bfd6a2b70ba77cd283a896dcd5a63e32f43ccaa1dcc140f0c82ae8658295650f279bc5f4687585c751dd59bb91242d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8866bb2cb6793971ee0716191d1895a0
SHA1 97cae5284f480ea944610c1f4599ae52015198a4
SHA256 5c747e252ec4e2354308eef7130a5dd3a4e8e6491e9c74f53f1e9a9b133e28b2
SHA512 a024a11b266b31322491eb863616d4f1c12e118cf7ee5bc8049def0ae917482e6286b037a81f577c3160fd108bdd9360efa993439683c4f5d80f997d47fe8a17

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 d3412a01d4c3df1df43f94ecd14a889a
SHA1 2900a987c87791c4b64d80e9ce8c8bd26b679c2f
SHA256 dd1511db0f7bf3dc835c2588c1fdd1976b6977ad7babe06380c21c63540919be
SHA512 7d216a9db336322310d7a6191ebac7d80fd4fa084413d0474f42b6eff3feb1baf3e1fb24172ea8abcb67d577f4e3aea2bc68fdb112205fc7592a311a18952f7e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 77f5a5f8e7ac56a0e2bd1146b3cdc326
SHA1 ad881943257252c418f0814ae2f79cbabac549aa
SHA256 1baeaaa63411bcff92adf8f4bebd9d1f44fbf79bf7d3dd543e029ae35b8f8b0c
SHA512 fd30167a944077a4d7548a382cb66c2b35c65bd95ae3e57662d223aac224b85cfdfdb44cfd8845fbf5794188981742d66a53b0e1ba15325e0d3420390872855d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 2e5f3b92125346e07f82374626ea9595
SHA1 f812c657cdfcf13323480be82549b7726f4e0f01
SHA256 1ccae4f7c92224b233c12016ca5ea66e5cc6e396931a797741f8ce46e9ea2d9a
SHA512 6b8587702bb9b1e4397d63c9d0584c5a61d8f7370b7e11a6530da9c7f68592bf69bd0c53302c1677afbb0b0fbdf4c5fa20831622ffbcce82fb7bbc7f5760105e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 68755760a8598df5a9cb65bfd5dbc56f
SHA1 3a4f4695353099d20590976d0ca6e0cdfa343a4b
SHA256 873488164261740beae1eadfb702031769d8ed13320680c9aa317f3c429ace6c
SHA512 fcf8f9e7b6f6f8e127ae44c831cda97e483ee7983d5bb020a1f4ae07e441ec81ab7759ca367c51d4ce4b4af8a5d9e9d037f9ee9d062d0908a1c7f24bffe77758

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586d1d.TMP

MD5 1c94deebbea316fcd6625c94d928c6cf
SHA1 4cdc96c9b4b1e6b0784b229804c9ee5f6152cf32
SHA256 be9d7980215fc32796ee45107f743b3ccda8b26b504a3210651e6eafc89fbfac
SHA512 03cc3b928ed4fc9dc91431b4efa1f17ad5a8d4a22cf30328abb5d4502cd0aa90c8f2ac763e8472a79c57595d62ee43eb4371ef454f38fb12f1b9734d6b77aa98

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 55361d648f5bd887b2192f874ac32978
SHA1 7469801826af0c3ffb8bca94362866a2f3da9922
SHA256 704c041c20ad239c56cdc0852dcaad966690af3c5bf2a8c2bd5a989250f8a613
SHA512 15da06e7657d55f5ad0c2db59a4bcd6ef2b0512ae20bdd4e0b865b84fb439e011258e9cff33092ffc040903e238f93b0e9d766ad47cd293f05153a8bc7e43358

C:\Users\Admin\Downloads\Unconfirmed 508071.crdownload

MD5 b6e148ee1a2a3b460dd2a0adbf1dd39c
SHA1 ec0efbe8fd2fa5300164e9e4eded0d40da549c60
SHA256 dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
SHA512 4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 eb2472af841012b25a306922117ae783
SHA1 a4011245d8fc1865e21b3eb0bca75ea5c1c94c35
SHA256 1f3ad4c488dd39986f5e5ea26135b9ac7c583156055c76312f215ddada5a2b8d
SHA512 5bf25e64117bcd00ef79cf6faf4904e3afacbb30d61a4c3775b9e19f80a2a0c7baa92af261d70f206337cb4c1b827c387fde7c765de1b7477314f4207167c551

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 174d550b1335a3eb59f00e6323fcd223
SHA1 ea243f26523b2dc5e35cfe7fdcb873dff01d51e7
SHA256 1c4fe492a5e2a5ae08d4009e0ee4577796ddb72cef9bbba55308cd2e2ec532a2
SHA512 e2522c87d5168c7175de7e17684580956631e5c5931a8268c8cbfb75fa176788d6fafc80f679a349b25f5ecc563afcb2b50262c8588de20cad981a8b34636ac3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9bfdd04e048fe9298dd49c6984d33138
SHA1 e5abc53c5eb8a0a55b0cebe8210e4667e7bedfa9
SHA256 01bf16adcc9a2063ad4d17d8e98f8853ad0a7d327b010c26d7c774a3a1295100
SHA512 244553d0575a40cbccbda6778d71af1efb98d28921a0a0f598d3e466218eb07c43c71e22c535f098b7f1a044fc983b600af6d5370f172af678ad2862287a4bce

memory/6108-513-0x000002C304FC0000-0x000002C304FDE000-memory.dmp

C:\ProgramData\Hdlharas\mdkhm.zip

MD5 b635f6f767e485c7e17833411d567712
SHA1 5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
SHA256 6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
SHA512 551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

C:\ProgramData\Hdlharas\dlrarhsiva.exe

MD5 64261d5f3b07671f15b7f10f2f78da3f
SHA1 d4f978177394024bb4d0e5b6b972a5f72f830181
SHA256 87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
SHA512 3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 5bfefd3d73f26f08b463e0931286bdd2
SHA1 18d08b31fc8b157affc54b786b42781ea6a4fc9b
SHA256 6623508ca28ffedbe15a1aec22c00790268d7033a3fb492ff1291223db4b7a9a
SHA512 b9bc5f46864d7e3261b6f98da502562e66b06672aeec8f362be2f2a04f5d8ae552dc14fde4de570bd3fa85c514e41e08635ba02f3577514a941af7321920777c

memory/5132-563-0x0000021D16070000-0x0000021D16984000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 11c5601645e26205a97ff13fa915bcf6
SHA1 876d54e3efbf8d2b865053c5f2235dbef854a0e1
SHA256 95347a254f4c370dec4829334b48a513e74763d65f65b1364f7385a3f958f624
SHA512 2c4b43a94a9a2c6a4b6ee081c1746c643a1d1ba11d2029bd8405742ed959365e6a5646b1c9202cfd9a82fa8f5703161c25c2040d65851bb3f1c4ba8796296468

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 edb1fc491189759c19710b85917f06e8
SHA1 738aac8093fa3bf23a6829271794df77e20ac8fb
SHA256 772e95986d5d5b5a0fbdc340432360bd82806eacb83ca835bc5498929c80c7bf
SHA512 d8adfe984ee918b39552ecf115e1afcb8aaf88d88e6598b240499301e0c84a056f690a352259e689081a13f151584430193a6b997958b43943c07543d32b45fe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58d76f.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

MD5 339b4f5f70606510738907218a293f5b
SHA1 40680aa68ab0020eaba6ab7931bd0cda111f2843
SHA256 efa18fafa3d2e1b5e55d154285f2d7b031dcadb9ccd212ee5839c3c6561e7995
SHA512 fa50953b82bb7c63c449649dfa38a26119e08c0608c44c847a59543ac78c1da5a68e9b4b9939e3afb0324237b2cedf9f98b98b483ee8398be66386a877cdd5e1

C:\Users\Admin\Downloads\Unconfirmed 282964.crdownload

MD5 600e0dbaefc03f7bf50abb0def3fb465
SHA1 1b5f0ac48e06edc4ed8243be61d71077f770f2b4
SHA256 61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2
SHA512 151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 667546e3d192574a1506d76579a1e0af
SHA1 0aaf9da58a6f79dc31397318ed8846fb5ad62b11
SHA256 3bb4cd35d9eaeeb14e0ca65ccd2729c0a463affa2fcc59694320c09acb43738b
SHA512 c7efab3492893086447bca50b9a1817e86275bb9dadc1af8f2ec3644f64454fa8e17e4a431e2df26950c5c4b2cf576bb8b5e19994f22a1a7df5e9cd064298298

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2189423377a3117c14ebffc945ee3ba3
SHA1 23ac4d9479a4b304123460c130221285ec305fa2
SHA256 3c79ad838804bf18787da02e6ee076656eeb6000cfa3f057417a6d2a2d0d9822
SHA512 d58f0f205a3f3f030b8b5aae94f0f96b2c96f711b3f89972e0897583fc816fbf9dcd7b9acb635d6e39f40bc378fe63322af423fca9e7b523dbd9497ccf992999

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a4350d9a6d7412d29894125bfbf8831a
SHA1 d6c1d675ef27be5641d7cfbecffe5553e6ab3309
SHA256 1498d448f3f2d5b48f9ef44707496725072aff66253bfa1707494cfedc070e8d
SHA512 c7ad05ffb37913aa54f244387f6e45ed52c1be27f4ff4adb26b4331ee31ba4dfec1c387b0ab8106256ed723fe283445c9f32e8422164bdedac842540dfef41a0

memory/5872-630-0x0000000000CC0000-0x0000000000D16000-memory.dmp

memory/5872-631-0x0000000005E40000-0x00000000063E6000-memory.dmp

memory/5872-632-0x0000000005AB0000-0x0000000005B42000-memory.dmp

memory/5872-633-0x0000000005A80000-0x0000000005A88000-memory.dmp

memory/5872-634-0x00000000065C0000-0x000000000665C000-memory.dmp

memory/5872-635-0x0000000006520000-0x0000000006548000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp28FA.tmp

MD5 9695310bc7712c412051f3ef0fd46485
SHA1 eb704aa1dbd896f09043e6ed190fb6abe717907e
SHA256 655e111abd81994ea333676d0e2ac368d41a3f33b1fb2d1e70c79b46d9905727
SHA512 61ee9f7bde873aedf567888de712ee79162b1ed81e8ae4059830110e42f1c6d448161042071dbc4d582d61c31154b375d01e62b711588f5806d5a5505197086f

memory/6100-638-0x0000000000400000-0x0000000000553000-memory.dmp

memory/6100-640-0x0000000000400000-0x0000000000553000-memory.dmp

C:\Users\Admin\Downloads\Unconfirmed 695785.crdownload

MD5 f2b7074e1543720a9a98fda660e02688
SHA1 1029492c1a12789d8af78d54adcb921e24b9e5ca
SHA256 4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966
SHA512 73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 bba955cce8a8cc5d8da835dd31e5902f
SHA1 9fca79509742d40215c0e034bc9d368754fab428
SHA256 eabe9c3ed24623219c6368c8207cd72907f84e4b7b6111fb47090858ae199b98
SHA512 ff50770e860b024c5b33919ca42a807feb145083fb011a33fb353a1676d7716325d59a19b61faa86b9a3818177212c7782dc1377d89d17edf8c5c46e3fbd831a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4fd7999fbe222be7214ef826c615629e
SHA1 6f84de58f1983ae2295cf14ca5646b7a4d7ecdf7
SHA256 8b70888067e607b3972ce80da0385dd3a00a22e28af25b4036d31ec5cafad7d9
SHA512 e53b8a7ce12c4fb089856ba8ca1e68cdfdc47d7bd6d8e4c69b8f6942523940ffe04277a4104e191fd21ae46773106a401911ea5d0e989529c3f21eaa4b23d9de

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 77d8450824336f586dff2cd6df7e3a6f
SHA1 6d219252de3bafcc984e9b1148eaf9271b137399
SHA256 674883129d7df8984cfd8d73ef80c9f92866b5683f9fc728d3f3c33287f594ff
SHA512 9fdc5bdbbb510832beffed64e7356e86911d1cdccb79fd7b719058e113701de99685ea58fe81cceb7eefe2b238aa8d34bd423a1786e931e0dd2e28aa34d2a45c

memory/3468-699-0x00000000001B0000-0x000000000085E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\windl.bat

MD5 a9401e260d9856d1134692759d636e92
SHA1 4141d3c60173741e14f36dfe41588bb2716d2867
SHA256 b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7
SHA512 5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

memory/3468-715-0x000000000C4C0000-0x000000000C4F8000-memory.dmp

memory/3468-716-0x000000000C490000-0x000000000C49E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rniw.exe

MD5 9232120b6ff11d48a90069b25aa30abc
SHA1 97bb45f4076083fca037eee15d001fd284e53e47
SHA256 70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be
SHA512 b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

memory/3468-721-0x000000000C540000-0x000000000C550000-memory.dmp

memory/3468-723-0x000000000C540000-0x000000000C550000-memory.dmp

memory/3468-722-0x000000000C540000-0x000000000C550000-memory.dmp

memory/3468-720-0x000000000C540000-0x000000000C550000-memory.dmp

memory/3468-724-0x000000000C700000-0x000000000C710000-memory.dmp

memory/3468-725-0x000000000C700000-0x000000000C710000-memory.dmp

memory/3468-727-0x000000000C540000-0x000000000C550000-memory.dmp

memory/3468-726-0x000000000C540000-0x000000000C550000-memory.dmp

memory/3468-728-0x000000000C700000-0x000000000C710000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 603189f7de26b1d28922bf6a80a8db55
SHA1 3fa48919963431562795a597aea10e0c0d1056d6
SHA256 41a2381311ea55d09af842214a5206c4c9c3c6a6b5502ecacd1ae0ae08eb42a7
SHA512 36b5fcfecb1ce33f651314f59c85a3dcea90739435ef0ed271748fa5a8d689fb9499631f12aaacd9750f3a150c9ce6a601e81c3e80b513624637e3d5d5a47e89

C:\Users\Admin\AppData\Local\Temp\text.txt

MD5 9037ebf0a18a1c17537832bc73739109
SHA1 1d951dedfa4c172a1aa1aae096cfb576c1fb1d60
SHA256 38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48
SHA512 4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

C:\Users\Admin\AppData\Local\Temp\one.rtf

MD5 6fbd6ce25307749d6e0a66ebbc0264e7
SHA1 faee71e2eac4c03b96aabecde91336a6510fff60
SHA256 e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690
SHA512 35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064