Analysis Overview
Threat Level: Known bad
The file https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe was found to be: Known bad. The verdict and the signatures below cover the whole detonation, in which several other executables (Lokibot.exe, ColorBug.exe, SpySheriff.exe and BlueScreen (1).exe under C:\Users\Admin\Downloads) ran alongside the submitted file.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Lokibot family
Lokibot
Downloads MZ/PE file
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Accesses Microsoft Outlook profiles
Adds Run key to start application
Drops file in System32 directory
Drops autorun.inf file
Suspicious use of SetThreadContext
UPX packed file
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious use of FindShellTrayWindow
outlook_office_path
outlook_win_path
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
NTFS ADS
Modifies Control Panel
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-01-16 23:30
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-16 23:30
Reported
2025-01-16 23:35
Platform
win10v2004-20241007-en
Max time kernel
301s
Max time network
303s
Command Line
Signatures
Lokibot
Lokibot family
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\System32\WScript.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
Obfuscated with Agile.Net obfuscator
(6 matches; no indicator, process or target details were recorded for this signature)
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\Downloads\Lokibot.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\Downloads\Lokibot.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\Downloads\Lokibot.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\~~CB = "cb.exe" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
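The four registry tables above (ShowSuperHidden, Geo\Nation, the Outlook profile keys and the ~~CB Run value) can be turned into findings mechanically. The script below is an added example by the editor, not part of the sandbox report: it parses rows in the table format used on this page, rewrites the \REGISTRY\USER\<SID> and \REGISTRY\MACHINE prefixes to HKCU/HKLM, and applies a small rule set. The rule set and the ATT&CK mapping are the editor's assumptions; the WOW6432Node flag is derived from the path, which is why the 32-bit ColorBug.exe write is reported under the redirected key.

```python
"""Map the registry indicator rows from this report to behaviours.
Added example by the editor: the row format mirrors the tables above,
the rule set and ATT&CK mapping are the editor's, not the sandbox's."""
import re

# Rows copied from the behavioral1 tables above, one per signature.
SAMPLE_ROWS = r"""
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\Downloads\Lokibot.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\~~CB = "cb.exe" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
""".strip().splitlines()

SID_RE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-[\d-]+\\", re.I)
MACHINE_RE = re.compile(r"^\\REGISTRY\\MACHINE\\", re.I)

# (regex over the normalised key path, predicate on (operation, data), label)
RULES = [
    (r"\\Explorer\\Advanced\\ShowSuperHidden$",
     lambda op, data: op.startswith("Set value") and data == "0",
     "T1564.001 hides protected operating-system files in Explorer"),
    (r"\\CurrentVersion\\Run\\[^\\]+$",
     lambda op, data: op.startswith("Set value"),
     "T1547.001 Run-key persistence"),
    (r"\\Control Panel\\International\\Geo\\Nation$",
     lambda op, data: True,
     "T1614 system location (country) discovery"),
    (r"\\(Windows Messaging Subsystem\\Profiles|Office\\\d+\.\d+\\Outlook\\Profiles)\\",
     lambda op, data: True,
     "T1555 reads Outlook profile store (mail credential theft)"),
]


def normalise(path):
    """Rewrite the kernel-style registry path to HKCU/HKLM form and note
    whether it went through the WOW6432Node (32-bit) redirected view."""
    path = SID_RE.sub(lambda m: "HKCU\\", path)
    path = MACHINE_RE.sub(lambda m: "HKLM\\", path)
    wow64 = "\\WOW6432Node\\" in path
    return path.replace("\\WOW6432Node\\", "\\"), wow64


def parse_row(row):
    """Split one '| op | indicator | process | target |' row."""
    op, indicator, process, _target = [c.strip() for c in row.strip().strip("|").split("|")]
    data = None
    if " = " in indicator:  # 'Set value' rows carry the data that was written
        indicator, data = indicator.split(" = ", 1)
        data = data.strip('"')
    key, wow64 = normalise(indicator)
    return {"op": op, "key": key, "data": data, "process": process, "wow64": wow64}


def classify(rows):
    """Return (process name, label, key, data) for every rule hit."""
    findings = []
    for row in rows:
        ev = parse_row(row)
        for pattern, pred, label in RULES:
            if re.search(pattern, ev["key"], re.I) and pred(ev["op"], ev["data"]):
                if ev["wow64"]:
                    label += " (written via WOW6432Node: 32-bit process)"
                findings.append((ev["process"].rsplit("\\", 1)[-1], label, ev["key"], ev["data"]))
    return findings


if __name__ == "__main__":
    for proc, label, key, data in classify(SAMPLE_ROWS):
        print(f"{proc:14} {label}")
        print(f"{'':14} {key}" + (f" = {data!r}" if data is not None else ""))
```

The value name is kept on the end of the key path so that a single regex can match both the key and the value written; for Run entries this is what lets the rule report `~~CB` rather than only the Run key.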
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File created | C:\AutoRun.inf | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\AutoRun.inf | C:\Windows\System32\WScript.exe | N/A |
| File created | F:\AutoRun.inf | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | F:\AutoRun.inf | C:\Windows\System32\WScript.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\Printing_Admin_Scripts\fr-FR\pubprn.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnjobs.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnqctl.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Printing_Admin_Scripts\it-IT\prnport.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\oobe\es-ES\OOBE_HELP_Opt_in_Details.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Printing_Admin_Scripts\it-IT\pubprn.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnqctl.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\pubprn.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\oobe\de-DE\OOBE_HELP_Opt_in_Details.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Printing_Admin_Scripts\es-ES\prnport.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Printing_Admin_Scripts\ja-JP\prnqctl.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\oobe\en-US\OOBE_HELP_Opt_in_Details.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prncnfg.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\SyncAppvPublishingServer.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Printing_Admin_Scripts\de-DE\prnqctl.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Printing_Admin_Scripts\it-IT\prnqctl.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prncnfg.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\oobe\it-IT\oobe_learn_more_activity_history.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Printing_Admin_Scripts\en-US\prnqctl.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Printing_Admin_Scripts\it-IT\prnmngr.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\winrm.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\pubprn.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnport.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prndrvr.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnmngr.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prncnfg.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\oobe\uk-UA\OOBE_HELP_Opt_in_Details.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Printing_Admin_Scripts\fr-FR\prncnfg.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prndrvr.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnmngr.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\oobe\en-US\oobe_learn_more_activity_history.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Printing_Admin_Scripts\ja-JP\prndrvr.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Printing_Admin_Scripts\ja-JP\prnjobs.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnjobs.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\gatherNetworkInfo.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\oobe\fr-FR\OOBE_HELP_Opt_in_Details.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Printing_Admin_Scripts\de-DE\prnport.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Printing_Admin_Scripts\de-DE\pubprn.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Printing_Admin_Scripts\en-US\prnport.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnmngr.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnport.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnport.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Printing_Admin_Scripts\ja-JP\prncnfg.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnport.vbs | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Windows\System32\Administrator.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\oobe\fr-FR\oobe_learn_more_activity_history.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\oobe\it-IT\OOBE_HELP_Opt_in_Details.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prndrvr.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Printing_Admin_Scripts\fr-FR\prnmngr.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Printing_Admin_Scripts\fr-FR\prnqctl.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\Printing_Admin_Scripts\ja-JP\prnport.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\pubprn.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\oobe\de-DE\oobe_learn_more_activity_history.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\oobe\es-ES\oobe_learn_more_activity_history.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnqctl.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\pubprn.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prndrvr.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prncnfg.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnport.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\slmgr.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\slmgr.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnjobs.vbs | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5024 set thread context of 3472 | N/A | C:\Users\Admin\Downloads\Lokibot.exe | C:\Users\Admin\Downloads\Lokibot.exe |
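The row above records one Lokibot.exe process changing the thread context of a second Lokibot.exe process. Together with the WriteProcessMemory and NtCreateUserProcessBlockNonMicrosoftBinary hits listed in the summary, that is the sequence used by process hollowing (T1055.012). The grader below is an added example by the editor, not from the report: the parent/child link between PID 5024 and PID 3472, the preceding WriteProcessMemory event and the notepad.exe contrast case are constructed assumptions, since the report only shows the SetThreadContext row.

```python
"""Grade a SetThreadContext event against the process tree and earlier
WriteProcessMemory calls, the sequence used by process hollowing
(T1055.012).  Added example by the editor, not the sandbox's logic."""
import ntpath

LOKI = r"C:\Users\Admin\Downloads\Lokibot.exe"
# Constructed sample.  Only the set_thread_context 5024 -> 3472 row comes
# from the report; the parent/child link, the write_process_memory event
# and the notepad.exe case are assumptions made to show the grading.
SAMPLE_EVENTS = [
    ("process_create", {"pid": 5024, "ppid": 4100, "image": LOKI}),
    ("process_create", {"pid": 3472, "ppid": 5024, "image": LOKI}),
    ("write_process_memory", {"src": 5024, "dst": 3472}),
    ("set_thread_context", {"src": 5024, "dst": 3472}),
    ("process_create", {"pid": 6100, "ppid": 900, "image": r"C:\Windows\System32\notepad.exe"}),
    ("set_thread_context", {"src": 5024, "dst": 6100}),
]


def grade(events):
    """Return one finding per cross-process SetThreadContext, scored 1..4."""
    procs = {}       # pid -> (ppid, image)
    written = set()  # (src, dst) pairs that saw WriteProcessMemory first
    findings = []
    for kind, e in events:
        if kind == "process_create":
            procs[e["pid"]] = (e["ppid"], e["image"])
        elif kind == "write_process_memory":
            written.add((e["src"], e["dst"]))
        elif kind == "set_thread_context":
            src, dst = e["src"], e["dst"]
            if src == dst:
                continue  # a process adjusting its own threads is unremarkable
            src_img = procs.get(src, (None, None))[1]
            dst_ppid, dst_img = procs.get(dst, (None, None))
            is_child = dst_ppid == src
            same_image = bool(src_img and dst_img and src_img.lower() == dst_img.lower())
            prior_write = (src, dst) in written
            score = 1 + is_child + same_image + prior_write
            if is_child and prior_write:
                verdict = "process hollowing candidate (T1055.012)"
                if same_image:
                    verdict += ", child runs the same image as the parent"
            else:
                verdict = "cross-process thread context change, investigate"
            findings.append({
                "src": src, "dst": dst,
                "src_image": ntpath.basename(src_img or "?"),
                "dst_image": ntpath.basename(dst_img or "?"),
                "is_child": is_child, "same_image": same_image,
                "prior_write": prior_write, "score": score, "verdict": verdict,
            })
    return findings


if __name__ == "__main__":
    for f in grade(SAMPLE_EVENTS):
        print(f"{f['src']}->{f['dst']} {f['src_image']}->{f['dst_image']} score={f['score']} {f['verdict']}")
```

The score deliberately separates the three observations a hollowing detector needs (child relationship, memory written before the context change, identical image) so that a debugger attaching to an unrelated process scores 1 and is not confused with the self-injection seen here.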
UPX packed file
(4 matches; no indicator, process or target details were recorded for this signature)
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\WebviewOffline.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\WebviewOffline.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\PhotosApp\Assets\ThirdPartyNotices\ThirdPartyNotices.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\README.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\index.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\offset_window.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\notificationCenter.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_config_window.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\locallaunch\locallaunch.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\Welcome.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\vlm.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\Welcome.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\Office16\OSPP.VBS | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\MCABOUT.HTM | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\Xbox360PurchaseHostPage.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\Office16\OSPP.HTM | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\view.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\bootstrap.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\pages\winrthost.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\ThirdPartyNotices\ThirdPartyNotices.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WebviewOffline.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\msapp-error.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\index.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\pages\wefgalleryonenoteinsertwinrt.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\locallaunch\locallaunchdlg.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\whatsnewsrc\bulletin_board.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\index.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\PersonaSpy.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\accessibilitychecker\index.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\WebviewOffline.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\Controls\Xbox360PurchaseHostPage.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html | C:\Windows\System32\WScript.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\WebviewOffline.html | C:\Windows\System32\WScript.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\retailDemoSecurity.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\403-17.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\tokenManagerErrorHandler.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobelocalngc-main.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\404-12.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\BlockSite.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\forbidframingedge.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\views\tokenManagerErrorHandler.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\sspr-frame-template.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\pdferrorneedcredentials.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\403-10.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\startfresh.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\views\roamingDisambiguation.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobelanguage-main.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\unifiedEnrollmentProgress.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_en-us_1279c10c2d9636d4\401-3.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\403-17.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\500-15.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\pdferrorrepurchasecontent.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\view\common-textinput-template.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobe-light-contentview-template.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeprovisioningentry-main.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\fr-FR\assets\ErrorPages\proxyerror.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeeula-main.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\oobe-footer-template.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\view\oobe-progress-template.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobe-header-template.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\hstscerterror.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\pdferrorneedcontentlocally.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\acr_error.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\BlockSite.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\es-ES\assets\ErrorPages\pdferrormfnotfound.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-light-progress-template.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeoutro-main.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\pdferrorrenewrentallicense.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobeoemregistration-main.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\405.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\401-1.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\ja-JP\assets\ErrorPages\invalidcert.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\sslnavcancel.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\views\nointernet.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\main.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\403-9.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\repost.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\retailDemoLocal.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\RetailDemo\retailDemoLocal.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.1266_none_777e4c5802d14c18\oobeFooterHost.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\404-6.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\403-11.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\403-16.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\500-14.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\popup\popup.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_b4fc93ef208f3edb\404-14.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f248a35f7c12459\404-7.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobewelcome-main.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\hololensDiagnostics\views\hololensDiagnostics.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\forbidframingedge.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\navcancl.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\view\common-header-template.html | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.19041.1202_none_4132a4047d5d53b2\SyncAppvPublishingServer.vbs | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_es-es_12451df02dbd2879\403-5.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\it-IT\assets\ErrorPages\PhishSiteEdge.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_10.0.19041.1_de-de_6988eb133eb82b0f\401-2.htm | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-light-footer-template.html | C:\Windows\System32\WScript.exe | N/A |
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\SpySheriff.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\BlueScreen (1).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\BlueScreen (1).exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Lokibot.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Lokibot.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Lokibot.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Lokibot.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Lokibot.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Lokibot.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Lokibot.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Lokibot.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\WinNuke.98.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\InactiveTitleText = "85 56 248" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\ActiveTitle = "87 184 217" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\WindowFrame = "210 226 45" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\Hilight = "103 208 87" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\GrayText = "83 82 16" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\InactiveTitle = "45 172 38" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\TitleText = "131 76 28" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\ButtonText = "134 178 104" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\WindowText = "129 81 46" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\ButtonShadow = "255 69 18" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\Hilight = "251 83 25" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\MenuText = "218 213 21" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\ActiveBorder = "212 215 19" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\GrayText = "210 113 209" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\InactiveTitle = "232 138 94" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\InactiveTitleText = "189 6 214" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\Window = "240 181 234" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\Menu = "9 89 129" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\ButtonShadow = "6 155 235" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\WindowText = "108 162 184" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\InactiveBorder = "33 114 95" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\ActiveBorder = "205 83 68" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\ButtonFace = "201 24 196" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\ActiveTitle = "13 230 125" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\WindowText = "213 104 108" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\InactiveTitle = "154 230 223" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\ActiveBorder = "34 249 247" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\ButtonFace = "117 213 207" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\MenuText = "159 221 55" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\Menu = "37 235 117" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\HilightText = "134 65 97" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\Scrollbar = "24 205 178" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\Scrollbar = "255 70 138" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\ActiveTitle = "107 172 154" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\WindowText = "182 244 53" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\WindowFrame = "146 192 46" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\TitleText = "58 229 194" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\HilightText = "45 192 177" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\ButtonFace = "111 57 205" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\ActiveTitle = "41 206 187" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\ActiveBorder = "113 28 162" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\HilightText = "79 66 151" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\WindowText = "162 15 196" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\ButtonFace = "13 223 114" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\TitleText = "174 163 230" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\GrayText = "107 143 18" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\WindowFrame = "244 143 64" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\InactiveBorder = "20 116 122" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\InactiveBorder = "12 235 49" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\WindowFrame = "207 92 207" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\Hilight = "225 188 253" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\InactiveTitle = "21 51 243" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\InactiveBorder = "175 119 123" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\Window = "54 246 208" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\Scrollbar = "232 193 49" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\ActiveTitle = "221 47 156" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\Window = "28 162 39" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\ButtonShadow = "229 14 75" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\ButtonText = "1 70 145" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\Menu = "130 44 43" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Colors\InactiveBorder = "18 140 217" | C:\Users\Admin\Downloads\ColorBug.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "%SystemRoot%\\System32\\WScript.exe \"C:\\Windows\\Administrator.vbs\" %1 %* " | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command\ = "%SystemRoot%\\System32\\WScript.exe \"C:\\Windows\\Administrator.vbs\" %1 %* " | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\System32\\WScript.exe \"C:\\Windows\\Administrator.vbs\" %1 %* " | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open | C:\Windows\System32\WScript.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 257645.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 586891.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 287561.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 656225.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 168581.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 638947.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 681860.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 935111.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 333844.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 326509.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Lokibot.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Lokibot.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Lokibot.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Lokibot.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Lokibot.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Lokibot.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Lokibot.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Lokibot.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\Downloads\Lokibot.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\Downloads\Lokibot.exe | N/A |
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1a8146f8,0x7ffa1a814708,0x7ffa1a814718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2524 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5632 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6332 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:8
C:\Users\Admin\Downloads\WinNuke.98.exe
"C:\Users\Admin\Downloads\WinNuke.98.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2512 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6456 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6016 /prefetch:8
C:\Users\Admin\Downloads\Lokibot.exe
"C:\Users\Admin\Downloads\Lokibot.exe"
C:\Users\Admin\Downloads\Lokibot.exe
"C:\Users\Admin\Downloads\Lokibot.exe"
C:\Users\Admin\Downloads\Lokibot.exe
"C:\Users\Admin\Downloads\Lokibot.exe"
C:\Users\Admin\Downloads\Lokibot.exe
"C:\Users\Admin\Downloads\Lokibot.exe"
C:\Users\Admin\Downloads\Lokibot.exe
"C:\Users\Admin\Downloads\Lokibot.exe"
C:\Users\Admin\Downloads\Lokibot.exe
"C:\Users\Admin\Downloads\Lokibot.exe"
C:\Users\Admin\Downloads\Lokibot.exe
"C:\Users\Admin\Downloads\Lokibot.exe"
C:\Users\Admin\Downloads\Lokibot.exe
"C:\Users\Admin\Downloads\Lokibot.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5644 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6588 /prefetch:8
C:\Users\Admin\Downloads\SpySheriff.exe
"C:\Users\Admin\Downloads\SpySheriff.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4044 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 /prefetch:8
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\HeadTail.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\HeadTail.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\HeadTail.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\HeadTail.vbs"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2292 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5700 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5588 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2660 /prefetch:8
C:\Users\Admin\Downloads\BlueScreen (1).exe
"C:\Users\Admin\Downloads\BlueScreen (1).exe"
C:\Users\Admin\Downloads\BlueScreen (1).exe
"C:\Users\Admin\Downloads\BlueScreen (1).exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5824 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6636 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4184 /prefetch:8
C:\Users\Admin\Downloads\ColorBug.exe
"C:\Users\Admin\Downloads\ColorBug.exe"
C:\Users\Admin\Downloads\ColorBug.exe
"C:\Users\Admin\Downloads\ColorBug.exe"
C:\Users\Admin\Downloads\ColorBug.exe
"C:\Users\Admin\Downloads\ColorBug.exe"
C:\Users\Admin\Downloads\ColorBug.exe
"C:\Users\Admin\Downloads\ColorBug.exe"
C:\Users\Admin\Downloads\ColorBug.exe
"C:\Users\Admin\Downloads\ColorBug.exe"
C:\Users\Admin\Downloads\ColorBug.exe
"C:\Users\Admin\Downloads\ColorBug.exe"
C:\Users\Admin\Downloads\ColorBug.exe
"C:\Users\Admin\Downloads\ColorBug.exe"
C:\Users\Admin\Downloads\ColorBug.exe
"C:\Users\Admin\Downloads\ColorBug.exe"
C:\Users\Admin\Downloads\ColorBug.exe
"C:\Users\Admin\Downloads\ColorBug.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6184 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1700 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,3032309997113373861,11466737081301964539,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Loveware.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c PowerShell.exe -command " (gwmi Win32_BaseBoard).Manufacturer -eq 'Microsoft Corporation' "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -command " (gwmi Win32_BaseBoard).Manufacturer -eq 'Microsoft Corporation' "
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\ifvm.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Loveware.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c PowerShell.exe -command " (gwmi Win32_BaseBoard).Manufacturer -eq 'Microsoft Corporation' "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -command " (gwmi Win32_BaseBoard).Manufacturer -eq 'Microsoft Corporation' "
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\ifvm.vbs"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Loveware.bat" "
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c PowerShell.exe -command " (gwmi Win32_BaseBoard).Manufacturer -eq 'Microsoft Corporation' "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell.exe -command " (gwmi Win32_BaseBoard).Manufacturer -eq 'Microsoft Corporation' "
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\ifvm.vbs"
C:\Users\Admin\Downloads\ColorBug.exe
"C:\Users\Admin\Downloads\ColorBug.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\HeadTail.vbs"
C:\Users\Admin\Downloads\WinNuke.98.exe
"C:\Users\Admin\Downloads\WinNuke.98.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 154.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.114.21:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | 21.114.82.140.in-addr.arpa | udp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| CA | 69.50.175.178:80 | | tcp |
| US | 8.8.8.8:53 | blesblochem.com | udp |
| US | 34.227.7.138:80 | blesblochem.com | tcp |
| US | 34.227.7.138:80 | blesblochem.com | tcp |
| US | 34.227.7.138:80 | blesblochem.com | tcp |
| US | 8.8.8.8:53 | 138.7.227.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 34.227.7.138:80 | blesblochem.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 34.227.7.138:80 | blesblochem.com | tcp |
| GB | 95.101.143.201:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 201.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 34.227.7.138:80 | blesblochem.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ba6ef346187b40694d493da98d5da979 |
| SHA1 | 643c15bec043f8673943885199bb06cd1652ee37 |
| SHA256 | d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73 |
| SHA512 | 2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c |
\??\pipe\LOCAL\crashpad_4196_QAKAFLMIFKARMQRJ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | b8880802fc2bb880a7a869faa01315b0 |
| SHA1 | 51d1a3fa2c272f094515675d82150bfce08ee8d3 |
| SHA256 | 467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812 |
| SHA512 | e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 91cffb352de4d6892ea7f707b8cfa653 |
| SHA1 | 5eb35b57ba50ee8e64877d005553e7567645efa9 |
| SHA256 | a0264972a093202066412b9c372379b5a6890130878aaa00158239e1124009fa |
| SHA512 | 5a45d8234bc7c6ee072035813256c550106c6e147fa62406e99e2f9f00989a78ba022a3eb40f142b6e30aae1177905f0339db412aeb1a6a2e15b6f296c6cea8a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 77967171f59ccc3661625186dff1c6f8 |
| SHA1 | 64cdc641a3be1aa2eb7e82a1b3cb3d4205209066 |
| SHA256 | 013f9b230a36eac2738a3bef6aab492330ae037c382ef3c9d4a3597a1aa9f82d |
| SHA512 | 545895b0966ac5f6f39ab371cc4ec9f18e6454c2434c5307dcb14d5722aec43b162fc5b324e1e8ec71dbb67d5704078445146c5ab14df0c9fe1ee96f1b219c73 |
C:\Users\Admin\Downloads\Unconfirmed 257645.crdownload
| MD5 | eb9324121994e5e41f1738b5af8944b1 |
| SHA1 | aa63c521b64602fa9c3a73dadd412fdaf181b690 |
| SHA256 | 2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a |
| SHA512 | 7f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5cf201bcf97c5a20fad73d0fac46c092 |
| SHA1 | a21a3c473935614248ab3f066a2f1ceb088ce8d4 |
| SHA256 | 97aa5ba305dd9c7162047da55767c8f8fc7f4c1c4c6bc1a2bba9164ad63ec8bb |
| SHA512 | e97d4e3301a7cb5d426a19614a952689b89a402da791ae1429752811ee6f5802ad31d71c3efe8496d6c27d776f63f621368eafb942fa50d544ee23f1bbd20531 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b729700fccd0ed2a631362be24f04647 |
| SHA1 | 276d3e40a54ee0f2c08effd4865de4a89faaa9f7 |
| SHA256 | ed1293e110ddc3745f4f1db9cdba50cb025d9c95d5f047f79c385389a0472fc0 |
| SHA512 | d4b5a0b50264e39f96acc8cc61f6406637012b3f1b7dfa8efff04078de2a7d7c0dd931ab500433e4a56cbe0a78e90239b8c193ce73794fe97f33327f368a4e1e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 87eced250f539c822a023b933c59efe7 |
| SHA1 | 30ebaa418389f6ef0e9d1b81a57f7b9959a6b7ae |
| SHA256 | b7f1542fae857f41ad2940623c59bf4337e6ff6c4a3cefb427d0e20db002e699 |
| SHA512 | d5a2d614c50d648c99427e3c84ef6a0049aa6b3dbdc9769464a9cdc86c52b44c56f2bc9274247ccde1ad3925d7398864426f78ad3490f2008345919b8771f793 |
C:\Users\Admin\Downloads\Unconfirmed 586891.crdownload
| MD5 | f52fbb02ac0666cae74fc389b1844e98 |
| SHA1 | f7721d590770e2076e64f148a4ba1241404996b8 |
| SHA256 | a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683 |
| SHA512 | 78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 67ea42e53f408d821ae8b0a800c2dffd |
| SHA1 | 245a6b4f3e2de3e40e614102596957d99df5a0e7 |
| SHA256 | df88fa78afaa54df2526e4f11febc987f5c74df7c3ccfb73cad472fcf915a897 |
| SHA512 | ce0fabacde5484eb3cd60f97248c757d4e41cc9082a373e398167276a311db2c717f970f26f9b4b6c636c847e795e42b4d11908351f0b78c56f3a47d695176e6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 46ad1708d3c85c0e84dacbbc634fbd61 |
| SHA1 | 735e9c5d244574443e68b646a100047065394f11 |
| SHA256 | 3a216385d74d967ad8b7a0f0e8b98aa75b5ec37f6b32d752e9c5123872e76cf4 |
| SHA512 | 1f0861194d1859f8f0ab14c90fb432ce9dd8a886e89c62f59f56c3e45fe84bd8ae223eab1272a3ad09dc47082914be2d4a18ef17172b510e4e75af5b29386783 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58587b.TMP
| MD5 | 659d845f6f9d80a2887e0991a7d24aff |
| SHA1 | 8ee305b40a7c188343f7e6ef1be69e0797dfe811 |
| SHA256 | 4656235a203c6825b1151cc3742567221608e5a6563de6099b886316e0bf35c1 |
| SHA512 | 6ae219162a0e08546da75b64a7321d330d9267d46ba3b849db32b800b8109428ee7a8aa3b14a77c19a78618e66494819e1db974147bf1347ecf253a9bd95b8a7 |
memory/5024-284-0x0000000000300000-0x0000000000352000-memory.dmp
memory/5024-285-0x0000000002600000-0x0000000002614000-memory.dmp
memory/5024-286-0x0000000005310000-0x00000000058B4000-memory.dmp
memory/1992-288-0x0000000001010000-0x0000000001024000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Lokibot.exe.log
| MD5 | 4eaca4566b22b01cd3bc115b9b0b2196 |
| SHA1 | e743e0792c19f71740416e7b3c061d9f1336bf94 |
| SHA256 | 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb |
| SHA512 | bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1 |
memory/2744-292-0x0000000002620000-0x0000000002634000-memory.dmp
memory/3000-294-0x00000000026A0000-0x00000000026B4000-memory.dmp
memory/700-296-0x00000000052D0000-0x00000000052E4000-memory.dmp
memory/5024-298-0x0000000004F20000-0x0000000004F28000-memory.dmp
memory/5024-299-0x0000000005AE0000-0x0000000005B72000-memory.dmp
memory/5024-300-0x0000000005BE0000-0x0000000005BE8000-memory.dmp
memory/5024-301-0x0000000005F90000-0x0000000005FD4000-memory.dmp
memory/544-303-0x0000000002DE0000-0x0000000002DF4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | fba98d5e9de55f98fbb9d936dacac9d5 |
| SHA1 | 27364458e76450d994759871bc235c4a469fd9f2 |
| SHA256 | 33db9900c12b2da1e961d4b82d2da570768ae994a5f630f2f787fa0447bf1e7f |
| SHA512 | a3ce732461fc8ab19f747be17d3c90308a7f0e4e8e6eb0e97a0cffbd192a0e0b29b26b4806859b642d3e1d62da43e1c2febe5a648c6de76f46cf7a951a2208a8 |
memory/5024-336-0x0000000005F40000-0x0000000005F62000-memory.dmp
C:\Users\Admin\Downloads\Unconfirmed 287561.crdownload
| MD5 | ab3e43a60f47a98962d50f2da0507df7 |
| SHA1 | 4177228a54c15ac42855e87854d4cd9a1722fe39 |
| SHA256 | 4f5f0d9a2b6ef077402a17136ff066dda4c8175ceb6086877aaa3570cabb638f |
| SHA512 | 9e3365c7860c4766091183d633462f1cc8c30d28871ae2cd8a9a086ce61c0bccf457f919db6826b708f0cf4f88e90f71185420edc4756b7d70137e2096f8797f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | ed5f4213c17629776cd75510648fc019 |
| SHA1 | ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9 |
| SHA256 | e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87 |
| SHA512 | 71bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 84b419bce013a5cced7c276af566efa2 |
| SHA1 | 8e4c5f1a3ef85b6c866d93695a7877d4ab0f369f |
| SHA256 | 30b6bb5773645498d353be5abbe3254ff155f39d07ab1e3a6f5243b60e5666e9 |
| SHA512 | 34ef07f113556d1db6c6b689bfcba5f01fe9545061bb6d114665c9beac963ce952d7f8df35c6ae0f3c35886b99848f82202b8231c8c937b1df79f8fd2a8623f6 |
memory/3824-384-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 1a9fdaea7ca13959276c9d684bf3433f |
| SHA1 | 00ac54c986c706ddbb87ceffc9b57d73319ef42f |
| SHA256 | db0ecc0d2ab73d3aa08402b19745b84bd777ba1ffa9e58c58215f1c691bd84e6 |
| SHA512 | 9dbeeaf2a1527c137297a84bd75daa894225a84739df67db5269218f37776fa263c954d95d1de58a4b48a07f204a86acae15bea1b3518fd21aaec893132ed4a1 |
memory/3472-405-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/3472-407-0x0000000000400000-0x00000000004A2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3442511616-637977696-3186306149-1000\0f5007522459c86e95ffcc62f32308f1_5ab270f5-f3a9-47d1-97d7-bbd50acf9955
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
memory/3472-426-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/3824-428-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 7a1f5c63b2cb94d0ce1b6985337ef685 |
| SHA1 | 9ff5a2b853d696b6795ac661f499b4d9d42e043f |
| SHA256 | 8f5acace14afb74c1294d6a1c33e1a1eee50fd599515f1808c23729a263fc0ad |
| SHA512 | e7ec025f1eb2372fea5bcc6472656cdfb47367083c8ebd702f8b1b426c30e007bba06d381a18829fdf03901f6f3296e50e9f662bd6b7420599713d9c7e53d930 |
C:\Users\Admin\Downloads\Unconfirmed 656225.crdownload
| MD5 | e0a3ab130609c80b452ee423d3a55355 |
| SHA1 | f5408df5f8d2765738db8f5080bb88cab105c038 |
| SHA256 | af1de4b7c65071f490cfd1425c45c9538fd7888cb7dc509304d8ec11cb046649 |
| SHA512 | 9326653d66a9866d517cdcdeb1abdf3fb8fdb2a8bc8c2324c916c10aabc7d5ca417c54c7409f0df6454041ad4c446b06b56510e7cc1eaa2b3cf54ec47cb79ae4 |
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM
| MD5 | 5dbb3658c2237679c7c64376f4991ec9 |
| SHA1 | 6893e8cb7e8889315ce60559e83ca36cd59a1aee |
| SHA256 | c30f2b2369ae5de4e54a5e520213c646ff41487ce25577aa6c8a08dd5a927238 |
| SHA512 | fbccb3f1e06354e3c09b2a0b606b080064abdb8f49ca06bd2ebacdf35531c8e672e9c6a3398a1348e617677dec55d0426786ae7d8f965b888698eed86521db4a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | ae9da751f8a1cf187c97b161190e49da |
| SHA1 | 97a3a0f168c46e876ad658cded8e12056657d0b0 |
| SHA256 | 7aed9b63c19787170b039307f30089d4ff70ba88540cbe9531862a2ff3ff0cc0 |
| SHA512 | 17e007cf48b66e27d6c27037dadf1469e138e48f97454eca3757f3ad88f0a7cc12806a96132e216d646bb17cb7721e945b555d9b431e19f084e47de5aae99a75 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | d4eeeb598cd7b6b5b35e416cb09627df |
| SHA1 | 5a94e033c01d51e27ff4af4ccdde5f81548e879a |
| SHA256 | 20d861257e29a92f3fde6dd573fbe110f86f4970255106f58581ca460e6efadf |
| SHA512 | 7dff1d2ce3c31a011b3e9074d843b69a2fbe660f966676a67f495ee47311c468aec001412c7faf2448c330f954747f9b0a6729f994fa26b946f261d9dc4dcca8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 34babe2949c9cbe0b5d9f62e2ac3b150 |
| SHA1 | 619858535e87fdd3aaa580cf1357d39034e73664 |
| SHA256 | 571ae24d8dc8d5aedeb139b6e0c06e0fe2ec1781bafa12dcef2eee8c4ae09a92 |
| SHA512 | 6154102cefa70d0cd52df56615dfc69bb3c1ed7aba19bdef105a89c039bdcafd595bb0ccaeb6e0573bad0de83d4e3c2423fce52e3dffdc8772602c99aaf36ef2 |
C:\Users\Admin\Downloads\Unconfirmed 168581.crdownload
| MD5 | b01ee228c4a61a5c06b01160790f9f7c |
| SHA1 | e7cc238b6767401f6e3018d3f0acfe6d207450f8 |
| SHA256 | 14e6ac84d824c0cf6ea8ebb5b3be10f8893449474096e59ff0fd878d49d0c160 |
| SHA512 | c849231c19590e61fbf15847af5062f817247f2bcd476700f1e1fa52dcafa5f0417cc01906b44c890be8cef9347e3c8f6b1594d750b1cebdd6a71256fed79140 |
C:\Users\Admin\Downloads\Unconfirmed 168581.crdownload:SmartScreen
| MD5 | 4047530ecbc0170039e76fe1657bdb01 |
| SHA1 | 32db7d5e662ebccdd1d71de285f907e3a1c68ac5 |
| SHA256 | 82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750 |
| SHA512 | 8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3442511616-637977696-3186306149-1000\0f5007522459c86e95ffcc62f32308f1_5ab270f5-f3a9-47d1-97d7-bbd50acf9955
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
memory/3472-583-0x0000000000400000-0x00000000004A2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 20922b29fe2193dc85f6e9ec8a564371 |
| SHA1 | ba327ef7d35d20f088ed6866142eaa6b3a9f3d01 |
| SHA256 | 7255881ca8243138b0e0dc4b571a7624fcc1d9357f2d53eaec2c55a896937672 |
| SHA512 | b7026418d94041c98291bd404a5b56f8cfefa36df1e9b65e2127df0b3fe038e05ab4b8901db7d96b717f3dde8dcf65a997a9e8513b059e21e038e90e7700916c |
memory/3480-605-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 4f760ae751d68ca84f98aa941e72b1e9 |
| SHA1 | 741fa359ab802a9f44a59584b19f9ca9853ab92a |
| SHA256 | ad395168a4594bdaa5a5d4031c09af83c4a364f389693e12f18e932c9418e081 |
| SHA512 | 71732eb9210efa6c22fa8a884c4ab9c7487a2265c9406ff109012e5886930ba622e22469dc63c9e8dcb283391d2778a177d1c8a4bf66c6188a9bc2514abca9e8 |
memory/3480-619-0x0000000000400000-0x0000000000409000-memory.dmp
memory/4800-631-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Windows\System32\Administrator.vbs
| MD5 | 202a1eac250d555a6e58c12155a5686b |
| SHA1 | 1f9b2c10d7e1c22f613f7c546baa01164635b4ac |
| SHA256 | b1063be60335a912a642a16cf8d6c33613951cc79c99e530f0d2efacb2f99563 |
| SHA512 | c155ca5813cb423b16077227f8fbbb339851dac2b3f7d1bcb343875424e43ea7c735178d04567199a2f3d5980a322723693920b7426a28916ac723aa52674af2 |
C:\Users\Admin\Downloads\Unconfirmed 935111.crdownload
| MD5 | 6536b10e5a713803d034c607d2de19e3 |