Analysis Overview
Threat Level: Known bad
The file https://streamtoearn.io/ was found to be: Known bad.
Malicious Activity Summary
Cryptolocker family
Dharma
Fantom family
Dharma family
CryptoLocker
Fantom
Deletes shadow copies
Renames multiple (664) files with added filename extension
Suspicious Office macro
Disables Task Manager via registry modification
Downloads MZ/PE file
Loads dropped DLL
Credentials from Password Stores: Windows Credential Manager
Executes dropped EXE
Drops startup file
Reads user/profile data of web browsers
Checks computer location settings
Adds Run key to start application
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Drops file in Program Files directory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Interacts with shadow copies
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
NTFS ADS
Enumerates system info in registry
Opens file in notepad (likely ransom note)
Modifies registry class
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-02-20 00:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-20 00:59
Reported
2025-02-20 01:05
Platform
win10v2004-20250217-en
Max time kernel
344s
Max time network
347s
Command Line
Signatures
CryptoLocker
Cryptolocker family
Dharma
Dharma family
Fantom
Fantom family
Deletes shadow copies
Renames multiple (664) files with added filename extension
Disables Task Manager via registry modification
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\Fantom.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\WinNuke.98.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\CryptoLocker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Fantom.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Fantom.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe" | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\$Recycle.Bin\S-1-5-21-1170604239-850860757-3112005715-1000\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1170604239-850860757-3112005715-1000\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\CoronaVirus.exe | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Windows\System32\Info.hta | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MotionController_Diagram.jpg | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailWideTile.scale-200.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_partialselected-default_18.svg.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Staging.DATA | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\DECRYPT_YOUR_FILES.HTML | C:\Users\Admin\Downloads\Fantom.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\System\ado\msador15.dll | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\PresentationUI.resources.dll.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_altform-unplated_contrast-white.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\FetchingMail.scale-125.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\ui-strings.js | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Compression.Base.dll.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.dic | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-256_altform-lightunplated.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-pl.xrm-ms | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-MEDIUM.TTF.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_mi.dll.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\ReachFramework.resources.dll.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-conio-l1-1-0.dll.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\CASCADE.ELM.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\fil.pak.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\playreadycdm.dll | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\ContactPhoto.scale-140.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-96_altform-unplated_contrast-black_devicefamily-colorfulunplated.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\ui-strings.js | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\PSGet.Resource.psd1.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.png.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationProvider.resources.dll.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\WorldClockMedTile.contrast-white_scale-100.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-36_altform-unplated_contrast-white.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\ui-strings.js.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.White.png.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-125.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-48_altform-lightunplated.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_BeforeEach_AfterEach.help.txt | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OSFROAMINGPROXY.DLL | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\id.pak.DATA | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Linq.dll.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Light.scale-100.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\ui-strings.js.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-pl.xrm-ms.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\am_get.svg.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLargeTile.contrast-black_scale-100.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jsound.dll | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.Primitives.dll.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-16_contrast-white.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\core_icons.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBook.api.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Internet Explorer\en-US\DECRYPT_YOUR_FILES.HTML | C:\Users\Admin\Downloads\Fantom.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\legal\jdk\icu.md | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\PeopleLargeTile.scale-100.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-processthreads-l1-1-1.dll.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.INF.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-24_altform-unplated_contrast-white.png | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adc_logo.png.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ppd.xrm-ms.id-CFBE28CC.[[email protected]].ncov | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Fantom.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Fantom.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\WinNuke.98.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\CoronaVirus.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\CryptoLocker.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 824397.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 875959.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 6192.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 363008.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:SmartScreen:$DATA | C:\Users\Admin\Downloads\CryptoLocker.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 825095.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Fantom.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Fantom.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://streamtoearn.io/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff971f146f8,0x7ff971f14708,0x7ff971f14718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5716 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1900 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6456 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6280 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6216 /prefetch:2
C:\Users\Admin\Downloads\WinNuke.98.exe
"C:\Users\Admin\Downloads\WinNuke.98.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6508 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1212 /prefetch:8
C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\mode.com
mode con cp select=1251
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2248 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6584 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6804 /prefetch:8
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\Downloads\CryptoLocker.exe
"C:\Users\Admin\Downloads\CryptoLocker.exe"
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
C:\Windows\system32\mode.com
mode con cp select=1251
C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\e8d89aef93d94ad4977d1e545b3889b5 /t 21972 /p 21964
C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\fbfc2ceeb77342cb9ac583b9aecf0461 /t 22308 /p 22276
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1164 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3968 /prefetch:8
C:\Users\Admin\Downloads\Fantom.exe
"C:\Users\Admin\Downloads\Fantom.exe"
C:\Users\Admin\Downloads\Fantom.exe
"C:\Users\Admin\Downloads\Fantom.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,1053204874046494246,14006204166959126793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Zloader.xlsm
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | streamtoearn.io | udp |
| US | 172.67.74.167:443 | streamtoearn.io | tcp |
| US | 172.67.74.167:443 | streamtoearn.io | tcp |
| US | 172.67.74.167:443 | streamtoearn.io | tcp |
| US | 8.8.8.8:53 | app.streamtoearn.io | udp |
| US | 8.8.8.8:53 | upload.wikimedia.org | udp |
| US | 8.8.8.8:53 | d1jl7r3beoolrj.cloudfront.net | udp |
| NL | 18.239.38.20:443 | d1jl7r3beoolrj.cloudfront.net | tcp |
| NL | 18.239.38.20:443 | d1jl7r3beoolrj.cloudfront.net | tcp |
| NL | 18.239.38.20:443 | d1jl7r3beoolrj.cloudfront.net | tcp |
| NL | 18.239.38.20:443 | d1jl7r3beoolrj.cloudfront.net | tcp |
| NL | 18.239.38.20:443 | d1jl7r3beoolrj.cloudfront.net | tcp |
| NL | 18.239.38.20:443 | d1jl7r3beoolrj.cloudfront.net | tcp |
| NL | 185.15.59.240:443 | upload.wikimedia.org | tcp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 216.239.34.36:443 | region1.google-analytics.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 216.239.34.36:443 | region1.google-analytics.com | udp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| GB | 2.18.27.82:443 | r.bing.com | tcp |
| GB | 2.18.27.82:443 | r.bing.com | tcp |
| GB | 2.18.27.82:443 | r.bing.com | tcp |
| GB | 2.18.27.82:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| NL | 20.190.160.130:443 | login.microsoftonline.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.110.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 185.199.110.133:443 | user-images.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.114.22:443 | collector.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 184.164.136.134:80 | tcp | |
| US | 8.8.8.8:53 | yhngandqxbmk.ru | udp |
| US | 8.8.8.8:53 | mdotdfqahgas.org | udp |
| US | 8.8.8.8:53 | bgxgreimgtfs.co.uk | udp |
| US | 8.8.8.8:53 | ocytuvvvpysb.info | udp |
| US | 8.8.8.8:53 | bprclgnvfrvn.com | udp |
| US | 8.8.8.8:53 | olspoxbfowjv.net | udp |
| US | 8.8.8.8:53 | doccdwsrnkov.biz | udp |
| US | 8.8.8.8:53 | qkdpgogbwpce.ru | udp |
| US | 8.8.8.8:53 | hxxohdhyitya.org | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | iiypcuwnrkom.co.uk | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | jwioytmuqmri.info | udp |
| US | 8.8.8.8:53 | khjptlcjadhu.com | udp |
| US | 8.8.8.8:53 | jgcksvrepkid.net | udp |
| US | 8.8.8.8:53 | kqdlnnhsybxp.biz | udp |
| US | 8.8.8.8:53 | lfmkkmwaxdbl.ru | udp |
| US | 8.8.8.8:53 | mpnlfemohtqx.org | udp |
| US | 8.8.8.8:53 | vuhowwigdegh.co.uk | udp |
| US | 8.8.8.8:53 | jqicarmsjpet.info | udp |
| US | 8.8.8.8:53 | wqrljhujcult.com | udp |
| US | 8.8.8.8:53 | kmsymcyvigjg.net | udp |
| US | 8.8.8.8:53 | awlmbpqkgpsb.biz | udp |
| US | 8.8.8.8:53 | nsmaekuwmbqn.ru | udp |
| US | 8.8.8.8:53 | bsvjnadnfgxn.org | udp |
| US | 8.8.8.8:53 | oowwquhalrva.co.uk | udp |
| US | 8.8.8.8:53 | elrwemmanwdb.info | udp |
| US | 8.8.8.8:53 | fvsxyhsuttij.com | udp |
| US | 8.8.8.8:53 | fhctqwydmnin.net | udp |
| US | 8.8.8.8:53 | grdulrfxsknv.biz | udp |
| US | 8.8.8.8:53 | invuifueqipu.ru | udp |
| US | 8.8.8.8:53 | jxwvdabywfud.org | udp |
| US | 8.8.8.8:53 | jjgruphhpyuh.co.uk | udp |
| US | 8.8.8.8:53 | kthspkncvvap.info | udp |
| US | 8.8.8.8:53 | kslkxuilopir.com | udp |
| US | 8.8.8.8:53 | xomxbmvuxuva.net | udp |
| US | 8.8.8.8:53 | mrvkpfubpvxq.biz | udp |
| US | 8.8.8.8:53 | anwxswikybly.ru | udp |
| US | 8.8.8.8:53 | oupicnqprbul.org | udp |
| US | 8.8.8.8:53 | cqqvffeybgit.co.uk | udp |
| US | 8.8.8.8:53 | qtaitxdfshkk.info | udp |
| US | 8.8.8.8:53 | epbvwpqocmxs.com | udp |
| US | 8.8.8.8:53 | sjvsfkmtyiuh.net | udp |
| US | 8.8.8.8:53 | ttwtacciiykt.biz | udp |
| US | 8.8.8.8:53 | uigswuyjaokg.ru | udp |
| US | 8.8.8.8:53 | vshtrmoxjfas.org | udp |
| US | 8.8.8.8:53 | wlaqjduxcthb.co.uk | udp |
| US | 8.8.8.8:53 | xvbreukmlkwn.info | udp |
| US | 8.8.8.8:53 | ykkqbnhndawa.com | udp |
| US | 8.8.8.8:53 | aulrvfwcmqmm.net | udp |
| US | 8.8.8.8:53 | ijmmgxtouqfg.biz | udp |
| US | 8.8.8.8:53 | vhhcjsxpmbex.ru | udp |
| US | 8.8.8.8:53 | jbkftoyegpob.org | udp |
| US | 8.8.8.8:53 | wyfuwjdfxans.co.uk | udp |
| US | 8.8.8.8:53 | krqirdqsggvi.info | udp |
| US | 8.8.8.8:53 | xplxuxutxqua.com | udp |
| US | 8.8.8.8:53 | ljobftvirffd.net | udp |
| US | 8.8.8.8:53 | yhjqioajjpeu.biz | udp |
| US | 8.8.8.8:53 | mnwqimblnbjq.ru | udp |
| US | 8.8.8.8:53 | narlphhrfihe.org | udp |
| US | 8.8.8.8:53 | nfujvdgbyasl.co.uk | udp |
| US | 8.8.8.8:53 | orpedxmhqhqy.info | udp |
| US | 8.8.8.8:53 | ovbmtrxpyqas.com | udp |
| US | 8.8.8.8:53 | pivhbmevqxxg.net | udp |
| US | 8.8.8.8:53 | pnyfhidfkpjn.biz | udp |
| US | 8.8.8.8:53 | qataodjlcwhb.ru | udp |
| US | 8.8.8.8:53 | orsrnmlnympa.org | udp |
| US | 8.8.8.8:53 | cpnhqeyipden.co.uk | udp |
| US | 8.8.8.8:53 | qmqvedqjmtkq.info | udp |
| US | 8.8.8.8:53 | powertoolsforyou.com | udp |
| US | 8.8.8.8:53 | ekllhueedkye.com | udp |
| US | 8.8.8.8:53 | qawnyrirkcgc.net | udp |
| US | 8.8.8.8:53 | exrdcjvmbsup.biz | udp |
| US | 8.8.8.8:53 | suurpinnxjbs.ru | udp |
| US | 8.8.8.8:53 | powertoolsforyou.com | udp |
| US | 8.8.8.8:53 | gsphsabioapg.org | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 71678a9de9a3336190ff95537cd87a7b |
| SHA1 | 9e213afb4f6397c8e64c2bcb8cd36931845a0474 |
| SHA256 | ac58d2d4beb00dc62fb0a5b50cac02d2529cb51733065ca5f1763bd810371c3c |
| SHA512 | 5f402598e4533d1a25e802353387725753ce54c7638515f91d80db2eed13ee9a676ae401e47ab424f57bdd5f3d6b75e577027fee10ded7cea0d99cbbd3c0c937 |
\??\pipe\LOCAL\crashpad_4596_IPMLCMIGJKECWCQJ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e77abac3d03f5b27ca6d587bff7cfce4 |
| SHA1 | 2398274b1f425b428b6860d225d691ccd6cac355 |
| SHA256 | eb56f6b62d68039ebff870d1968be6d2499c3ef9046555c20b1623eaeadf5c03 |
| SHA512 | bfb7aa7973e3ef57df95a42c7ce0e7ec1fa4afe0276802f38f3791e4a4d2aa9af300887fbca7297b75276415ecae7cc7ac0c413a3c95345e7b3354407c770a7f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9c9de85b592b9e5aae7cdd90f5f14606 |
| SHA1 | 15929d08bd724d9827b851fa58ad1daa1c19e3c9 |
| SHA256 | 2a0c3150f8961ebbcea9a887756920393e0a7d20d0b6865a7b56d1752771d786 |
| SHA512 | 7906352119097f6e81a762acc88e336371fd4f0e46098e7990f842984185decaf3585dee1f534cce43a8727636748471dcae4c3c7c1c7e4d0b1e94af9ba98736 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 1ed2d1e0e39233177d68a3a959403d14 |
| SHA1 | 1173f39dace903d7b5bca7090188436ed54cec66 |
| SHA256 | 3cf218c9b05a4f20083c444d94f4e0fde93f0fee60e7e6a13db794730b8f0f2b |
| SHA512 | db73c56e6748bc21096eaad350f0762e0810fa873543b50b5e6744d37feba3521fbc6f300a739979dbf326962c814b14d2cdf4f16cbd6bf9c1d6400bff388993 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 36caa19562badac74485c85eb83710cb |
| SHA1 | a7ee194d80e433d0864c5a8f83c5fe611924e49d |
| SHA256 | 3caa83d391209a2a7072630be27e9eef7de4eab88d7b8e3ee920d54fd3430fb2 |
| SHA512 | d162fcb7f510f6f1cc4a0232c5fecf3b8db18556cc439c19d41687ec21a32b5bae036b9fbfd9059d78c7bacd549102cfe4187cfc02e3a5f324795f0ce0904c40 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 4b1e7acd32825c7f744f494e7081e758 |
| SHA1 | eed26dc816512e0fa20db9c7d3fe946a2d7fe516 |
| SHA256 | 253253417e3ebff861efe55924d12a6508f7a322b2c0cfa79fb8ec635cef9ffb |
| SHA512 | d8c055b43d75b029908d10cb2d5310f99fdfaa741a406bd9cb2c6a7d606eaa1373dc8ae256403572ef9dbf60315505134fc668c9525cf76638c895a5d2f083c5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 8ab1b6afc898c123f8fad493260381f8 |
| SHA1 | 22fc7a234c1121e8e3521e0a6c81dd930cc64f6d |
| SHA256 | 8a47618c1e4e0afed1802bbb6d7176c5b02798b7b67309d8c035c7e4aca4619a |
| SHA512 | a22d61a8dd192b28427a9298776c97bddc35fb955f10dbc661a473d3ae6ce0127eb8c2e62b0ce346ffdc54ebc7d7e59e45f1b8c4142a43e885a10211ec9c4314 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | f8d90d4275158d072b50db4e0afeb933 |
| SHA1 | 61b5e3125fc641445d06efe3657d089016b5b595 |
| SHA256 | 01d6155c9c3c339150ff6ff99b171c65847bd492fe0e7dd00fc729007df79a11 |
| SHA512 | d28c8986267a7e62b5941416db0a8cd238cc28ab30926ca7936a42b6814c3aed76167955819f3bf7eb63db147b6d3e0b41e7e4cbbbe1fb4fb961d1286235b527 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58341b.TMP
| MD5 | dfd1abf2e9a05e3c8142c761c884a0b7 |
| SHA1 | fede2cd363613844dcca4b9d85303093c30a4c57 |
| SHA256 | 4c0e4a5d62f2b6352bfd717a19c06ec74315dec4d532895af067f2743e5ad5fe |
| SHA512 | dc7649de0c9f6d3ab3d0f5d11198c7c4e48727c9c286d7bc7866c2cd1b0d6ce6f8ddffd04228c90ffc0a7dd53845e3c23c2c0f4abbce5e851549d82fee0a15d9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 93d20fbbfe8c1b8d9c18f0dcbf5b4b7a |
| SHA1 | 1555bdf60ac1442e6f47c941b310cf111cb81c51 |
| SHA256 | 9ca01765bf3388d3889908f0b214ae4ef1d1e44f4dcf1d3a369bf12de74f9d62 |
| SHA512 | 7c50d19db80fb62090cf7243050fbe7a0013e9acbbfd3e9cc213e71baae9f1c4b854e6ef5dc8039b52831e868fba319eabbb558006e16e6bafda42ef1e47a4b8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 2ecba00f54d23d49fc84487e2a844c33 |
| SHA1 | dc92fb2ddd172b306a6958ee7d63bf57b79b1265 |
| SHA256 | e96d02d5bc1c35860b48f793d49ee7a1a9b7dca17e7275fb185a043e9a3cead7 |
| SHA512 | 9dbe01bd1bbeddbc88b7fe02180bf9e06e67a467dc945e635c5b63a1378592c275ac30ca1efa41931800ff4404da2d8408420b7a83625170dd69e451f69481f1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 46662349d932e6bbf394cefd34625313 |
| SHA1 | 02cb7a8c13414fdae7fe38c3067865dea6e2b5c9 |
| SHA256 | b16d3ba230943ec5c32cb09d330cc623cd0a6da16a5e0e2efa8d0a5d066925dd |
| SHA512 | 928d190fb0617ebfd7ef0f0fa2e5fe3ce176a161f3aa16be60dda5b6943b794e51be33ba118bde3a21f41c7a8e2281d80183947f89a1852c8971da316c78e2c0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | f2e3b3759e901cf29aa428fb0ee1b27e |
| SHA1 | ef1a6b020648ea39acb8eb703208155917609998 |
| SHA256 | 1a40d46aaab4b8cde6dad9b34bf41b90c1b36a62761c62c405e3ae36b7cd1b16 |
| SHA512 | 54373b6847a12dc0d1c7272c55541b63b80e905016025fd3fbb2cbb1e69282aaf5b4c502269ce473bc49f6da832b3ffcbd2f236686df1de952b4c3e15e3e8033 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | f1cef90d56bed0b9d9b0fe7f9b945b0a |
| SHA1 | 3677b8f7a8b503569d2b918bf503e219379c9f8e |
| SHA256 | 5752df09882d8f130744ab450cbb0b302af1cb7eb1213a6bd6bf0e39cf539d6e |
| SHA512 | 719b28852e9cd8f72ad9ecf4ab4961e6b7944205bbd5054da4f73b186877d6e741fe22031ae1c5343ad9bfeca8cd5478b670ede45bb8dbf5c3a533ba065ea440 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 445605bad3259cd60c8becb2621317de |
| SHA1 | 354cbcf374982338addf969e4661415808306861 |
| SHA256 | 4d8dadae68d2248e58eefb740f64cb4ae4d576540ba718ee85453cc47aaf7aa5 |
| SHA512 | 54e040d265261f98dd625ca7097db1105b0c0511b11a7320ab7dbd347e799b0e58be3e1d1e79cb3c32783680d25e7bd39d161da70ab6d7cdbda5d1c782113cfe |
C:\Users\Admin\Downloads\Unconfirmed 824397.crdownload
| MD5 | eb9324121994e5e41f1738b5af8944b1 |
| SHA1 | aa63c521b64602fa9c3a73dadd412fdaf181b690 |
| SHA256 | 2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a |
| SHA512 | 7f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | cadd7f8ab04dc7bfc713d9e6a347ed76 |
| SHA1 | 4189add575694dc7d8c57bdc430763a4ab476dd1 |
| SHA256 | 0d21aaaf4e13f95cf6066762be5d366ec2df77828554b105151b74aaa4f5b1c1 |
| SHA512 | 20fa18fa483d888609cb8561a364581f9ca5d3278f12edec72b7961d8ff946417cf88fcde204a595c5a0d871e65b6a60a0271e5d9f8ceebc9a2d20f6c2ef6a96 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1b02d8fd607c830d707a79992a9dbec3 |
| SHA1 | 3fce9fef4ae7b669e90cd31f206aa82ccbe7181c |
| SHA256 | 9e3db50eee40ece88ad5ed7bbf1c19ec2fe016cbb9a13b005ef7b3f0f6d38d95 |
| SHA512 | 9a96afd74aaeb07b2ae5e7b07f79463cfcc9931683ffec9de2e95c24842fb475b6a719839200b8e7a95105107e99ff9306a5a2557c0c681240c7128403784efe |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | a05cb3928cd3cabd9e2565354d48061f |
| SHA1 | 05a49b93a36caedb76bb24ca82ee550992611276 |
| SHA256 | 2b835278d78e43c0af6786111b269a5d4f9fd5dafe387501166aacd81d7cb556 |
| SHA512 | 73f82a8571ecfd9891fddb66573d95a36f3d85ad658469880593aeb6d439c52a978f5a6de763ad4b2aa36b8007f72573b92ac4a91afc46961801cff3898ad282 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | e142c3b734913df8d0062bce3ac59e61 |
| SHA1 | a7f718484e714a958b9adb46cc642d9c87a62365 |
| SHA256 | 1df2421e96712549436037ca55de642d2859dd9ac7a79bc9459ec11f2f442798 |
| SHA512 | 7b60d3b5cf89fda5f55d3926060f38b550239fa126abd8f380e82acc23e7279d3e8ccfeda37cfc8a5cb8b883b781af3bd717f5d573c5347cd60b69f3aa6b31ef |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | e34f48cd64d8d6567de389b865c08ab4 |
| SHA1 | aa641eba2201862624a67a164fd4d86f0d177b36 |
| SHA256 | 3c3d82f3ae116d082333ff9763ab5a86f70ba0aded2c7757e4a673fa7298e1f3 |
| SHA512 | 7bc0ef8d964be59270a1333135e42c18a7cea0aee360b1a472e29aedf9bfbfeabbf2b1999ecc37203521d77ef60494599d996d6eb3e9c9b7396b27b3921318aa |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | a3e71ed2351160ec7f94ce3313af6368 |
| SHA1 | bca0b8926acab49e85c4aaae563e18b01789f08c |
| SHA256 | 575e8d9543eaec14c91e5f6ed806aef99c14cd1e9c811cdddb2b5e755e1c7b58 |
| SHA512 | c6dfff2671f34390ec502d6844d7a280d994c042a06c6dfaa1ffa58b813e6a4fdbffc6640a9f5cdc3efb43aefc5d3930bb6b6906f1362f327e42a31bbaa6098b |
C:\Users\Admin\Downloads\Unconfirmed 875959.crdownload
| MD5 | 055d1462f66a350d9886542d4d79bc2b |
| SHA1 | f1086d2f667d807dbb1aa362a7a809ea119f2565 |
| SHA256 | dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0 |
| SHA512 | 2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 6fd316f591a41942f2baed8d4d85db04 |
| SHA1 | d1f56176a00eec0a59fc39f0cac916ccfa332fc3 |
| SHA256 | 9a25d9c08fca0c7a3891614bce0389962429a5a1931787aeb781b0b097d5f20c |
| SHA512 | b502220d63a4c4f9020abeacf72e2f06c15229d4a05c2fdfa6e3128a608feda2126eaf8455cbcb8e743717a1d2c51e8f7ae40e2f0a6eb9d18982d43ba270865c |
memory/672-684-0x0000000000400000-0x000000000056F000-memory.dmp
memory/672-695-0x0000000000400000-0x000000000056F000-memory.dmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-CFBE28CC.[[email protected]].ncov
| MD5 | dbb5f2e6ca632421d7b3cacc9139a387 |
| SHA1 | 1a959935ce53b69dca9c1d0177a1dc062e1aa3b4 |
| SHA256 | 0fdca5867517a704efde058714016bbd29afc6134e36d78a94e73c19fa0ffdd4 |
| SHA512 | bccfbfbc805c407beb80d10c060d7f661e1e9dfb32f6f81e48a7925d20acbcd4a4c00a6765c0fcfb02096347710d9cb5b9d43fa68c52c81e863c372a7c1a0505 |
memory/672-5120-0x0000000000400000-0x000000000056F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 5b11dbbd6385cb4b2ced2ccc2e31f276 |
| SHA1 | 57be4ef8a13f8eb775b0d162d5f32d9b0924e0df |
| SHA256 | 7592696e8725fd7aba176aec3a9babf04ceee5b8a9d54e8242e9826440b652cf |
| SHA512 | bf7fe41ac30420aca5beec7bb68d4968b44773761fa3dfa8a9273923d4f62b1b3d1f79b9d6eb771cc9f7e9716dd158c525d4e23fef70aaddcbcbc972db8aeeb6 |
C:\Users\Admin\Downloads\Unconfirmed 6192.crdownload
| MD5 | 04fb36199787f2e3e2135611a38321eb |
| SHA1 | 65559245709fe98052eb284577f1fd61c01ad20d |
| SHA256 | d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9 |
| SHA512 | 533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db
| MD5 | 9e02552124890dc7e040ce55841d75a4 |
| SHA1 | f4179e9e3c00378fa4ad61c94527602c70aa0ad9 |
| SHA256 | 7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77 |
| SHA512 | 3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 864a32b7df99ec7f27a325772b746063 |
| SHA1 | dd54385b07b8fb820238cc2e4bba4cc36fe57efc |
| SHA256 | 7df482d421d73a96a15d4273e16c5a3b246975f0763d7de3cf809d407fac7d8d |
| SHA512 | f538b00bef08f3142b24fef95cede1e3f1df3d1fd7663ae1a5f56b7164e57ad3e4a6f195c8dd525a161cb7fe2f47041b4ca4849c2e5664b968e82debe7f27b3d |
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
| MD5 | ad8536c7440638d40156e883ac25086e |
| SHA1 | fa9e8b7fb10473a01b8925c4c5b0888924a1147c |
| SHA256 | 73d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a |
| SHA512 | b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011
| MD5 | a46af05a14bf13c4d2dfdad802c8fedb |
| SHA1 | 6bc23c26addb2ff9b8552084bbcd5736c8e969e6 |
| SHA256 | 73741cd0fb61b93351dd78c11279fee0dbdccbfa534776657c82f50e6e85a4a7 |
| SHA512 | e7e3bc56bc39719758867144a6d3a34d3747e014cb4c39c2ac19cd4dfea3e8b4410ca7dc9083b515c199263daee4aa54d21cd2099258d1b2e65076b4ff0c7670 |
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe:SmartScreen
| MD5 | 4047530ecbc0170039e76fe1657bdb01 |
| SHA1 | 32db7d5e662ebccdd1d71de285f907e3a1c68ac5 |
| SHA256 | 82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750 |
| SHA512 | 8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e |
C:\Users\Admin\Downloads\Unconfirmed 825095.crdownload
| MD5 | 7d80230df68ccba871815d68f016c282 |
| SHA1 | e10874c6108a26ceedfc84f50881824462b5b6b6 |
| SHA256 | f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b |
| SHA512 | 64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | e548fc097ea01736aad089c97c4a5d7c |
| SHA1 | c9efb9cd3a62c8398b639a88c9347b828fcdd4d7 |
| SHA256 | bddf2d64bfe2577a3934ccc83cfc9b6f70c13dab7c05de9819d27274767bec77 |
| SHA512 | f48769bc19f4f21215e2bff77b7f06cc86fc375c12d5498771ad93a297489414f1d631ce1c886d97e67906c812ea6c39f30cfebf38864f0633d0f1d4d1436bc4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State~RFe5c0dd3.TMP
| MD5 | c1e43af33a4fc9205fd395fa16170405 |
| SHA1 | 663434bc707fc40277bc0ff41fcfbb08e096e309 |
| SHA256 | 305bfbd97e4e7c211ea1a20548d24e45886d20013d135a3801d164343375986b |
| SHA512 | 1072a29b99aa4da1d752f561bc3c81a8c70389a77a030f4d895ad8daade8a4388671df0f67177aaa5b76b27357470153b80a7edc7ad2f26e41aac9c8b7c81962 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 46398eecf5e3631fe22aaa53de125e1a |
| SHA1 | 69219b71f2b1242779005312f029a6714182213e |
| SHA256 | a6d533a823195a6cca2408b5c005c27e7097d2eaa4e21003145075517cada93d |
| SHA512 | f235bdf7defb3e318bcd5535c4ef4f1fa142aff0c7e77a6c3dbf5cb534234365bb9495ed7253c4db565091791754cea2f7b96b7fd6b18cc659ca406b8b624211 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5c0eec.TMP
| MD5 | 8435987c74db87c0b10eb2d612c53b73 |
| SHA1 | 4181000905e82889892387b44846ffe0f48e8b55 |
| SHA256 | d9d419251e9af5c3eda8a69bfb3fc267ca1c27b21d37fbd73c4f6c22ccfb2dca |
| SHA512 | e80f5826261e23602020f09a1ccf38165b64a55cb1e72c746e71cc78b9f0aca7cb8138fb57d060b28e5765b995291e935c33a2382dcd1e1338de351ffe9bee48 |
memory/20532-27045-0x0000000002310000-0x0000000002342000-memory.dmp
memory/20532-27046-0x0000000002340000-0x0000000002372000-memory.dmp
memory/20532-27047-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27058-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27100-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27098-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27171-0x0000000004C50000-0x00000000051F4000-memory.dmp
memory/20532-27172-0x0000000004B70000-0x0000000004C02000-memory.dmp
memory/20532-27095-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27092-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27091-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27088-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27087-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27084-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27082-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27081-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27078-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27076-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27074-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27072-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27070-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27068-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27067-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27064-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27062-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27060-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27056-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27054-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27052-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27050-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27048-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27096-0x0000000002340000-0x000000000236B000-memory.dmp
memory/20532-27173-0x0000000005270000-0x000000000527A000-memory.dmp
memory/17412-27183-0x00000000023A0000-0x00000000023D2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 0b3081ae26ff7fc568c0ab612822b67f |
| SHA1 | 8427ddbae1f3c1a0de0827e8843fe1aa336e5c54 |
| SHA256 | d4bb59e5c982fa4af0c20aaf2fd4557bea466d5561920089363505d4d90f0ad3 |
| SHA512 | e9273f018ebb16097efb74da2bf7ae0d0a23a732cda67c7a767ced4a769d521278a5c843adcf04abc68d6c4d3dd25abc57a9556159867356fdf367364980cb90 |
C:\Users\Admin\Downloads\Zloader.xlsm
| MD5 | b36a0543b28f4ad61d0f64b729b2511b |
| SHA1 | bf62dc338b1dd50a3f7410371bc3f2206350ebea |
| SHA256 | 90c03a8ca35c33aad5e77488625598da6deeb08794e6efc9f1ddbe486df33e0c |
| SHA512 | cf691e088f9852a3850ee458ef56406ead4aea539a46f8f90eb8e300bc06612a66dfa6c9dee8dcb801e7edf7fb4ed35226a5684f4164eaad073b9511189af037 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 316f0a39cd9f34a0da9ce476fb8b2451 |
| SHA1 | e3d1d4dec88ea2c2f87ed45f1fa4e20c9624bdc7 |
| SHA256 | b40043c367008e735e454a7f85958da71d914e599dbc3415f8d14c499241ea1f |
| SHA512 | 7539ec8034d3f982b8ec621a35c3d5629f0f6a89ef52e6423bd16aed8113228b1a5e4f806a573d72ca564028366ed9ea9208788770c278265f59a20c5bb3689b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | c304509a2cddeaea0437dafefbe48857 |
| SHA1 | 248ee27f338a6c4aa71d3117467cfc2474469e47 |
| SHA256 | 3fe8db5c6b61bd7156e8a56d22f9654afed1a07130ee9e77dde8e0b99232232c |
| SHA512 | d4169fd486c626e85ffe50b6f371851a924a23d23d91816e76f239e0f4c232cab5a3c1db184c20f4bb6f449f0ea80c1cb7cca4a3851dabf7263ac4dc32b3743b |
memory/20532-27383-0x0000000005560000-0x000000000556E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
| MD5 | fec89e9d2784b4c015fed6f5ae558e08 |
| SHA1 | 581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2 |
| SHA256 | 489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065 |
| SHA512 | e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24 |
memory/16260-27393-0x00000000004F0000-0x00000000004FC000-memory.dmp
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML
| MD5 | e0c0ae085b19cd92757a8c5d6c4c2890 |
| SHA1 | 54b10bfc7a1280dd11c270fb8ad740150a098024 |
| SHA256 | a392652ed8ef9095dd6da4fff470eb79fa04b537c2f2cbe5424c6c0e866cfe2a |
| SHA512 | fc5e39a5d812626f6f40fa4492c6fe2a7543526ffec92cd477c29d5dbc42caf3b3c73e594569b6eecf8b2e7fcc186c3f11b1e8599c4b97a037b4dfc2d62dc8d8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 142784187c95167a36fb9f7241de773a |
| SHA1 | 19c5a3784f6fae9250bcee63f31092c87179c287 |
| SHA256 | 8b01c118adcc2c61ab3f0c84ccf3776c29a74541e375269e64b91df3cc5af473 |
| SHA512 | a9d9c553f709667cc589a4eea0a020649760b85465d12668fa7a0ddddaa3e8c3fed5ad01c4f32250f5e39df555d7e54f87a1c444d20cf27e33775f85606ae309 |
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML
| MD5 | 13f393b8a71942a781d642de9b6b920a |
| SHA1 | 3ef9d0b5c31343cabd5ab658b453c68b8ebd8757 |
| SHA256 | f6ce199375771793763f4ebdaa7f7dd2bdcd7863084ce4ec127fb2fa32e8ca9d |
| SHA512 | d7f468a53de53bb9e007bbd81c8c4609b2cdcf115a0ab62c54c54490d10c4c178d2002136ffb8b23c33226293a526644da32bd627e33dcb9333cf1933481873e |