Analysis
-
max time kernel
14s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
21-02-2023 22:30
General
-
Target
kujik.exe
-
Size
32.9MB
-
MD5
a96513026d7c3abdeb5f31abb91dc86f
-
SHA1
85a0327efaa990584591029f61ee9cb8d2eebd84
-
SHA256
c9f747866b3808056c29656c2ed8dc9c74364e09604fe77a1984bd1247605842
-
SHA512
d426a4437a12636c8abb833d870ded636cc4bc332a724558fc0773d856ff101099c28fa5bbe40bf46dfc91052b650fabe18c5988fbf322bac05cf1241f7f81ed
-
SSDEEP
786432:uhNBs1A4fLzRgQCwhcdiUOSqq+vcG9DQSEfrJ7VllwjEcBSZo/Ed0kVNZMTUo:uzQTL6xdiPSqq+v3Ef/llDc0Gy0kVNIZ
Malware Config
Extracted
quasar
1.4.0
kijuk
76t7hh-51153.portmap.host:51153
craciton.duckdns.org:7771
1cfe7ed6-9001-490c-9121-6234ae195f28
-
encryption_key
2C0C62BDD42E42BC77F98F8E1EE713B43F791267
-
install_name
SiHost64.exe
-
log_directory
MicrosoftWindows32
-
reconnect_delay
69
-
startup_key
Microsoft Helper
-
subdirectory
WindowsHTR
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 3 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 3 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Themida packer 10 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 2 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\kujik.exe"C:\Users\Admin\AppData\Local\Temp\kujik.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\runneddown.vbs"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WindowsHardExtention.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\WindowsHardExtention.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\run345.vbs"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\WindowsFileOcso.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\WindowsFileOcso.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX2\ru4n.vbs"6⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\svchost.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\svchost.exe"7⤵
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Microsoft Helper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\RarSFX2\svchost.exe" /rl HIGHEST /f8⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\WindowsViser.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\WindowsViser.exe"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All6⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650017⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile7⤵
-
C:\Windows\SysWOW64\findstr.exefindstr All7⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key6⤵
-
C:\Windows\SysWOW64\findstr.exefindstr Key7⤵
-
C:\Windows\SysWOW64\netsh.exenetsh wlan show profile name=65001 key=clear7⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650017⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\WindowsBase.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\WindowsBase.exe"5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 22526⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\KujikTools2.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\KujikTools2.exe"5⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win10-x64&apphost_version=6.0.5&gui=true6⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffe742746f8,0x7ffe74274708,0x7ffe742747187⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,9034935320215424064,15596838980156518574,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:27⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,9034935320215424064,15596838980156518574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:37⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,9034935320215424064,15596838980156518574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9034935320215424064,15596838980156518574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9034935320215424064,15596838980156518574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9034935320215424064,15596838980156518574,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9034935320215424064,15596838980156518574,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9034935320215424064,15596838980156518574,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9034935320215424064,15596838980156518574,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9034935320215424064,15596838980156518574,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,9034935320215424064,15596838980156518574,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5264 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9034935320215424064,15596838980156518574,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9034935320215424064,15596838980156518574,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,9034935320215424064,15596838980156518574,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6480 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,9034935320215424064,15596838980156518574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7056 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings7⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6729a5460,0x7ff6729a5470,0x7ff6729a54808⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,9034935320215424064,15596838980156518574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7056 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,9034935320215424064,15596838980156518574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,9034935320215424064,15596838980156518574,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5420 /prefetch:27⤵
-
C:\Users\Admin\Downloads\windowsdesktop-runtime-6.0.14-win-x64.exe"C:\Users\Admin\Downloads\windowsdesktop-runtime-6.0.14-win-x64.exe"7⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 3476 -ip 34761⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5cd4f5fe0fc0ab6b6df866b9bfb9dd762
SHA1a6aaed363cd5a7b6910e9b3296c0093b0ac94759
SHA2563b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81
SHA5127072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD51d40312629d09d2420e992fdb8a78c1c
SHA1903950d5ba9d64ec21c9f51264272ca8dfae9540
SHA2561e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac
SHA512a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
48B
MD5562a210ad8b9d00c9ef9f9c66c858462
SHA161230be8f10b96ba039a481c2997c9153fdfe476
SHA256e7b78ecc301ed52b2849ec693cb8a6a93bd4dcd09f03c688039ea2e45412297c
SHA512a9e877e59014a8d2eac6715f4cc6cc399ac9c6e1ebb9644d8ee79529960f289f5557290d48e283ae1af6230eb6a1298a8e2378af419d27952f1efd593fcd9375
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
384B
MD5213b2d6319305dc1eae262430c76d86b
SHA12e401905627e428dc8571f9c218eaa4572102dc9
SHA256c1b51bccd8c82149bcb8b4090f764873a6c224e35d9c672cc364b872246dbc3f
SHA512cf162b74503e79bdf000998deb10ea59839c69fee1f2f2bede16b8eb7b8c8d34553ed80a5d07c7463c37cf12f4fa53c37b6b795d2281ea60ad6d2982b403f4d9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoFilesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnkFilesize
2KB
MD56bcb100f4986a90448747a578dcb4f20
SHA198ed6943a8615298bc8049be386ff5b1b2950dbc
SHA256492a77db12a90a04eb0ece0b1b4ef646ea766c26dc7d0106c254d01c91e03e6f
SHA512a0e46ab69046fef586baf636f18d6fe3e36e8689b765f1624d1784bb00b1cab3a9dc690692332485afc2dc2faae42c2608a07e85eab8d8aee4017a92536e009a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD596d3c6011bc02bdd934f3606644b5665
SHA141dc2f8014b9ce3dfaa8c189de506083460a2b21
SHA2568008e2468de69e447b7701ebcf4ff371ca3f87169fc53e196e64fad2052888ce
SHA5126b3596b8b0e5e91006f1ea834f6e4526ca1c9f97ec55926461bf560015e8c72c266ac868589ccb7b86079a3f8da22d47d712c472783867de210aae96ddb882f5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
4KB
MD59864dd8c09f26620333587100f90e7bc
SHA10ad818d3aec5e308a5bd7f4c3d362e4d752a5517
SHA2564b7a4e37af2a39790a263c8d9adecb3f0c1ab2e5b37bb0520ed76d494a0d73a6
SHA5128a7e3a423c8141b90a27426bbdbe2570ed90d7587058f4ceee4b8094bd2968a411ce2c89b93dfa598de2316c276c9d1fe8da3232332515b49101d1a6ed4af0f5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
4KB
MD5d8cb4463f8f287c06e059a125a082cf8
SHA147890349125f1d4fbd20e8bb2205e2f2f2f6f19d
SHA256c35836a76cc55949abd45795bb4a9e52d81a8d3da708260faf813c97c02e0bc9
SHA512e80c3a252f1e7d80dc30b15404d7101183499178b8f2b3afe0dda6233d02d28714bdde18a3b1498bedcee252b7dcf3ac0c5c5137bcee775c6be0e2a16b2e4404
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5f11be66e39735dbe948b6d2cda966901
SHA165dec1714151efd31eb931501c5e5c987a9ce378
SHA256f9dd5dfce1435e0d41c176c32c9f01b32cfe3fc9d4b2b208ce9bdb6d42a0dd12
SHA5127c62e1ec65c0e8eaaa9674ae9ad646a2bf26bac253eb1a14bc96114677aaa2df27cb49f77025ca796473ab12eb9ab7add0e1d3a1461875f9a9abeab66ef1ae75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5b5eb5f58570d0df7e1d28d106bf97c32
SHA144480ebb1562b0b4e49603d6b4085b382718ffa6
SHA256f4dd8c0e37c820aaf1822568a8dae4630a57f3336cdfabfd04c139fc074422ac
SHA51257176c3f1fae9f5455851d5f03ccb8fe1589dbe00ee327ba4142f1481553aa79915eb5e3653f36cb6985e9d5b7fb893716bf8d8b9f4072e595f4901057369179
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5f385eb8ca656bc897e0bf77562f246b0
SHA1d683f77fb204d3f2d9e93655a586e14d48a257cb
SHA256c634da450f774122858d9e92dd33ae632413f1d60e416d6342c953508f703413
SHA51245041bf8c5e8bd2596a0ce8d8ca524bf5fffeeaf3f2727c13bb978b6e7e927036fdaf9bfcdefef7c43f7ef8502dcf87e17995024214905727f157690e4d0a67d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD51463bf2a54e759c40d9ad64228bf7bec
SHA12286d0ac3cfa9f9ca6c0df60699af7c49008a41f
SHA2569b4fd2eea856352d8fff054b51ea5d6141a540ca253a2e4dc28839bc92cbf4df
SHA51233e0c223b45acac2622790dda4b59a98344a89094c41ffdb2531d7f1c0db86a0ea4f1885fea7c696816aa4ceab46de6837cc081cd8e63e3419d9fcb8c5a0eb66
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
705B
MD5ff0994b0782d76dff7750b002cfb24bd
SHA18b872e5223d048d2de6c70d5760c146d6f6f1e2b
SHA256f55a3c0647f72ffdc4fa8e3497143a9d2668b57ec054b7caddf8d9e283968a77
SHA5120213bdc26151c55886b49e6ebc4e3779bb805b725bfc5104be936242c36a77eda57418e32ffd8f1b312ecd5839887c2b2a3074e8c136b098f5ac5e316338a7ba
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
705B
MD5ff0554552d316be214256c55fb501f2f
SHA1ca396f8329915f1300da20e8a7efadd946c65c2a
SHA256ed114360990e826764a259cb3164b6d726b04c2abf303fa502d6be75cc6c0999
SHA5121de89b46a640090fd0b9cdb18cf63542dc801c667cce80e9642cfc1ed686807cb7d345d6a7cc74a3a42e0f69388bb81c2d2174e81909e4e11d79a1020fb2061f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57aa3a.TMPFilesize
537B
MD57cd4f9ed8bc9f4364e055cca98da9630
SHA134bf77838ed42eafd8f18e70af724b3ba122db3a
SHA256a1851d989b8d90a6efdecae22478f870152384c8a8b589c7ab621b767cfbe353
SHA512ab32b7b5c44b3a68f05e2a746a28e2e47bbace61d5b232f6b3993e44d84fe9364ba388d39b7811f385549c3cbf34ccd9446f7bed3c3beaae2ff25fac0f279c3f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
3KB
MD5857fd65ae59ecb0c838249ab24c70111
SHA194d2a370c1ff4c01e99455720e746e45d4fb8d14
SHA25614004fc056eae54447acb2e2a53a2131ef635a87eb327405ae0a8ee15b04e4e0
SHA512de4033c3e67453c44d74924494a654d5e94c285247faeb92fff9db9bf2e86775bfab9486d06123a7b61214520df93fd5cc5c53d6eac32969595953a42acd7e8e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
9KB
MD55b3fc573a2957e41141ae9922be1e15a
SHA1685f1452cb4eb5cd908bac0963a9e9b3091b7abb
SHA256a49f2d6d442d8249f7bd733e87854a1f5fc269280ad670ec7873d46756354047
SHA512a1edbf274ff0ffcab8d7d4ee9e9fa604e08c8d79ecae564f2f8bf52c287d155a1139f43c567b6357740f864d0a5e1cb29ef2adf3c9680252f48ef8bb1228a17c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
13KB
MD5704f255bf18c7d920bda6632789e46fe
SHA1d84863aadf2bd910840bb656bb5c9c28dd6e8dbe
SHA256f5b11e99fe8b5d2b32b7d7c897d2da00a239b7df6943aaa22c4be972c466f1bf
SHA5128ea9c63d877428526fdc94cc9dc45afcc0019cf875ace723f1a469b602f686653d512226bccd8de56d50bb21706ec9032131c87df6011b10e46994cbb812b90b
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WindowsHardExtention.exeFilesize
32.6MB
MD5845bca1210228f0d220d2fda0fc0a77b
SHA1c9198fc01340d9016b41484c169c65985145c131
SHA2561ff2458549bdc52765f17ccc1e361c9cc7062ddca3876fc73ff75d40e33ca9e5
SHA5128e0abb1141bbb5cfe5a85194cefe616a34bff26fd1147416cb8efdd5dfc1a577344ab297c9a0d94561e6c7ddcb27dc8a308550cb88f39def0cf879813c540d4b
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WindowsHardExtention.exeFilesize
32.6MB
MD5845bca1210228f0d220d2fda0fc0a77b
SHA1c9198fc01340d9016b41484c169c65985145c131
SHA2561ff2458549bdc52765f17ccc1e361c9cc7062ddca3876fc73ff75d40e33ca9e5
SHA5128e0abb1141bbb5cfe5a85194cefe616a34bff26fd1147416cb8efdd5dfc1a577344ab297c9a0d94561e6c7ddcb27dc8a308550cb88f39def0cf879813c540d4b
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\runneddown.vbsFilesize
81B
MD5dbad7d4e9d9126be4738124cf089778c
SHA1bf3bfba2741dea9c9f313e4f5e1e28d6cea1220c
SHA256b0604b4cfb8999edf573b0ec22bd3ab183fc08262b8f018009d925abf4a1aca9
SHA5120aa8e6f1d5238f0c2ba421238ceaa3ac846d9459868095044af4e0d1c703a735058abf7f171c5b659644b8e5b506caf459b5978a159176fb7b7b7141f3440b55
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\KujikTools2.exeFilesize
145KB
MD59f7507ac5ef726428b199e593414b9a8
SHA10eb0e7522234fe1b4ff4aeb3286cd8cf0ef9a26e
SHA2568ab1a57a5ce541b2f1c0afa9f7d8e6f32b9337e6a218fb362f8ff04824ad9a92
SHA5123662138681273ce478f37dd40b8be6264c5565a86a1651a23618d5a0c689ee760bd6b4ce6063a91481fec3a0ead40ea3d186c43b2381bd96c19ac11cd871d54a
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\KujikTools2.exeFilesize
145KB
MD59f7507ac5ef726428b199e593414b9a8
SHA10eb0e7522234fe1b4ff4aeb3286cd8cf0ef9a26e
SHA2568ab1a57a5ce541b2f1c0afa9f7d8e6f32b9337e6a218fb362f8ff04824ad9a92
SHA5123662138681273ce478f37dd40b8be6264c5565a86a1651a23618d5a0c689ee760bd6b4ce6063a91481fec3a0ead40ea3d186c43b2381bd96c19ac11cd871d54a
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\WindowsBase.exeFilesize
16.7MB
MD5de4a2cd63f51b7d701d57e4c54814112
SHA1cdddbc177c2516241d9e3eda8fa706db41f248ea
SHA2562ce45222d181048140c7c234c25e70b2ce82809ffa89f8bd8e6ea244b220cc73
SHA512e9f5f5d9a462307ba71de9111af839a000d73eb7d183bbb59926b0b4b8bc2eca26744b6f3842d64b56d6ab40d13fd855f8891f83026b8e8f6e4e8bf649d92e75
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\WindowsBase.exeFilesize
16.7MB
MD5de4a2cd63f51b7d701d57e4c54814112
SHA1cdddbc177c2516241d9e3eda8fa706db41f248ea
SHA2562ce45222d181048140c7c234c25e70b2ce82809ffa89f8bd8e6ea244b220cc73
SHA512e9f5f5d9a462307ba71de9111af839a000d73eb7d183bbb59926b0b4b8bc2eca26744b6f3842d64b56d6ab40d13fd855f8891f83026b8e8f6e4e8bf649d92e75
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\WindowsFileOcso.exeFilesize
530KB
MD5976dbe4a4a89ba100c9a266a817baf3a
SHA1715713bf5167697430e5816b4e9d08b1ab5c919a
SHA25642f754809540c9cadb9f8788a6743cb5517655b96a55b4a26601e56b3570aa7a
SHA512f083109445150bf940c9a084b5342399ac8388aac6cd6c81bfed5ce7151362d3cbfe88d1fe1388ecacfeb29b3becda162c29658193fc943108b553946be377d4
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\WindowsFileOcso.exeFilesize
530KB
MD5976dbe4a4a89ba100c9a266a817baf3a
SHA1715713bf5167697430e5816b4e9d08b1ab5c919a
SHA25642f754809540c9cadb9f8788a6743cb5517655b96a55b4a26601e56b3570aa7a
SHA512f083109445150bf940c9a084b5342399ac8388aac6cd6c81bfed5ce7151362d3cbfe88d1fe1388ecacfeb29b3becda162c29658193fc943108b553946be377d4
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\WindowsViser.exeFilesize
15.4MB
MD593fdf80b25fddc0e088882ad702883db
SHA1f25897b3e935a47c5753d5ec0e024b764893c16e
SHA2564caa22c581aa4d9c841d1cea1804ac84f6699da89f829994d7ee2305e6c22f66
SHA512516e19d14554dc87bfd783f9999ed60bc52ef4e75b3864f393e7863d199d059cb93d5b2bf58ce16cb06fcaa5f5a173ed53705fc40f81f0c7dec7b047c1230c8b
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\WindowsViser.exeFilesize
15.4MB
MD593fdf80b25fddc0e088882ad702883db
SHA1f25897b3e935a47c5753d5ec0e024b764893c16e
SHA2564caa22c581aa4d9c841d1cea1804ac84f6699da89f829994d7ee2305e6c22f66
SHA512516e19d14554dc87bfd783f9999ed60bc52ef4e75b3864f393e7863d199d059cb93d5b2bf58ce16cb06fcaa5f5a173ed53705fc40f81f0c7dec7b047c1230c8b
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\run345.vbsFilesize
305B
MD5111e76b8cbae9ee0bc9bae3f3de137f3
SHA141ffe731394616c7cef01f073cdf096754a0ae4f
SHA256f4cd5a7a1184c052ef2196508c843ccf2c8a8534c5beec9cc9ec1d22e6f48f99
SHA51206010c3090b671c4bd9af0f829869341b20c57f68187f3daf78d1c99d88e99ccdbe273e13014088269290a67973b7d1d617029dfdab68b110eee976ac8d4620a
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\ru4n.vbsFilesize
68B
MD59746f45b35aadaa49fa87122ed999e84
SHA15f9a0e166069b2c626607c1c8b761b0ab4d7bd1e
SHA256973610f5040c00cb3443ed87e13ded7661e704a97549781b16ceeec70e80d534
SHA51298bb558a3addb08ded8d19e52086f6844de54d58e0cb51a2e0d37186697c9811b03ab853e431dc8dfe8f32be438c10f52e8e46d263a5d758d1cfd935c69f0531
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\svchost.exeFilesize
597.3MB
MD53abc93b79e4d053cb6e35f356c58338b
SHA197408feee960c4e4914d7a410137f51a9248e96d
SHA2566a5f2d8b6c584780131113ab8379e7aab4d9df8d312d68cbf57188c53fd9a4ca
SHA512af4facef9900283708e6445e5c372794c1125fbdf035ecde9c8f794d130ad1581b4d2350fa6de611f8bfe8c37c5b94a714dcf39d1d8409ba9c04db1000ef7492
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\svchost.exeFilesize
477.4MB
MD51e4e5ba8f87544b0ccb477744405f310
SHA105378b35d52cbc0c08dd72036cb9c2591875a756
SHA256affb20c67899df50f92a8a86d95758b6543dbfcba9ae98566daed60e24b778dd
SHA51291e2d04e7adeee112eee8026b8e4737b38ad26ea5950334b32eabbdd22dd166dd6f430cae077723d4eecefdfe8137ca63b85fed2b5e3ed77baad565f2516a2d9
-
C:\Users\Admin\AppData\Local\Temp\passwords.txtFilesize
1B
MD568b329da9893e34099c7d8ad5cb9c940
SHA1adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA25601ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-msFilesize
3KB
MD5b9ea86f81c4d1ace4875df67b0bd3ec5
SHA19fbc983eb17e82ebd3dd475b06c3bc053a92d6ae
SHA25605bd0b1723e1c667443e45c4b50caa3fe399e53fd8c9279aedb697be99b17982
SHA512b8f44c80f05cc3c49db8292f8de872a6a404d44666746564a47fd86869e9408646b51861c6563e9836614df890c068d289ad7d7fdea6fb0ea37272eb7f757109
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-msFilesize
3KB
MD52b59c32abed1a112282d958370f20051
SHA128d3e14390076e9f7ec91690d20bf00a56d970e7
SHA25609c5e696570474af389c815bec06ba01c42886d7b76d4bac1b80960be61c2640
SHA5122d86f80a383ba928886de0e327b2643a4d2e74643e1b80eac068833ae7176c4cdfcb498181da5c9d9055a6359602a6ac5ddc882369590dac4054f07add992045
-
C:\Users\Admin\Downloads\windowsdesktop-runtime-6.0.14-win-x64.exeFilesize
54.7MB
MD544ee5a4f2be46250c18921ce1059de32
SHA1c145fa89888b1afbb53d008baff83c2cdd54a728
SHA256b3373b3c382534c5873d05961d40998f99819e6153437824e71453aeeed28fd6
SHA5125281e817571afa6c5d848ed9a3fec4cb568ad8c05633cbd97e65e52f4a929d9947c390b9b3a72da6464c89450576d318b253d190776bd357327fc27031c7acdf
-
\??\pipe\LOCAL\crashpad_708_SBHNXAQKLVAKWQFTMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1920-221-0x00007FFE90820000-0x00007FFE90821000-memory.dmpFilesize
4KB
-
memory/3188-439-0x00007FFE91E80000-0x00007FFE91E81000-memory.dmpFilesize
4KB
-
memory/3188-440-0x00007FFE92070000-0x00007FFE92071000-memory.dmpFilesize
4KB
-
memory/3312-196-0x0000000007B30000-0x0000000007B40000-memory.dmpFilesize
64KB
-
memory/3312-241-0x0000000000B60000-0x0000000003054000-memory.dmpFilesize
37.0MB
-
memory/3312-173-0x0000000000B60000-0x0000000003054000-memory.dmpFilesize
37.0MB
-
memory/3312-187-0x0000000008340000-0x00000000083A6000-memory.dmpFilesize
408KB
-
memory/3312-182-0x0000000000B60000-0x0000000003054000-memory.dmpFilesize
37.0MB
-
memory/3312-499-0x0000000009ED0000-0x0000000009EE2000-memory.dmpFilesize
72KB
-
memory/3312-500-0x0000000009F30000-0x0000000009F6C000-memory.dmpFilesize
240KB
-
memory/3312-503-0x0000000000B60000-0x0000000003054000-memory.dmpFilesize
37.0MB
-
memory/3312-185-0x0000000000B60000-0x0000000003054000-memory.dmpFilesize
37.0MB
-
memory/3312-186-0x00000000082B0000-0x00000000082CA000-memory.dmpFilesize
104KB
-
memory/3312-408-0x0000000007B30000-0x0000000007B40000-memory.dmpFilesize
64KB
-
memory/3312-351-0x00000000080E0000-0x0000000008172000-memory.dmpFilesize
584KB
-
memory/3476-332-0x0000000000C10000-0x0000000003650000-memory.dmpFilesize
42.2MB
-
memory/3476-407-0x0000000007A60000-0x0000000007A70000-memory.dmpFilesize
64KB
-
memory/3476-514-0x0000000000C10000-0x0000000003650000-memory.dmpFilesize
42.2MB
-
memory/3476-184-0x0000000007FE0000-0x0000000008584000-memory.dmpFilesize
5.6MB
-
memory/3476-183-0x0000000000C10000-0x0000000003650000-memory.dmpFilesize
42.2MB
-
memory/3476-180-0x0000000000C10000-0x0000000003650000-memory.dmpFilesize
42.2MB
-
memory/3476-174-0x0000000000C10000-0x0000000003650000-memory.dmpFilesize
42.2MB
-
memory/3476-195-0x0000000007A60000-0x0000000007A70000-memory.dmpFilesize
64KB
-
memory/3556-534-0x00000000002E0000-0x0000000000364000-memory.dmpFilesize
528KB