Malware Analysis Report

2025-08-05 21:25

Sample ID 231222-l8es7sffdk
Target 83fd23ee476175c0b0f0a46200598ee4
SHA256 3279ee666821ef28cf1776a074111119c97a07ad57a8816437eeac5ff937605e
Tags
vmprotect evasion spyware stealer
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

3279ee666821ef28cf1776a074111119c97a07ad57a8816437eeac5ff937605e

Threat Level: Likely malicious

The file 83fd23ee476175c0b0f0a46200598ee4 was found to be: Likely malicious.

Malicious Activity Summary

vmprotect evasion spyware stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

VMProtect packed file

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-22 10:11

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 10:11

Reported

2023-12-22 10:57

Platform

win7-20231215-en

Max time kernel

151s

Max time network

172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\83fd23ee476175c0b0f0a46200598ee4.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\235.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\83fd23ee476175c0b0f0a46200598ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\83fd23ee476175c0b0f0a46200598ee4.exe

"C:\Users\Admin\AppData\Local\Temp\83fd23ee476175c0b0f0a46200598ee4.exe"

C:\Users\Admin\AppData\Local\Temp\235.exe

"C:\Users\Admin\AppData\Local\Temp\235.exe"

C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe

"C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 c0dpro.zzz.com.ua udp
NL 5.79.66.145:80 c0dpro.zzz.com.ua tcp
US 8.8.8.8:53 cs06684.tmweb.ru udp
RU 92.53.96.106:80 cs06684.tmweb.ru tcp
US 8.8.8.8:53 vh410.timeweb.ru udp
RU 92.53.96.106:443 vh410.timeweb.ru tcp
US 8.8.8.8:53 co61466.tmweb.ru udp
RU 92.53.96.244:80 co61466.tmweb.ru tcp
US 8.8.8.8:53 vh398.timeweb.ru udp
RU 92.53.96.244:443 vh398.timeweb.ru tcp

Files

memory/2428-0-0x0000000000400000-0x0000000000D43000-memory.dmp

memory/2428-1-0x0000000077A10000-0x0000000077A11000-memory.dmp

memory/2428-4-0x0000000000400000-0x0000000000D43000-memory.dmp

memory/2428-3-0x0000000077A10000-0x0000000077A11000-memory.dmp

memory/2428-8-0x0000000075F50000-0x0000000075F51000-memory.dmp

memory/2428-10-0x0000000077A10000-0x0000000077A11000-memory.dmp

\Users\Admin\AppData\Local\Temp\235.exe

MD5 a73ddbba903795042140f10a6dba68b7
SHA1 91ef79f8ecf27826064548effb4f37f935130623
SHA256 99cb31e7bc0268d8b698945cb1d31554c1aed2eff1e2b398c8a5997617933d60
SHA512 3901b898f9ba3ab9821506913f3d0ea3de7995e6f0e03f2c467c8964c13d8138ce5b4531e8954b5275e07497f1ce7a248f29a758bfd9d09f94278462297597b1

C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe

MD5 aca3f223e86e15567b7a866e941e70fa
SHA1 c7eac467191e3bab76f1f5d36a004b214ce2b3ce
SHA256 56ed9a24187b984e21dc07aab53d563c3473b205b2ec7e9a961531f8d11877af
SHA512 dfc6127d56702d0f3171194c0ebc5e11d98360837bf217dc0d47d17aff1c85729b86b2cbebda7dfdd1e153cbcb1a82d06c3aff368dde4246f38af0926a32161a

C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe

MD5 c39fa7da50869fbc10b5853782b568a0
SHA1 51d271a8d5ee9b63cb9daa01684d9439ed2717d8
SHA256 b7ccf2ca00efb52ea6eca4fb67f5aea829da67e5526ab2192aa78652d9075541
SHA512 253b485ce74eeaeb00eb6bcf236d7666c46ddb81c0f4cc9439f22c66d7e425aa1319e378dc511858c630391463806ee584728f84d5314a59be7091feded08dd5

memory/2428-25-0x0000000003590000-0x0000000003B2D000-memory.dmp

\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe

MD5 83129d2fd38c810b2812d3bc7e1f47f3
SHA1 7788c1e95dd9da2988a62b1eef3400bd74b41870
SHA256 cfbd544d0c231330e27f80766d48790b494ab48d5dc9822c1a8dfd618a2127e3
SHA512 c98975c947f864687d9a9655b6de02e86bed42e05787794cdac1f8fb4a2eeb71369b6a0c362fd585c487aaeaf81ee0ffa14fcbbcca815e6fe237d5814d7ece19

memory/2428-26-0x0000000000400000-0x0000000000D43000-memory.dmp

memory/2988-27-0x0000000001040000-0x00000000015DD000-memory.dmp

memory/2988-28-0x0000000077890000-0x0000000077892000-memory.dmp

memory/2988-33-0x0000000000820000-0x0000000000821000-memory.dmp

memory/2988-32-0x0000000000A80000-0x0000000000A82000-memory.dmp

memory/2988-31-0x0000000000920000-0x0000000000921000-memory.dmp

memory/2988-34-0x0000000000670000-0x0000000000671000-memory.dmp

memory/2988-30-0x0000000000970000-0x0000000000971000-memory.dmp

memory/2988-35-0x0000000000A90000-0x0000000000A91000-memory.dmp

memory/2988-37-0x0000000000830000-0x0000000000831000-memory.dmp

memory/2988-36-0x0000000000900000-0x0000000000901000-memory.dmp

memory/2988-29-0x0000000001040000-0x00000000015DD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabAF25.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarAF48.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/2988-416-0x0000000001040000-0x00000000015DD000-memory.dmp

memory/2988-417-0x0000000000880000-0x0000000000882000-memory.dmp

memory/2988-418-0x0000000001040000-0x00000000015DD000-memory.dmp

memory/2988-419-0x0000000001040000-0x00000000015DD000-memory.dmp

memory/2988-420-0x0000000001040000-0x00000000015DD000-memory.dmp

memory/2988-421-0x0000000001040000-0x00000000015DD000-memory.dmp

memory/2988-422-0x0000000001040000-0x00000000015DD000-memory.dmp

memory/2988-423-0x0000000001040000-0x00000000015DD000-memory.dmp

memory/2988-424-0x0000000001040000-0x00000000015DD000-memory.dmp

memory/2988-425-0x0000000001040000-0x00000000015DD000-memory.dmp

memory/2988-426-0x0000000001040000-0x00000000015DD000-memory.dmp

memory/2988-427-0x0000000001040000-0x00000000015DD000-memory.dmp

memory/2988-428-0x0000000001040000-0x00000000015DD000-memory.dmp

memory/2988-429-0x0000000001040000-0x00000000015DD000-memory.dmp

memory/2988-430-0x0000000001040000-0x00000000015DD000-memory.dmp

memory/2988-431-0x0000000001040000-0x00000000015DD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 10:11

Reported

2023-12-22 10:58

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\83fd23ee476175c0b0f0a46200598ee4.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\83fd23ee476175c0b0f0a46200598ee4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\235.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe N/A

Reads user/profile data of web browsers

spyware stealer

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3260 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\83fd23ee476175c0b0f0a46200598ee4.exe C:\Users\Admin\AppData\Local\Temp\235.exe
PID 3260 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\83fd23ee476175c0b0f0a46200598ee4.exe C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe
PID 4968 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 3596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1208 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4272 wrote to memory of 1108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\83fd23ee476175c0b0f0a46200598ee4.exe

"C:\Users\Admin\AppData\Local\Temp\83fd23ee476175c0b0f0a46200598ee4.exe"

C:\Users\Admin\AppData\Local\Temp\235.exe

"C:\Users\Admin\AppData\Local\Temp\235.exe"

C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe

"C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9597846f8,0x7ff959784708,0x7ff959784718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://co61466.tmweb.ru/Cheats/CSGO/upd.php

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,14181211789737563692,3815342948967582034,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,14181211789737563692,3815342948967582034,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14181211789737563692,3815342948967582034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14181211789737563692,3815342948967582034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,14181211789737563692,3815342948967582034,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14181211789737563692,3815342948967582034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,14181211789737563692,3815342948967582034,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,14181211789737563692,3815342948967582034,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14181211789737563692,3815342948967582034,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14181211789737563692,3815342948967582034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14181211789737563692,3815342948967582034,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,14181211789737563692,3815342948967582034,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,14181211789737563692,3815342948967582034,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4920 /prefetch:2

Network

Country Destination          Domain                       Proto
US      8.8.8.8:53           17.53.126.40.in-addr.arpa    udp
US      20.231.121.79:80                                  tcp
US      8.8.8.8:53           c0dpro.zzz.com.ua            udp
NL      5.79.66.145:80       c0dpro.zzz.com.ua            tcp
US      8.8.8.8:53           180.178.17.96.in-addr.arpa   udp
US      8.8.8.8:53           95.221.229.192.in-addr.arpa  udp
US      8.8.8.8:53           145.66.79.5.in-addr.arpa     udp
US      8.8.8.8:53           g.bing.com                   udp
US      204.79.197.200:443   g.bing.com                   tcp
US      8.8.8.8:53           cs06684.tmweb.ru             udp
RU      92.53.96.106:80      cs06684.tmweb.ru             tcp
US      8.8.8.8:53           vh410.timeweb.ru             udp
RU      92.53.96.106:443     vh410.timeweb.ru             tcp
US      8.8.8.8:53           9.228.82.20.in-addr.arpa     udp
US      8.8.8.8:53           106.96.53.92.in-addr.arpa    udp
US      8.8.8.8:53           co61466.tmweb.ru             udp
RU      92.53.96.244:80      co61466.tmweb.ru             tcp
US      8.8.8.8:53           226.21.18.104.in-addr.arpa   udp
US      8.8.8.8:53           41.110.16.96.in-addr.arpa    udp
US      8.8.8.8:53           vh398.timeweb.ru             udp
RU      92.53.96.244:443     vh398.timeweb.ru             tcp
US      8.8.8.8:53           244.96.53.92.in-addr.arpa    udp
US      8.8.8.8:53           co61466.tmweb.ru             udp
RU      92.53.96.244:80      co61466.tmweb.ru             tcp
RU      92.53.96.244:80      co61466.tmweb.ru             tcp
US      8.8.8.8:53           vh398.timeweb.ru             udp
RU      92.53.96.244:443     vh398.timeweb.ru             tcp
US      8.8.8.8:53           www.google.com               udp
US      8.8.8.8:53           yandex.ru                    udp
GB      142.250.200.4:443    www.google.com               tcp
RU      77.88.55.88:443      yandex.ru                    tcp
RU      87.250.251.119:443                                tcp
RU      92.53.96.244:443     vh398.timeweb.ru             tcp
N/A     224.0.0.251:5353                                  udp
US      8.8.8.8:53           103.169.127.40.in-addr.arpa  udp
GB      88.221.135.217:80                                 tcp
US      8.8.8.8:53           217.135.221.88.in-addr.arpa  udp
RU      178.154.131.216:443                               tcp
RU      77.88.21.179:443                                  tcp
RU      178.154.131.216:443                               tcp
RU      87.250.251.119:443                                tcp
RU      87.250.247.182:443                                tcp
NL      5.79.66.145:80       c0dpro.zzz.com.ua            tcp
US      8.8.8.8:53           209.178.17.96.in-addr.arpa   udp
US      8.8.8.8:53           13.227.111.52.in-addr.arpa   udp
NL      5.79.66.145:80       c0dpro.zzz.com.ua            tcp
NL      5.79.66.145:80       c0dpro.zzz.com.ua            tcp
US      8.8.8.8:53                                        udp
US      8.8.8.8:53                                        udp
US      8.8.8.8:53                                        udp
US      8.8.8.8:53                                        udp
US      8.8.8.8:53                                        udp
US      8.8.8.8:53                                        udp
US      8.8.8.8:53                                        udp
US      8.8.8.8:53                                        udp
US      8.8.8.8:53                                        udp
RU      178.154.131.216:443                               tcp
RU      178.154.131.216:443                               tcp
RU      178.154.131.216:443                               tcp
RU      178.154.131.216:443                               tcp
RU      178.154.131.216:443                               tcp
US      8.8.8.8:53                                        udp
US      8.8.8.8:53                                        udp
US      8.8.8.8:53                                        udp
US      8.8.8.8:53                                        udp
US      8.8.8.8:53                                        udp
US      8.8.8.8:53                                        udp
US      8.8.8.8:53                                        udp
NL      5.79.66.145:80                                    tcp
US      8.8.8.8:53                                        udp
US      8.8.8.8:53                                        udp
US      8.8.8.8:53           66.112.168.52.in-addr.arpa   udp

Files

memory/3260-0-0x0000000000400000-0x0000000000D43000-memory.dmp

memory/3260-1-0x0000000000400000-0x0000000000D43000-memory.dmp

memory/3260-2-0x00000000773D0000-0x00000000773D1000-memory.dmp

memory/3260-5-0x00000000769A0000-0x00000000769A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\235.exe

MD5 a35adb21af3aa253fd52a15645be56b1
SHA1 1204fc4200c3f25c72888989022d36ef0629e81b
SHA256 5cca2c4ddbebcccbb4234ed614a407e98bc8f54e0b24e6183d22e4c741f876da
SHA512 2407888723f6c4a4c041cdb3b1cfc69ba88e927476e9a4fa10a949faf78683a4dc83ac8dcb04df1c64ed4f8b09c1e5477df5214c9937c0c2c891cda55cf9f1ea

C:\Users\Admin\AppData\Local\Temp\235.exe

MD5 7d8723dad9c3722c346373240bf7717e
SHA1 5cd3c2ad37ae3f919d036c8ff87b9a7422532d1f
SHA256 c73e4eec1d7ebdaec7cfe2876e15739a9a9dd96f40d1bfee7adb208e169aebad
SHA512 cece7b93ba17c41373898f3e4caf8ffae842deef5e5bb9084df6ad3163c82de4598a722950bfb4519f66245f88969408257f96ee386301f87cd827bcba43093f

C:\Users\Admin\AppData\Local\Temp\235.exe

MD5 e37db8d8e7bd4e85e5a17311be07677d
SHA1 d5c4ba2d880427162ecd50da9e5704012661bd74
SHA256 4f73765981c2c721d033f24b0b08466f34c343682025bcd21fa4604285a9ec4d
SHA512 9677fe4e36682df057aea8fe600c71c1a7df730e9a8660d651f82b6189a6124464ae52f005cf37ac8d5a7d44984daaf1a7ad62bf41c519beb5bdf8154fd989b6

C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe

MD5 b800461242d01d1d396a5f8c2173c69e
SHA1 1ca8d13c48a804816df088a80a964d39fe7be6d1
SHA256 17c6797d58518db70e9c61875f10c387ff30cb7b365e82246c997756a2b84d9c
SHA512 953c915b8f3e1dfc67267e3810b1fd9356b2920e946326e298d790ff626bc081a8761285ae840841626021a9d9630126e8a83532f4543749fa6e41c6703cf72c

C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe

MD5 8eb43e220e2ae3ad029e4143e06b5968
SHA1 c1d5e406c002698a8c9cab14a013d1032b71373c
SHA256 8f5aaf31ea62d1e297ee2c6c934c85e934ade0a5aa6dcf64ee46b9212b5174e9
SHA512 5bd2cfe2f8c350caff1bd63f6d65cd632c5d8c9bfb5ecd3db0b96dffdffa335b10cd137de3c6292d8b8e83d542bad12aefd15e9778fc4084c25c1672d2aa7b3e

memory/3260-21-0x0000000000400000-0x0000000000D43000-memory.dmp

memory/4968-22-0x0000000000880000-0x0000000000E1D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ExtrimHack[11.04.2018].exe

MD5 ef470a1d7169c7254c55bf2fafa89c58
SHA1 37f2b1341963327c13298e9af5d4b590e78a2c89
SHA256 d4cee767e083e5e2eb0c8fa0e2dafe24b9b3b06eb33e5bd4bf32985227060f0e
SHA512 e650ae10c692d5813df1a4a544ffeea4e09563d6cfbb368d16f75930ad93de2457c20e47a1095ad231b4dcc7f67a2c5a7e40a3c0d6cf306dbef495924dba56e1

memory/4968-24-0x0000000077294000-0x0000000077296000-memory.dmp

memory/4968-29-0x0000000005700000-0x0000000005701000-memory.dmp

memory/4968-28-0x0000000005720000-0x0000000005721000-memory.dmp

memory/4968-27-0x00000000056C0000-0x00000000056C1000-memory.dmp

memory/4968-26-0x0000000005710000-0x0000000005711000-memory.dmp

memory/4968-25-0x0000000000880000-0x0000000000E1D000-memory.dmp

C:\Users\Admin\AppData\Roamingcptbr.exe

MD5 4553f7ca28f38a02f2bf2791a9e37e48
SHA1 a165dd270ae44a853d642c3661017b3facde8863
SHA256 33ef3c8886d10a648a9543330dbca2a2bf6b70aa569fbcdc08f76782cc245aef
SHA512 dcd318e78b6077e07ad04325f659dfe89b41c74a9935b52393eeda35ff1eb312826a629aee666571d361034794a188236decdd82022644846a918d976ae0e291

memory/4968-62-0x0000000000880000-0x0000000000E1D000-memory.dmp

\??\pipe\LOCAL\crashpad_4272_YSNWAOMDRRFKDZSR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7543b4103f4ccf0545078ab506e46f43
SHA1 d5e48859bebc2f2caeda13d839f6eed783bcba16
SHA256 094dfee1b84db9d0800f752404fbcd184ccca00e6f068dd2923655cf5b35ff3b
SHA512 39b73bac9d475ef4741b308423d81bb24793f4bf98c10ea2baf2a9e42255675c37163d4f1e0f324b8cd66e9a7c2b6ceb931934b060d41280a50d33e25258b322

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f246cc2c0e84109806d24fcf52bd0672
SHA1 8725d2b2477efe4f66c60e0f2028bf79d8b88e4e
SHA256 0c1014ae07c2077dd55d7386cc9cf9e0551be1d67fe05a6006957427ae09fec5
SHA512 dcf31357eb39a05213550a879941e2c039ec0ba41e4867d5d630807420f070289552d56d9f16c6d11edcdb0f9448bf51e7d2e460e88aa9c55a5bfe5d8d331640

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DD76941B08ECB69B450D4C1AE579DB94_477A2C5BDEB15E052745F2DCC6341294

MD5 63d5e973571f581e27febfa8e69ba8d8
SHA1 4f4aaa29e860ab553b2e4a35395525eaf6408988
SHA256 9cf1015cd229cbcf48669c30df94336aa09234e89f55ca13785a9e35505da6a0
SHA512 6746c6537f22f81d687c4cee5c98fc038251f41fa44ad6c8ddb6af3caecf1cbafa74213f5d42b6f329a6142b868af569e58eb7b45c5154d09234706a15cc7b9f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DD76941B08ECB69B450D4C1AE579DB94_477A2C5BDEB15E052745F2DCC6341294

MD5 fec6b6b26bddfd27fcea54b14a88fa9b
SHA1 abdef4d016cffc2086aa39ef9d354350b12d641e
SHA256 12ed0ef48b32b176246911b9ecb2696d85e52b26e422009df784bcb34cb9c92d
SHA512 387e182dfa9b14440fb82b2437b6750e9747fca1d103f789a69ec1997a848e66f52f44b0b3a4c6b10f30ac9253a6e9708f5a81d84502454cfdb19ab318d0b539

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_005284E085E122BD76B51F33745F7753

MD5 10e556cea0d4ddb14054679b508a8afb
SHA1 c6be4e7ad969c17941cb00f41585517c8ad360f6
SHA256 55863d7113de4f61723ba028aee05f459010b7e9573285f220861cb01ed7eff2
SHA512 a00301d690e98ee23b02ae5fb2a2582ee551cbc87d99e3eca0cac2e72aa21f20d42f2c64040b62db1bdf97b1fa2076048f675d593b6b66ab393b99b1ecc10b7c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_005284E085E122BD76B51F33745F7753

MD5 251ff142b6d01ab3edef0e6445ae8d1d
SHA1 f97ddbd253f6b0199a1b193639701f5687ddb1af
SHA256 e2497b07da2a1dc5464bfed3a7604dffae2b0af89962210d41bda50e60636cf3
SHA512 ed8a3b18fc5dc64ddda211b83d849e707526a69d75d6c2cf40d7a4cdb43086e5eb64eeaf8191aa48a932fa366f86468c50233751c303aed269e2fd3706f1c807

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7e89caeb3dea5978a0e94d1f37f54860
SHA1 6ffd9b348ad9b477a7d48f77b3bc03c5cf6c28c4
SHA256 480bb4ef8edbb96a13cd20b0d33ffd7fbd12787ffa376ef3cd5d35b73fb214af
SHA512 16076cb4e98d0268231e311313f53aee4b95bba67cd680adbe2360079962c01d79b358f7ce1b8b1f2634aab93f23162fb27b5ed91bf1a4779d946d238a29a535

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 30093188518a7eafda4a6cdaf4a3811c
SHA1 dffccfcda0741c4fbe3bebd78ec5b8a829388522
SHA256 9b070e15e80cac0568b890f0ab38c01bcd54cceb5cd52a93d21d7042655337d4
SHA512 3ee4269aea1bf38f21e0fdb48c4edc1494ddf64cfb5b71cebedf2d80ee9fccddbc8074b1e71364aa87d435a327fb5f1597c79ae376ab7fd7b4c9d285b695bdb7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 5e62a6848f50c5ca5f19380c1ea38156
SHA1 1f5e7db8c292a93ae4a94a912dd93fe899f1ea6a
SHA256 23b683118f90c909ce86f9be9123ff6ac1355adb098ffbb09b9e5ec18fc2b488
SHA512 ce00590890ed908c18c3ec56df5f79c6c800e3bea2ad4629b9788b19bd1d9e94215fb991275e6ec5a58ac31b193e1c0b9cbaa52ff534319a5e76ec4fc8d3ba54

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 74524ce365d3128083064b4abf57eb4f
SHA1 2ed3e3e4da7a0ae3d916274d61b1d0be7159fffb
SHA256 b36e23e64ec2d2a9a716efe4f96fcbe21aefb7d586143c4e383da9ba03fef9b5
SHA512 e30a6ea19b145497cc68c912b35ff748710bdd517ae4850e9cb713950dcad68b5d54ffbf74dcb2e4e74d13640f5654646480347154fbb9e41e8746e211413daa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 7dc6f39d2f27bdef00e23261eb8593ff
SHA1 fcf1c61e08a4bf83fabb5c8a3fcf0204354d4495
SHA256 2c8a84ebb32eb9bf496e3d2c636be8873e844759be19c8f35295a9acda25a1f2
SHA512 1577384d91886bcae45a10ba6d104327b4b5506c0d3d845cf78512099e3016b5e140d8b6de4a944a91c6272e11b2f7f09a32e288416b9bd1b634702460cb30b6