Malware Analysis Report

2025-08-05 16:43

Sample ID 240204-yemceahdb4
Target 8ffcef8076920d374af454c1f3b406f9
SHA256 c18f66b20db148aff2ff1bc3e2b6634cc8f6f6ed6842fa17839ef435a4ec3d84
Tags
upx adware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

c18f66b20db148aff2ff1bc3e2b6634cc8f6f6ed6842fa17839ef435a4ec3d84

Threat Level: Shows suspicious behavior

The file 8ffcef8076920d374af454c1f3b406f9 was found to be: Shows suspicious behavior.

Malicious Activity Summary

upx adware stealer

UPX packed file

Checks computer location settings

Loads dropped DLL

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-04 19:42

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 19:42

Reported

2024-02-04 19:44

Platform

win7-20231215-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BDF6E57E-7330-40CB-8363-D82E9BFF223B} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\eyfwin.dll C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe N/A
File created C:\Windows\SysWOW64\p.ico C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe N/A
File created C:\Windows\SysWOW64\sf.ico C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe N/A
File created C:\Windows\SysWOW64\c.ico C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe N/A
File created C:\Windows\SysWOW64\m.ico C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe N/A
File created C:\Windows\SysWOW64\m3.ico C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe N/A
File created C:\Windows\SysWOW64\s.ico C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ios.dat C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d600000000020000000000106600000001000020000000cf8ac6bc8fa8769604a63ebe93d6118200f697d4b613160c3d89bf1d1645b0c5000000000e800000000200002000000002a985d210547b2a299733e6bd4d08a2e578b4e2741ce20bb519731f5dc4bf4e200000008d1d100079a736e85dd4272e362e24dfdb04ce326048c97092602d77823562ef40000000f0001a849e51b4be2201e502c56ab5160e1c93795a8c443e8b8bd10baa13cc8a6749e9b917dca9f4b1236977c4879d7396b00234a674747928efc5e07fd69182 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90c0c14ea257da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7A4C9A01-C395-11EE-A5E0-76D8C56D161B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566b58630fb3a044b91770fce5e9b2d60000000002000000000010660000000100002000000066013b92cb645b8e58d970bfbda7db65bd4965b830ca5defbbd76f84e188c54c000000000e8000000002000020000000947229e943070f9016e9c5493de4034abc415b6f5b939427438a84e91bf6812690000000f6a7ff823b063452d904926e686099c8917569f62e66faffad948de214f51216d388f2de4ca2a586317d82de2a0e582fb29dca93c8cc1d9a2e575a12b5afd1dd9366e6e81a21d016dad8f53cde30e46caf02f38907ae5269444a8fbc5c96280122edcffde3f27839271d07af015ccf2582a82ba26b19fad9e3a2401e17dbb1199fb91624b739333b7b7c61dd78ac60f240000000840e64bc4167196f79b5e448b4fb28ca82b422956db00ef3617cbf2038d1b37b741e553b8fc769152a03c65038f87b7ebdd454a918192061aa4684e6626e5e48 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "413237593" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ = "_Iffgd3cEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\InprocServer32\ = "C:\\Windows\\SysWow64\\eyfwin.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj.1\ = "TrumanBar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\ = "TrumanBar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ = "_Iffgd3cEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj\CurVer\ = "Ho4ydomoj.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj.1\CLSID\ = "{BDF6E57E-7330-40CB-8363-D82E9BFF223B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj\CLSID\ = "{BDF6E57E-7330-40CB-8363-D82E9BFF223B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\ = "ddf457 Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ = "Iffgd3c" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ = "Iffgd3c" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj\ = "TrumanBar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\ProgID\ = "Ho4ydomoj.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\VersionIndependentProgID\ = "Ho4ydomoj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\eyfwin.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2372 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2372 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2372 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2372 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2372 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2372 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2372 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2372 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2780 wrote to memory of 2824 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2780 wrote to memory of 2824 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2780 wrote to memory of 2824 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2780 wrote to memory of 2824 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe

"C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\eyfwin.dll

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://configupdatestart.com/bind2.php?id=3913842

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 configupdatestart.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2372-0-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Windows\SysWOW64\eyfwin.dll

MD5 732cadeaf934ac1edc47f1a577eca711
SHA1 444f18e24d9c48e99b142c85ba6e65cba693988f
SHA256 e232ef1159527f8ef57f480dcf0399d9b718354e90449545b1a3b7ea30015871
SHA512 9b8a8e36b8e7292915a99a47796cd89dab6af4a506bf956093cbcefc24a4b7d3864f26c50d4b4326c38d03a8aca8c4be822e1702b436e9a97b1e084c6e9c0e5f

memory/2372-29-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab320B.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar328B.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94948acb994187ba726976dbc15668d1
SHA1 d2f4cd38a7fdc8f60d6996c1852d436e9a09cea3
SHA256 b30927ca399098e196bb7783fcff5731e799647189c97a9aa821f6e52ee0dfec
SHA512 1bc78a410bfe0674b1400adacea3ea8e30e4395ada83d4d0d6c6d11fb90b980b79cbfbec0af033475ddf2f1423309e589e6b55ce82775bae88874177acb91ec4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 30e4cdc2d137eebcae046057c2733c9b
SHA1 600cff8ea458649196055d8cb410b010b8948f27
SHA256 0294f464c7aa4b5a882515a9922f7f836d407c809a261743f85fdb319cb0cb82
SHA512 abf1ec370543e9b149a25d567a42b60cbd982f5392b7b8f0a102852ea75c297dcb9528ec90fe9d206b2e090719d0c0bbf036dc60826cfe4a5d264df879fec768

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e459c8be50281da4046a613507d365a6
SHA1 9eac1bf278cb9a6ee5ee9450af3aa56a13973fbd
SHA256 9c9b3993c57f2710594712029d10adb8b3f5a8208a1824f937734cf67f341f63
SHA512 7927966bee9705450ca5ccadb91117beb5458e210ae832a29c7a90cef40b6cf5881ee76d494507b9e00d640f189bf3efc18c7a697e328798d05e69f124c8c414

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8974dafe9683042fb749ef1c95728ad8
SHA1 f342973a9fe0bb83d50f5256edeba0cd3fdb1c9c
SHA256 9f82fff5e9e551c5f06c23c1c1602538afd772d53b930bb8b57a704ae1021902
SHA512 498b15100ad69a9fff85b80bf95cd68a6528916e69ee93d543a94d7cd42615e41a2e25d49054854e3b526ab819aa1b83f063b0da77c026a6d0d0b0c40cdd0700

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 876ab6fd75b174455e3d8ef78e3125cf
SHA1 4e25c5cbcb6a07889111644261c2097b7746e5ea
SHA256 785a61294b47e5f11561bd3399ed8fb457211cb1a7420a9e849773cc8519be17
SHA512 10e13a795525cba53f0bef5b5a4cba65ea86d9661c77c7f8ce7f1d8ca4c8e7b7b976815bee29504d6bd9d5e4c7533aa19930c40630df6061d6f4d6841ce38d05

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f129a7584bfca49ca9d542a5dec1d270
SHA1 78ad5b9f686911cb83b41977f8b63b9f526ed3b1
SHA256 7cb25e74916977abcb0c63ee1f2f53504b32373ec961464f0170f8f617652b3c
SHA512 8d36431ae0669ebc016a03adebc4e7bac7ff4f04f43db178c220074893bbbc3effc70ceea82734a58f8162a8bc050ea6baa3edb311a483c64779da7d29a615c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f2c1b0824ace765fe2baefece1fe768
SHA1 d4f283e8e7605390023c8e55ae557cc8e836bbff
SHA256 5b10db8df1e642bb38294a19da61e0feefc423ceddd3d80290c8578fdb0264ea
SHA512 c82f9874bd50ddbb4b73473eb9f63417d024abd9e088554c4e5a0dc4e0a7f07c531fb43d681e7ad1b49d3309fed5ea1023f53f4a5ac4a332084a746ede1a7016

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f438fcc6a9b10da54c4ced3d64658886
SHA1 322b91aef090ab2728f8c06d7a647f5d28716be7
SHA256 6a876a12207b0ea806aaaa94d57d9534d7ada7c1b27a94491307eccd539c5113
SHA512 2ecd425176e24d645272be0952d6bb967a1d3e7f7875d5c06d15459a46f6928a8d92ca45d410ea520db12d697b7a2c1283034dc052b637e7aa5d6ae9969e138c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 69ec01c27e22686a553e3c94f5394c72
SHA1 657383be1ec860a1b2fd59e68b4341d86277cbdf
SHA256 d9f33e3e21f1d6da032fc772c3e3f7be2fd7b8bedc07b1debbe058ed7ba00497
SHA512 ed4acc5c8769da913b42bfa46975eca30b521aaafe07b8a2a494dfbbaf9db2438b4dd976a1f505c20fca2fb2756985f1f0ef885ff1b1886a5ffac8bd6608fa2a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c0e4d35acbd2ef05abd322ecaa5eb15
SHA1 3531d7f99f710c5126dfbdcbe6473d81bdaa9dce
SHA256 7a8d9df8f43910b2411700ef7db64cdb42b55b9c05ef663d6d73060b0d69ad56
SHA512 64ac5bca35374326a77f00f6681905a77fdbe8e27578bf85b5d7d99a3a46c590226e502d46bdea96afd0095ff4107af7e2c8e389fe5733d9da1aa3d5f961885b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 367dcef0fe9c67c55f15fa21ad09f6f2
SHA1 c2731ce226fc9ee50f3cda95aaadbced646aaf2d
SHA256 7df5755d36adc33dc04f354458037a3649dbf82daf028bef17d2119bf2ea28da
SHA512 88b74696754baf1d141923fb88e97f1e48fb620c4b643fda598b1d60d9394880dc8bfe1e112d8e61956c1670d264342c5413fd712b2982dc469bd0bb32c04634

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e789ed7acaf0e3e374abad0065bdecef
SHA1 cd69cfa42c3596ff1c587a9ab60c78840ca20d03
SHA256 fd2bf820088e8fd91d11b9a6971e1c606d3d5eb9ebb2d2fd8c1cae93ad395e78
SHA512 951e218aa89060704b688f9c6f378640262f079c7774c9d11e5ce7b895f886970504aa29649a6f36587a574ae3f1bf4418b3e3acc5b04324e05fca8bd170b531

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2904ab405bdb5dfa9101408416dda90a
SHA1 7a135cc0b54d97253249d8305998d049a4d55d77
SHA256 3a003280243da33f36001ddd202c7c35ae4ca75ac25aab5876a730be4590f8b5
SHA512 7f8d9219d841d6d82c036435e89051425f652bb10b08c9ef9c75cdb24798cf9f6e28bdcc78d3004f8b96721b6958cd92e85a700dc9ec9058e1970ba487c5f686

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 60c27e4ea9787f7c6005e81c87cc6277
SHA1 b7fdda940467090d520d1cfdbe56cc704fa293a8
SHA256 4a96c801e20ae70ea980f98ca2937637cc2f1175c6d7faa11b97f9de263c2e64
SHA512 8ff28c92d8841a3ff87bfca5d2460d4a2c89c8f4bccd2911a645e5df3017e83e008df8b3502922e3356134b5e0ea784a5a87f17c935cbba0c3de0556ea39cce6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 409fc0a781e38a9e0b3a61bc34e95797
SHA1 1e0dce5555658d89115017d0432818f9e10d8da6
SHA256 6e185d3b59a23df9c9abab59059a240f84e5b0ee238a37977a19f92328877905
SHA512 4fd486113829c7c9dbd2b7127373c0b7e9b869ba6e1115a9f44ed6f51d8b963bbb7cc1af930c0fb586c98d731e1c268a128e1a124e76f009c36e90d245c6dec2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 16a0408b7e50caebd1e9b1be56136b38
SHA1 c566cb32813b099ad62d7ccbc58dfc450eee5e06
SHA256 7564baaac54af7922e37bb659aa523e27dee836f144e30b76f684833999839ee
SHA512 f7f6aba1adf2dabdc6278a70a6b9e25c9dfaac0e7bc2240b3cc6f0375ff6de79c59f29c373ac32ce011c831050a236195b8d209ef8d26786af79bc7cba8a0c34

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e8bcd45deff100a048e93cca379d40c4
SHA1 27efe2a3eb4f4a66056868ca31fca79fc85c5646
SHA256 125068523483e7fd9fc4bd3480220a276dea43d554e4fe91b5cc33e72d1de960
SHA512 1161c13910981d65beba088733f2770c069609e278d3a52a279bfa2658d184c5d79158deaf77b127a3e2301bad8038dad0431a67142abce2bf65ec85be3aee7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 29091c8dc162630c302427dca5182657
SHA1 2d4cb12ac55365bf40b8fe5bc1a9db5ded2eb9a1
SHA256 b27344e52bd4279c35b74d743e949767e474c5f17aad84dd7b4544f95b141589
SHA512 7cb720c94f3934c32fdc4eab4cd3f90b632a82e90d321706dd8d836202ab96371c6096bb08735552987a7ae686a6cd80025d9b14fda8c03a52f8d355f8a99bdf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 60b047687e7c5636d62a2ea31ca18fba
SHA1 b10e06c6a43efb87691bf320eedcbf69b4870f31
SHA256 f910bc4a3faadadc608a10b2cfb33ea5e67a301b1fc1b2c24574c6f2cc279c15
SHA512 96638dc420a69ef1e5eab6f9c89d131c78eb4170319cf1d4f49dd68a52285e363f21316b406a111ab696830a79aa71d18ad37d55a689cceca5a97851ea511445

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 35bf63c2f10f6b4d70baa538f7f70c4c
SHA1 e9dd9e51adf2469cf5221281722e608bcd8101fd
SHA256 41cf0e30302a32f0981358fe41a3d4dfdf9b962ca5542914766fc010c5de61b8
SHA512 3673616152a7c407b7ad7e44ddbb5c0b01618e2ad055e3db375cb1d506ed1265e0836422abd30b3e49e216b263c4064ae91efd52a30be2c7cc34fcf7aa0bc491

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 19:42

Reported

2024-02-04 19:44

Platform

win10v2004-20231222-en

Max time kernel

146s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF6E57E-7330-40CB-8363-D82E9BFF223B} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sf.ico C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe N/A
File created C:\Windows\SysWOW64\c.ico C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe N/A
File created C:\Windows\SysWOW64\m.ico C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe N/A
File created C:\Windows\SysWOW64\m3.ico C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe N/A
File created C:\Windows\SysWOW64\s.ico C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe N/A
File created C:\Windows\SysWOW64\eyfwin.dll C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe N/A
File created C:\Windows\SysWOW64\p.ico C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ios.dat C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ = "Iffgd3c" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj.1\ = "TrumanBar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj\ = "TrumanBar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\InprocServer32\ = "C:\\Windows\\SysWow64\\eyfwin.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\ProgID\ = "Ho4ydomoj.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\VersionIndependentProgID\ = "Ho4ydomoj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ = "Iffgd3c" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\ = "TrumanBar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\ = "ddf457 Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj\CurVer\ = "Ho4ydomoj.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ = "_Iffgd3cEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\eyfwin.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj\CLSID\ = "{BDF6E57E-7330-40CB-8363-D82E9BFF223B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDF6E57E-7330-40CB-8363-D82E9BFF223B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ = "_Iffgd3cEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj.1\CLSID\ = "{BDF6E57E-7330-40CB-8363-D82E9BFF223B}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{685EDF73-6BF2-45EA-A1C1-1C4C0C044307}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Ho4ydomoj.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9EFB101A-EA9A-4065-B8A4-8963FC57C446}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2096 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2096 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2096 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2096 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2096 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 4912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 4912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 3908 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5116 wrote to memory of 2220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe

"C:\Users\Admin\AppData\Local\Temp\8ffcef8076920d374af454c1f3b406f9.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\eyfwin.dll

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://configupdatestart.com/bind2.php?id=3913842

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf99546f8,0x7ffcf9954708,0x7ffcf9954718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,1722660150891342615,9099823534265754620,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 configupdatestart.com udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 configupdatestart.com udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 configupdatestart.com udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 configupdatestart.com udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

memory/2096-0-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Windows\SysWOW64\eyfwin.dll

MD5 732cadeaf934ac1edc47f1a577eca711
SHA1 444f18e24d9c48e99b142c85ba6e65cba693988f
SHA256 e232ef1159527f8ef57f480dcf0399d9b718354e90449545b1a3b7ea30015871
SHA512 9b8a8e36b8e7292915a99a47796cd89dab6af4a506bf956093cbcefc24a4b7d3864f26c50d4b4326c38d03a8aca8c4be822e1702b436e9a97b1e084c6e9c0e5f

memory/2096-29-0x0000000000400000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1386433ecc349475d39fb1e4f9e149a0
SHA1 f04f71ac77cb30f1d04fd16d42852322a8b2680f
SHA256 a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc
SHA512 fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e

\??\pipe\LOCAL\crashpad_5116_NKYUNPLPEKLHMVSD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b09b1e217ce2b60ba6be793c23caafa3
SHA1 d6debfe5d552293ab8781e8d45dee4a2cfb5635e
SHA256 e9713de62aa928411d91507c5bf05e9cc6bd1ab1f494b48703f039876e986193
SHA512 ec21be7c597502648e8d74207a9371d3fde762bc853c62263f02ce70fa7be073a2caa364c3ae5390d2e8704e741d0769a6116e14f4be9b629a92f8a6d718e1c8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\60d0e30b-3aae-4d4c-a160-9dec8624c188.tmp

MD5 7a742df440dfce965bc943b3d52043b3
SHA1 b36169f5a8b66c4faee010583872c67b65df04b4
SHA256 eea4a0179cf1c166c0509f6caede3bd57b4fe9ff07f62e25b9be1b083366c465
SHA512 6868cd6eb7b50cbe0fae51def840761d1003d2193e77d512449113c7fa728cf08cb201a962ec9b2503efd76df5a56252e7cea00a0d2db6b7c6d69ec0c3048be2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0591379cac5973852be77ad276026495
SHA1 81f458db4ef0484e520e660f37306234a267614e
SHA256 c0079cbd1beac2a5588e5f3d4b59ba5237661d9944315bdba32581a6260da4f9
SHA512 1d3b61279e0649d5310ad08e4074f312c3baf8b580cedcf85f4d56f51467b4383b8e981e6aa3de021e7178aa41d0c8e935d8a67c06fbb47824171ea83d1701be

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 e664066e3aa135f185ed1c194b9fa1f8
SHA1 358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5
SHA256 86e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617
SHA512 58710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e