Analysis Overview
SHA256
bb3d8ba65f4589ea9072d6b26ff12145c38d66c9e6cbd2743d2f66cb735d4f2a
Threat Level: Known bad
The file checkers.exe was found to be: Known bad.
Malicious Activity Summary
Gozi
Reads user/profile data of web browsers
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious behavior: AddClipboardFormatListener
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-15 15:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-15 15:49
Reported
2024-03-15 15:52
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Gozi
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\checkers.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\schdyovj.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\checkers.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Windows\Explorer.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupView = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874369" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\ms-settings\shell\open | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:PID = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\LogicalViewMode = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000070000001800000030f125b7ef471a10a5f102608c9eebac0a000000f000000030f125b7ef471a10a5f102608c9eebac04000000a0000000e0cc8de8b3b7d111a9f000aa0060fa310600000080000000e0cc8de8b3b7d111a9f000aa0060fa31020000005000000030f125b7ef471a10a5f102608c9eebac0c00000080000000e0cc8de8b3b7d111a9f000aa0060fa31040000005000000030f125b7ef471a10a5f102608c9eebac0e000000a0000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\LogicalViewMode = "1" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByDirection = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:PID = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 7c00b9b5f87f000000000000000000000000000000000000000000000000000010000100300036002f00320039002f00320030003200310020002000310037003a00300038003a003100380000000000000000000c000000000000004e006f004500730063006100700065002e006500780065000000000040f8bab50000 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\IconSize = "16" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\ms-settings | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "2" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Mode = "4" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = b40052004500470000000000000000000000000000000000000000000000000010000100300036002f00320039002f00320030003200310020002000310037003a00300037003a003200340000000000010000001b0000000d0000004e006f004500730063006100700065002e006500780065002d004c00610074006500730074002000560065007200730069006f006e0000004e006f004500730063006100700065002e006500780065002f000000b0352d0c0000 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\ms-settings\shell\open\command | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByDirection = "1" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\IconSize = "16" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\NodeSlot = "4" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000070000001800000030f125b7ef471a10a5f102608c9eebac0a000000f000000030f125b7ef471a10a5f102608c9eebac04000000a0000000e0cc8de8b3b7d111a9f000aa0060fa310600000080000000e0cc8de8b3b7d111a9f000aa0060fa31020000005000000030f125b7ef471a10a5f102608c9eebac0c00000080000000e0cc8de8b3b7d111a9f000aa0060fa31040000005000000030f125b7ef471a10a5f102608c9eebac0e000000a0000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Rev = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\IconSize = "16" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874369" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874385" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\NodeSlot = "3" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\ms-settings\shell | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Rev = "0" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 6e003200ad6fd8006f58797e20004e4f455343417e312e5a49500000520009000400efbe6f584f7e6f58797e2e00000000000000000000000000000000000000000000000000fad76c004e006f004500730063006100700065002e006500780065002e007a006900700000001c000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupView = "0" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\checkers.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\schdyovj.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\checkers.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\checkers.exe
"C:\Users\Admin\AppData\Local\Temp\checkers.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c8fb46f8,0x7ff8c8fb4708,0x7ff8c8fb4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\japanpear4332125.vbs" /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C computerdefaults.exe
C:\Windows\SysWOW64\ComputerDefaults.exe
computerdefaults.exe
C:\Windows\SysWOW64\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\japanpear4332125.vbs
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C schtasks /Create /SC ONLOGON /TN UpdateFirefoxComponents_phFehpiq08w1HvqzO050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpnidm\phFehpiq08w1HvqzO050MX.exe" /RL HIGHEST /IT
C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC ONLOGON /TN UpdateFirefoxComponents_phFehpiq08w1HvqzO050MX /TR "C:\Users\Admin\AppData\Local\Microsoft\Windows\Notifications\wpnidm\phFehpiq08w1HvqzO050MX.exe" /RL HIGHEST /IT
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5516 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5584 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1360 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\schdyovj.exe
"C:\Users\Admin\AppData\Local\Temp\schdyovj.exe" explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,175717256700392078,13057728187291656713,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6628 /prefetch:2
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\NoEscape.exe-Latest Version\vc_redist.x86.exe
"C:\Users\Admin\Desktop\NoEscape.exe-Latest Version\vc_redist.x86.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | arc.srv.lan | udp |
| US | 8.8.8.8:53 | edge.msiserver.lan | udp |
| US | 8.8.8.8:53 | ntp.srv.lan | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nav.smartscreen.msiserver.lan | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | textpubshiers.top | udp |
| US | 172.67.146.76:443 | textpubshiers.top | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.146.67.172.in-addr.arpa | udp |
| GB | 92.123.128.140:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| GB | 92.123.128.140:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 140.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| GB | 92.123.128.180:443 | r.bing.com | tcp |
| GB | 92.123.128.180:443 | r.bing.com | tcp |
| GB | 92.123.128.180:443 | r.bing.com | tcp |
| GB | 92.123.128.180:443 | r.bing.com | tcp |
| GB | 92.123.128.180:443 | r.bing.com | tcp |
| GB | 92.123.128.180:443 | r.bing.com | tcp |
| GB | 92.123.128.184:443 | th.bing.com | tcp |
| GB | 92.123.128.184:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | 180.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| IE | 40.126.31.67:443 | login.microsoftonline.com | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | services.bingapis.com | udp |
| US | 13.107.5.80:443 | services.bingapis.com | tcp |
| US | 8.8.8.8:53 | 80.5.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | nav.smartscreen.msiserver.lan | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.108.133:443 | avatars.githubusercontent.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | edge.msiserver.lan | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 140.82.114.21:443 | collector.github.com | tcp |
| US | 140.82.114.21:443 | collector.github.com | tcp |
| DE | 140.82.121.5:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 5.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nav.smartscreen.msiserver.lan | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | edge.msiserver.lan | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| DE | 140.82.121.5:443 | api.github.com | tcp |
| DE | 140.82.121.5:443 | api.github.com | tcp |
| DE | 140.82.121.5:443 | api.github.com | tcp |
| DE | 140.82.121.5:443 | api.github.com | tcp |
| DE | 140.82.121.5:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 5c6aef82e50d05ffc0cf52a6c6d69c91 |
| SHA1 | c203efe5b45b0630fee7bd364fe7d63b769e2351 |
| SHA256 | d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32 |
| SHA512 | 77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed |
memory/116-6-0x0000000000090000-0x000000000009C000-memory.dmp
memory/116-7-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/116-8-0x0000000005410000-0x000000000542A000-memory.dmp
memory/116-10-0x0000000005520000-0x0000000005530000-memory.dmp
memory/116-11-0x0000000005530000-0x00000000055C2000-memory.dmp
memory/116-9-0x0000000001470000-0x000000000147A000-memory.dmp
memory/116-12-0x0000000005B80000-0x0000000006124000-memory.dmp
\??\pipe\LOCAL\crashpad_2096_LWBCHSLTIRHSGYJU
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 7c6136bc98a5aedca2ea3004e9fbe67d |
| SHA1 | 74318d997f4c9c351eef86d040bc9b085ce1ad4f |
| SHA256 | 50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2 |
| SHA512 | 2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 33821c62474bebb361042d6fb432f967 |
| SHA1 | 15e7444b122bf84bb24ef80bc65bc0ea422fea37 |
| SHA256 | 8f8a108e160d88458c65b34460d7a046541fe91fb4fa118ce63617157513bb70 |
| SHA512 | 376f8ea6801ec61dc09cf1d99b49c236ef105af9d276764a6f4f7986c38258396108a6721b0f4c3471394c3b371adecb65e2fbc0ac2238364b4fdfabc27ef1e6 |
C:\Users\Admin\AppData\Local\Temp\japanpear4332125.vbs
| MD5 | a34267102c21aff46aecc85598924544 |
| SHA1 | 77268af47c6a4b9c6be7f7487b2c9b233d49d435 |
| SHA256 | eba7ab5c248e46dbe70470b41ebf25a378b4eff9ce632adff927ac1f95583d44 |
| SHA512 | 5d320312b93b46c9051a20c82d6405a3f2c78b23adb3ab3e71aad854b65b500937de7ca2986cf79967386d689beecccf676d89afde8ecc5d5ad0cb4ae2bf38a3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 073ec513a4d8d2831b43de66740868a0 |
| SHA1 | dab1dff3c9d6854b02d24ac9c351507a4e925551 |
| SHA256 | 49e809674cc98c822bf3322a9a50b3ef5fb84775ba921bfc879830c520c54e91 |
| SHA512 | 62ced84b282c29f5e13576e52b69bad98e7195e506e49313b966e8eb8e66d30668a24b0959ec59ee7646f0ab1514455b0f02fffbac84e9b9eee556ac7d039522 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b37cc5462e131a821147ed36cde83b8b |
| SHA1 | 7ca5f0f17e6d9212f44458acca3e902059244599 |
| SHA256 | 7de7cfab1a2f89e95a1a71fd6185835cc56503c1e0c33ee2c27fa13a7bca196e |
| SHA512 | cbed2f0fe47e4a53585704d6d9d75f98ed623091b2a8db9c0adac7d095dfc968fb6657164e514ddabfb60f899cb6d83840d28877b06d8f50447201b326a561fe |
memory/116-66-0x000000000B2E0000-0x000000000BEE0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | bbd07e9e5bd0b9ee563dacbbe7d2a122 |
| SHA1 | 31074b78bcb7ab68aa0387e12bafb2f88a6a77fc |
| SHA256 | 7226537a6d860393599cd971a728e84563bbb264aa1ff7d9a84463e8ee7cc381 |
| SHA512 | 598308488760b54e1efbcbc9e595557fa2de3445e3bde81bb0e375c035fe3df5798d50cef50bd2c20f9ba41b02f98e57e8da50ad2d3225cda18f800143906671 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 807419ca9a4734feaf8d8563a003b048 |
| SHA1 | a723c7d60a65886ffa068711f1e900ccc85922a6 |
| SHA256 | aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631 |
| SHA512 | f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c |
memory/116-312-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/116-315-0x0000000005520000-0x0000000005530000-memory.dmp
memory/116-316-0x0000000013480000-0x0000000014122000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 7f586fc57ed4580845c28cb3678ff123 |
| SHA1 | 5788cc367d1d889196213395b3ff5ae3fc1780f8 |
| SHA256 | 4b0d2d2a9628b787f855892a61815cfbba49934aa133780f52aa05e56e1428c9 |
| SHA512 | d4759e0f1233614573112bbcfab796578806ae1836133768b437cd09acc886e75233e86b1cc1d5ec88b54b55571ec5d75513ea1b720e2ac663cb6ef9801b4817 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580f3d.TMP
| MD5 | 46669a0b5b4b31c15853f917cd37caec |
| SHA1 | d6855aea5424046665b081d114be0cbc8c431669 |
| SHA256 | d0e254f0b363991053022b6842104542f0333704ed5242bfbd5aa8300af6d741 |
| SHA512 | 2e535e4ae7c4eaa970dc003c2954297c8efa4d1904ca0ea1c40bf03a3ded4344f33369b5530a351f20e29a8b8b68ab9c762a47ab63d823cdcb4396c035cce1f6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e404405ba4d35137ac8c6196fd0ea696 |
| SHA1 | 7a1cb245d8257dee1a7b66d3924ed1ade20681b2 |
| SHA256 | 9b5fe79125fa1d8b994ce39808cf69f6b8851b89fcf00b146e27e790d61b54a2 |
| SHA512 | 5ced374089daaf6f53f4893d8eda159d7c6ed4ad9d1214a6c1f529605cd4da3c7d943675adfa14f868c01bddc97efd566dd3935fb7cb6a39a4b1692799c6b4f1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 292e2c187ee230b6a61c52152a4f5eee |
| SHA1 | 3814a898ca542ed29f5649029ca99730b9d17dbd |
| SHA256 | b25b691b872ef9ff8c6ec810d1e0b7fd98a194c54ed1ac15a968aa6c0acda1b8 |
| SHA512 | 8268cc73c806ba55eda0fee31973919fece5b754035c1116f6c57848c39a493471e2d2d044a294ca05266662febdbf367b62f13c3217ae9a96c0300d174f399b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 99a21371533baf589c61c5bcd7db695f |
| SHA1 | b49a7c7dbfe1ababc6ab2dce0072ac37241cefb9 |
| SHA256 | e882d49019d0b8d83346a0536ec3836af4bb16bbb975c3ad95a89402418568fe |
| SHA512 | a946062bb46e000a9ca9b5870896335c65b87b6d835808b60a3844c4ecafdc92dafdfede787a8e3adf58349680b19ac9f95d014e38fdab8e760b8a73b30bef33 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 6f857ca03aab313890210decd5140c5a |
| SHA1 | 257243c387d98f20295ae84a3d1acba0c7f3c46a |
| SHA256 | ae2b367360f126f2eb4738aa42fc4a88ff08f35273a4cc3e8fb37dacf38d80b2 |
| SHA512 | d07ad96c281a1ee81391311d3366fc4c64c4cd1278e7914369fcadd00a4572ab27619fece050e051514f265acc57229bd91b68b22ecb09ed62f676b556818035 |
C:\Users\Admin\AppData\Local\Temp\Costura\40BD99E3E2E3C109881E4ECA2DEDC617\32\sqlite.interop.dll
| MD5 | 6f2fdecc48e7d72ca1eb7f17a97e59ad |
| SHA1 | fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056 |
| SHA256 | 70e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809 |
| SHA512 | fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9be1c6562122cf04731606c867afbab9 |
| SHA1 | 989b1c43d10aaeb3de6a451696cc4b2198e521ee |
| SHA256 | 3354f1ccc3731d04a3e397e81e35c22179ca3e419c21895f91a51a2e310b1b24 |
| SHA512 | ac720d0af550240a8a6728fda0f0eb1c48f52c227cc2db5d8cce0704dd9be9a91500503a77b2e1ace3dc6e8c29aa1f4d53247be44a1c4274453bc2b253d6a4aa |
C:\Users\Admin\AppData\Local\Temp\schdyovj.exe
| MD5 | e898826598a138f86f2aa80c0830707a |
| SHA1 | 1e912a5671f7786cc077f83146a0484e5a78729c |
| SHA256 | df443ccf551470b3f9f7d92faf51b3b85ae206dd08da3b6390ce9a6039b7253a |
| SHA512 | 6827068b8580822ded1fb8447bdb038d0e00633f5ef7f480a8cdeaab6928ac23022a0b7a925058e0926ce9b41a6c8c22a5692e074621b2fccdb7edd29a0d4cfb |
memory/3556-393-0x00000000072B0000-0x00000000072B8000-memory.dmp
memory/3556-395-0x00000000072B0000-0x00000000072B8000-memory.dmp
memory/3556-397-0x00000000072B0000-0x00000000072B8000-memory.dmp
memory/3556-394-0x0000000008090000-0x0000000008091000-memory.dmp
memory/3556-398-0x00000000072B0000-0x00000000072B8000-memory.dmp
memory/116-404-0x0000000006AA0000-0x0000000006AAA000-memory.dmp
memory/116-405-0x000000000AF70000-0x000000000AFD6000-memory.dmp
memory/116-406-0x0000000001380000-0x000000000138A000-memory.dmp
memory/116-408-0x00000000010F0000-0x00000000010FC000-memory.dmp
memory/116-409-0x00000000013D0000-0x00000000013D8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Gongle\aXLWCEKWYX\6m8kj4bi.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
| MD5 | cd57a250f77d8355c48e4b8829877870 |
| SHA1 | b7a30c063678ab42fb5ae8fa692d9d94495d4995 |
| SHA256 | 1c08ce5b680bb3e2daaf37548447581f5f8c9f9f478051b8b494266e64157fd6 |
| SHA512 | 71925785555551c65603ab55da66bd06f481dc71486401d48870e5af7d7cc4dc483918e3aaee5a8f3964787e39fb0f350bcf48019fd271ed159bcbdca69fe692 |
C:\Users\Admin\AppData\Roaming\Gongle\aEKDGDD2S4\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Roaming\Gongle\aEKDGDD2S4\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Roaming\Gongle\aEKDGDD2S4\LOG
| MD5 | 514ab80b1e212fcc9ae2b0178841e3e2 |
| SHA1 | 32bc22901c42ef6dd991f4b44edff58a23adce31 |
| SHA256 | aad983ff75a571927562eac7e608f123eff3bce720520144e98caed7c7b4ff33 |
| SHA512 | d342b205881da0dd87acf61232ca46945ac57c142b515b44bc59c5b3e62ae63a10be21efd6f9cce49c84faa7338095914c0c6bf9502dedf695b37379129c143e |
C:\Users\Admin\AppData\Roaming\Gongle\aEKDGDD2S4\LOG.old
| MD5 | 0572cc8d2a4d3a84a553128294cefa83 |
| SHA1 | 3dd4b8c98d0964794572eccef397c915016a366e |
| SHA256 | e5e5939663b11991e48fbb125e62429381930f42b61f4a95e94431b611cdd7b5 |
| SHA512 | 741902a41f09c9d8932bf2ca41aee083326e3650aaec3c01e5d9d696189d45609a1126e413814508d62db27144703442aab7dc7501ab3f3786f772324b21e6e3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log
| MD5 | 9896887afbef3d079a3f0b5c4bc22079 |
| SHA1 | 44820972039819c50040f29137b8e57f200936e2 |
| SHA256 | c02573084ff195a07bd85c5ae0a1f98a3a95ebfebb100665d447eb0c33f43800 |
| SHA512 | 7baac9ecdb9cca8019b52acde14890180aeb86756741af6caacb89cc58e9d5b5d954ade7bf6efd8cc281c363a25ca094ecebf547f619e007c1219c28e2da1f96 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
| MD5 | a46baa86a72c5d5aaf7a8f5d5658c476 |
| SHA1 | 096429f29af3609679839eef2d2080febbe2b62d |
| SHA256 | 039b32552ea3ebce4c29241e2deef451aa486da9ef9c0c11150149a81a8b1659 |
| SHA512 | be4d1f52fa1355fa0793bdba893cb91853256cbffab6f21a7d01deca528b171e8011be49755222f2293552bf8228fb828cb1c87fa74a4a1290c8bf53446b429e |
C:\Users\Admin\AppData\Roaming\Gongle\aDMTSH87W4\LOG.old
| MD5 | bf5095a328ac005596cf4e7a1f2048b9 |
| SHA1 | 3fb37db6e283380e6a7255b3f920a8d4a4b7e435 |
| SHA256 | bf2f2af1be5b115452a0d3f5bb9c448f9658e06326efb6b2b28ff65238f16f27 |
| SHA512 | e82798592b446b7e51b3e46f29fc825372366c5ac4778d1b7ddcb48f8f0e7cbff0a1418473401d4aed1dfc1d7046040ecd9aa9e10bcc00e2be69f3757952e20a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 3f66fa8b9a07959649d96999d2759f95 |
| SHA1 | 96552c227fa19f0c20b29c32796683d1bea4521d |
| SHA256 | 8b24a147bf912c09daf92aad79a1eeda9afc0d946656dfea1c5d502132cce7e9 |
| SHA512 | f977fd26c6edecfba095a9b9b432e5f9c6d3473c1c2144d021668257d3b0e345672ff776fef343e8699ef16c49c7f2813ac5b7332e450062d62bea0a05fb4430 |
memory/116-557-0x000000000A170000-0x000000000A222000-memory.dmp
memory/116-558-0x0000000007FE0000-0x0000000008002000-memory.dmp
memory/116-559-0x000000000A2A0000-0x000000000A316000-memory.dmp
memory/116-560-0x000000000A250000-0x000000000A26E000-memory.dmp
memory/116-561-0x000000000A370000-0x000000000A3C0000-memory.dmp
memory/116-562-0x000000000A3C0000-0x000000000A42A000-memory.dmp
memory/116-563-0x000000000CEE0000-0x000000000D234000-memory.dmp
memory/116-564-0x000000000A430000-0x000000000A47C000-memory.dmp
memory/116-568-0x000000000A500000-0x000000000A53C000-memory.dmp
memory/116-569-0x000000000A4C0000-0x000000000A4E1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\079c6e9cfc794c41821acee3cab067bd
| MD5 | edf67f649faf6171a8c47d152a9357df |
| SHA1 | 4422a168e85129c628e1cbeaf2a7d37f14111ca0 |
| SHA256 | 9292d9cbdc37cd9e1c8590b58d1e839dc0f085290d6cf6f0e7de1175a5c2d673 |
| SHA512 | 954f44ec38e094e634052500aa7dfc896c4054c48d603da5267a7b95f094c969b0213378f560e8b674931bc908691787926cc4dd95b1154bbfb193d5197d32d9 |
C:\Users\Admin\AppData\Local\Temp\9f99e7524fa246d5a92f08f11c0e9e08
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
memory/116-584-0x000000000A570000-0x000000000A57A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a
| MD5 | bb65901c889f4a5f6185d6f36ae0a06d |
| SHA1 | 90b503414e2554bb7222fcd07bbdd6d33904b081 |
| SHA256 | f9d707edad00049b5bec3a3b63d2401f33b90c1f4abbcd460a347675ce6b9394 |
| SHA512 | 1849e6a4ad193b86a068cf74d7be2bd2f771c0d95fe1b15f7fa163fd11625c3cae5d1b9af512e0c319ad33c67e5df638a0b3f69f629ad222f33dfe8f5b6f8a65 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | ead38410f8530b88c8852bb26a7b23b3 |
| SHA1 | 4da9e2b9c2a5c48a3e4920513cf25e47883234fc |
| SHA256 | 14fbfc7b9622f83ca1860e95cc2cf5df41b5376a959f0af2298e09ec6101b03e |
| SHA512 | feb9dab3da7cde8e08725909f5775c7ba4d1afca0ebda5d4d80d1e59ee02c6ecfdcd5e2d235656ff6f41c00a7c003981450e2cf10d88652f8a0a1f57d830ec06 |
C:\Users\Admin\Downloads\NoEscape.exe.zip
| MD5 | 1041ce8b0980ca32777b4ea0f3004810 |
| SHA1 | fb2e48999612b4b56a416dce723fba09e80ffc41 |
| SHA256 | 885fbf770bb82be8f85b736097a25a02a41d41bd9aeef1ab8ab87176d661c85c |
| SHA512 | 8340df820bd558ad8aaa636936c8078e88f89dfadfa022fb4dfc06a3cfae842be891861b417b849fc780879e88c1cd8f19202ea1cead03a836095c2f30cea7cf |
C:\Users\Admin\Desktop\NoEscape.exe-Latest Version\NoEscape.exe
| MD5 | 989ae3d195203b323aa2b3adf04e9833 |
| SHA1 | 31a45521bc672abcf64e50284ca5d4e6b3687dc8 |
| SHA256 | d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f |
| SHA512 | e9d4e6295869f3a456c7ea2850c246d0c22afa65c2dd5161744ee5b3e29e44d9a2d758335f98001cdb348eaa51a71cd441b4ddc12c8d72509388657126e69305 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
| MD5 | 18acd08a5da8615520aac0b305e4745b |
| SHA1 | 21d5bf58d167fa5b0675051cf2a16f875aab470d |
| SHA256 | 16297316cde7e60e41817abe61e72ef536756bf583c8bb17928c547562c7c61d |
| SHA512 | 2444fd5e229ddc138bf81d927b16127437560278438e8509e3970adeea2fd943291e6e2250c7d7231980deff6490310237b2880d403c857c9faa29a8c098d7e5 |
C:\Users\Admin\Desktop\NoEscape.exe-Latest Version\vc_redist.x86.exe
| MD5 | 3c02a4c9865cf2b3a10984841125506e |
| SHA1 | 01c07de317e71e724a0aa9d120a184316b3c53c2 |
| SHA256 | a7627eed83c6b6abe10a04d68925043b9797b46157cad9798c85b2daefe138d7 |
| SHA512 | d8224eb34ff9e21b6f605299a8bfcceb12ba567c3e33fe17df4c0f7a035566a0869ed896da7b0e84f336da7f82b3e3541d7f08848cfb7ff08bd85926ac02a0ac |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 87aa9e8497313526f204706cb9000817 |
| SHA1 | 69c1247030df21d9b4b79f12da81f7abb2f4268c |
| SHA256 | ce905eb477f8298d7390735ad2fb8822156f3583b5a53f285a2f0d0216bb7882 |
| SHA512 | b24f9d0675cf736bb6982bac871884be29350e97cd9a141362c2932001c95c439663bd5314f0623e80e4943b44dbcc79b0b6f7bd8c70bbe32cd191d1bb849683 |