Analysis Overview
SHA256
1d2851cb25ebbe6054a0de127ef44f384eab3820a51c85a94042a447b0303722
Threat Level: Shows suspicious behavior
The file efb5b4193206cbc0813e9c93f8432be3_JaffaCakes118 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Installs/modifies Browser Helper Object
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-14 22:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-14 22:58
Reported
2024-04-14 23:01
Platform
win7-20240220-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\For Public.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\bpk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\bpk = "C:\\Windows\\SysWOW64\\bpk.exe" | C:\Windows\SysWOW64\bpk.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin" | C:\Windows\SysWOW64\bpk.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\bpkwb.dll | C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe | N/A |
| File created | C:\Windows\SysWOW64\rinst.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pk.bin | C:\Windows\SysWOW64\bpk.exe | N/A |
| File opened for modification | C:\WINDOWS\SysWOW64\Hand.cur | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| File created | C:\Windows\SysWOW64\bpk.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe | N/A |
| File created | C:\Windows\SysWOW64\bpkhk.dll | C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\web.dat | C:\Windows\SysWOW64\bpk.exe | N/A |
| File created | C:\Windows\SysWOW64\pk.bin | C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe | N/A |
| File created | C:\Windows\SysWOW64\inst.dat | C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8E6B4731-FAB2-11EE-852B-6265250A2D3F} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "18" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "32" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8E642311-FAB2-11EE-852B-6265250A2D3F} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "133" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\gopremiumaccount.blogspot.com\ = "133" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\gopremiumaccount.blogspot.com\ = "160" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10bff362bf8eda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419297397" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "178" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\gopremiumaccount.blogspot.com\ = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "18" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\blogspot.com\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\blogspot.com\Total = "133" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\gopremiumaccount.blogspot.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\blogspot.com\Total = "160" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\blogspot.com\Total = "32" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "160" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ = "WelchGIFviewer.ucAniGIF" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\1\ = "147857" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\Clsid | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX1\\GIFviewer.ocx" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290} | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\ = "0" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\VERSION | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\ = "IE Class" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "_ucAniGIF" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "__ucAniGIF" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\TypeLib | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\VERSION\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID\ = "PK.IE" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR\ = "C:\\Windows\\SysWOW64\\" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155} | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "__ucAniGIF" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "ucAniGIF" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502} | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352} | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\Clsid\ = "{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0 | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ = "C:\\Windows\\SysWOW64\\bpkwb.dll" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A} | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX1\\GIFviewer.ocx, 30000" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0} | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155} | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\ = "WelchGIFviewer" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\Programmable | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0 | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR | C:\Windows\SysWOW64\bpk.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\bpk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\bpk.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\efb5b4193206cbc0813e9c93f8432be3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efb5b4193206cbc0813e9c93f8432be3_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\For Public.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\For Public.exe"
C:\Windows\SysWOW64\bpk.exe
C:\Windows\system32\bpk.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://freepremiumdownload.com/
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://gopremiumaccount.blogspot.com/
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:856 CREDAT:340993 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2332 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | freepremiumdownload.com | udp |
| US | 8.8.8.8:53 | gopremiumaccount.blogspot.com | udp |
| GB | 216.58.201.97:80 | gopremiumaccount.blogspot.com | tcp |
| GB | 216.58.201.97:80 | gopremiumaccount.blogspot.com | tcp |
| US | 8.8.8.8:53 | www.blogger.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| US | 8.8.8.8:53 | blogger.googleusercontent.com | udp |
| US | 8.8.8.8:53 | resources.blogblog.com | udp |
| GB | 142.250.200.9:443 | resources.blogblog.com | tcp |
| GB | 142.250.200.9:443 | resources.blogblog.com | tcp |
| GB | 142.250.200.9:443 | resources.blogblog.com | tcp |
| GB | 142.250.200.9:443 | resources.blogblog.com | tcp |
| GB | 142.250.200.9:443 | resources.blogblog.com | tcp |
| GB | 142.250.200.9:443 | resources.blogblog.com | tcp |
| GB | 142.250.200.9:443 | resources.blogblog.com | tcp |
| GB | 142.250.200.9:443 | resources.blogblog.com | tcp |
| GB | 142.250.200.9:443 | resources.blogblog.com | tcp |
| GB | 216.58.201.110:443 | apis.google.com | tcp |
| GB | 216.58.201.110:443 | apis.google.com | tcp |
| GB | 142.250.200.33:443 | blogger.googleusercontent.com | tcp |
| GB | 216.58.212.226:80 | pagead2.googlesyndication.com | tcp |
| GB | 216.58.212.226:80 | pagead2.googlesyndication.com | tcp |
| GB | 142.250.200.33:443 | blogger.googleusercontent.com | tcp |
| GB | 142.250.200.9:443 | resources.blogblog.com | tcp |
| GB | 142.250.179.238:80 | www.google-analytics.com | tcp |
| GB | 142.250.179.238:80 | www.google-analytics.com | tcp |
| US | 8.8.8.8:53 | 2.bp.blogspot.com | udp |
| US | 8.8.8.8:53 | 1.bp.blogspot.com | udp |
| GB | 142.250.187.225:80 | 1.bp.blogspot.com | tcp |
| GB | 142.250.187.225:80 | 1.bp.blogspot.com | tcp |
| GB | 142.250.187.225:80 | 1.bp.blogspot.com | tcp |
| GB | 142.250.187.225:80 | 1.bp.blogspot.com | tcp |
| US | 8.8.8.8:53 | s10.histats.com | udp |
| US | 104.20.66.115:80 | s10.histats.com | tcp |
| US | 104.20.66.115:80 | s10.histats.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 108.177.96.84:443 | accounts.google.com | tcp |
| NL | 108.177.96.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | s4.histats.com | udp |
| CA | 142.4.219.198:443 | s4.histats.com | tcp |
| CA | 142.4.219.198:443 | s4.histats.com | tcp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| GB | 142.250.179.226:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.179.226:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.179.226:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.179.226:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.179.226:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | lh3.googleusercontent.com | udp |
| GB | 142.250.200.33:443 | lh3.googleusercontent.com | tcp |
| GB | 142.250.200.33:443 | lh3.googleusercontent.com | tcp |
| GB | 142.250.200.33:443 | lh3.googleusercontent.com | tcp |
| GB | 142.250.200.33:443 | lh3.googleusercontent.com | tcp |
| GB | 142.250.200.33:443 | lh3.googleusercontent.com | tcp |
| GB | 142.250.200.33:443 | lh3.googleusercontent.com | tcp |
| GB | 142.250.200.33:443 | lh3.googleusercontent.com | tcp |
| US | 104.20.66.115:443 | s10.histats.com | tcp |
| US | 8.8.8.8:53 | e.dtscout.com | udp |
| DE | 141.101.120.11:80 | e.dtscout.com | tcp |
| DE | 141.101.120.11:80 | e.dtscout.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 8.8.8.8:53 | t.dtscout.com | udp |
| NL | 23.63.101.170:80 | apps.identrust.com | tcp |
| DE | 141.101.120.11:443 | t.dtscout.com | tcp |
| DE | 141.101.120.11:443 | t.dtscout.com | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| BE | 2.21.17.29:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| GB | 142.250.200.33:443 | tpc.googlesyndication.com | tcp |
| GB | 142.250.200.33:443 | tpc.googlesyndication.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | fe0.google.com | udp |
| CA | 142.4.219.198:443 | s4.histats.com | tcp |
| CA | 142.4.219.198:443 | s4.histats.com | tcp |
| US | 8.8.8.8:53 | smtp.aol.com | udp |
| IE | 87.248.97.31:25 | smtp.aol.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | smtp.aol.com | udp |
| IE | 87.248.97.31:25 | smtp.aol.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-14 22:58
Reported
2024-04-14 23:01
Platform
win10v2004-20240412-en
Max time kernel
149s
Max time network
142s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\efb5b4193206cbc0813e9c93f8432be3_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\For Public.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\For Public.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\bpk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\bpk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\For Public.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\bpk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\bpk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\efb5b4193206cbc0813e9c93f8432be3_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bpk = "C:\\Windows\\SysWOW64\\bpk.exe" | C:\Windows\SysWOW64\bpk.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin" | C:\Windows\SysWOW64\bpk.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\inst.dat | C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe | N/A |
| File created | C:\Windows\SysWOW64\rinst.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pk.bin | C:\Windows\SysWOW64\bpk.exe | N/A |
| File opened for modification | C:\WINDOWS\SysWOW64\Hand.cur | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| File created | C:\Windows\SysWOW64\pk.bin | C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe | N/A |
| File created | C:\Windows\SysWOW64\bpk.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe | N/A |
| File created | C:\Windows\SysWOW64\bpkhk.dll | C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe | N/A |
| File created | C:\Windows\SysWOW64\bpkwb.dll | C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\FLAGS\ = "2" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "__ucAniGIF" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290} | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\VERSION | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352} | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155} | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\ = "IE Class" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\bpkwb.dll" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "_ucAniGIF" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0 | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32 | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Control\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0 | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\ = "BPK IE Plugin Type Library" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\ = "WelchGIFviewer" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0} | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ProgID | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352} | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ = "__ucAniGIF" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX1\\GIFviewer.ocx, 30000" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\MiscStatus\1\ = "147857" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ = "WelchGIFviewer.ucAniGIF" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX1\\GIFviewer.ocx" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\TypeLib | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "IE Plugin Class" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA} | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C40DE621-5879-4553-882A-EA3F1109E290}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WelchGIFviewer.ucAniGIF\Clsid | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08D24088-19F0-490A-93C8-84B68381D155}\ = "ucAniGIF" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
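The COM rows above read better as a graph than as a list: a CLSID carries a ProgID and a TypeLib GUID, the TypeLib carries the on-disk path of the module it describes, and every Interface whose TypeLib value points back at that GUID names a method set the class exposes. Walking that graph answers the question the table leaves implicit, which file backs the "IE Plugin Class" that bpk.exe registers. The script below is an added example, not part of the report or of any tool the report names. It reads a verbatim subset of the rows above (embedded as constructed input), assumes the report's four-cell layout (Description, Indicator, Process, Target), strips the WOW6432Node\ component so the 32-bit and native views of a key compare equal, and un-doubles the backslashes the report uses inside quoted values. No InprocServer32 value appears in this excerpt, so the path it recovers is the TypeLib's win32 path (bpkwb.dll), not a confirmed in-proc server path.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: a verbatim subset of the "Modifies registry class" rows above.
# Doubled backslashes inside quoted values are the report's own escaping.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\bpkwb.dll" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\Control\ | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\ = "BPK IE Plugin Type Library" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ProgID | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\ = "WelchGIFviewer.ucAniGIF" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3383D1F1-029B-43B1-8733-289322EA85FA}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX1\\GIFviewer.ocx" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "IE Plugin Class" | C:\Windows\SysWOW64\bpk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}\TypeLib\ = "{3383D1F1-029B-43B1-8733-289322EA85FA}" | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
"""

GUID = r"\{[0-9A-F-]+\}"


@dataclass
class RegEvent:
    op: str                 # "Set value (str)", "Key created", ...
    key: str                # upper-cased, with the WOW6432Node\ component removed
    value: Optional[str]    # unescaped string value, None for key-only rows
    process: str            # process that performed the write


def parse_registry_rows(text: str):
    """Parse '| op | key[ = "value"] | process | target |' rows into RegEvents."""
    events = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not cells[1].startswith("\\REGISTRY"):
            continue
        op, indicator, process, _target = cells
        key, sep, raw = indicator.partition(' = "')
        value = raw.rstrip('"').replace("\\\\", "\\") if sep else None
        # 32-bit registrations on x64 land under WOW6432Node; fold both views together.
        key = key.upper().replace("WOW6432NODE\\", "")
        events.append(RegEvent(op, key, value, process))
    return events


def resolve_com_class(events, clsid: str):
    """Follow CLSID -> ProgID/TypeLib -> TypeLib path, plus Interfaces bound to that TypeLib."""
    clsid = clsid.upper()
    base = f"\\CLSID\\{clsid}\\"
    info = {"clsid": clsid, "name": None, "progid": None, "typelib": None,
            "typelib_name": None, "typelib_path": None,
            "interfaces": {}, "registered_by": set()}
    for e in events:
        if base not in e.key:
            continue
        info["registered_by"].add(e.process)
        if e.value is None:
            continue
        if e.key.endswith(base):                     # default value = friendly name
            info["name"] = e.value
        elif e.key.endswith(base + "PROGID\\"):
            info["progid"] = e.value
        elif e.key.endswith(base + "TYPELIB\\"):
            info["typelib"] = e.value.upper()
    tlb = info["typelib"]
    if tlb is None:
        return info
    tlb_base = f"\\TYPELIB\\{tlb}\\1.0\\"
    iface_re = re.compile(rf"\\INTERFACE\\({GUID})\\TYPELIB\\$")
    for e in events:
        if e.value is None:
            continue
        if e.key.endswith(tlb_base):
            info["typelib_name"] = e.value
        elif e.key.endswith(tlb_base + "0\\WIN32\\"):  # module the typelib points at
            info["typelib_path"] = e.value
        m = iface_re.search(e.key)
        if m and e.value.upper() == tlb:
            iid = m.group(1)
            name = next((x.value for x in events
                         if x.key.endswith(f"\\INTERFACE\\{iid}\\") and x.value), None)
            info["interfaces"][iid] = name
    return info


if __name__ == "__main__":
    events = parse_registry_rows(SAMPLE_ROWS)
    for clsid in ("{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}", "{7D518439-D9BE-4A7E-A76B-2FB2A03369F0}"):
        info = resolve_com_class(events, clsid)
        print(f"{clsid} {info['name']!r} progid={info['progid']} -> {info['typelib_path']}")
```

Run against the second CLSID, {7D518439-D9BE-4A7E-A76B-2FB2A03369F0} (the WelchGIFviewer control that maincit.exe registers), the same walk ends at GIFviewer.ocx in the RarSFX1 temp directory with no ProgID value and no interfaces in this excerpt, which is what a partial or still-in-progress registration looks like in these tables.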
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\bpk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\bpk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\bpk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\bpk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\bpk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\bpk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\bpk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\bpk.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\efb5b4193206cbc0813e9c93f8432be3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\efb5b4193206cbc0813e9c93f8432be3_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\For Public.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\For Public.exe"
C:\Windows\SysWOW64\bpk.exe
C:\Windows\system32\bpk.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freepremiumdownload.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb5ed46f8,0x7ffeb5ed4708,0x7ffeb5ed4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://gopremiumaccount.blogspot.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffeb5ed46f8,0x7ffeb5ed4708,0x7ffeb5ed4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,9900572077506040310,15002040249639134123,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,9900572077506040310,15002040249639134123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,16424309938745682469,6499068168979977998,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,16424309938745682469,6499068168979977998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,16424309938745682469,6499068168979977998,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,16424309938745682469,6499068168979977998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,16424309938745682469,6499068168979977998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,16424309938745682469,6499068168979977998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,16424309938745682469,6499068168979977998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,16424309938745682469,6499068168979977998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,16424309938745682469,6499068168979977998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,16424309938745682469,6499068168979977998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,16424309938745682469,6499068168979977998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,16424309938745682469,6499068168979977998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6328 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,16424309938745682469,6499068168979977998,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6328 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,16424309938745682469,6499068168979977998,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,16424309938745682469,6499068168979977998,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,16424309938745682469,6499068168979977998,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,16424309938745682469,6499068168979977998,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5140 /prefetch:2
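Three things in the process list above deserve a second look. rinst.exe, For Public.exe and maincit.exe run from %TEMP%\RarSFX0\ and \RarSFX1\, the extraction directories WinRAR self-extracting archives create before running their setup command, so the sample is a nested SFX dropper. The bpk.exe process has image path C:\Windows\SysWOW64\bpk.exe while its command line reads C:\Windows\system32\bpk.exe, which is what WOW64 file-system redirection produces when a 32-bit process launches a path under system32, and it is consistent with rinst.exe's drops landing in SysWOW64. The two msedge.exe instances started with --single-argument carry the URLs that were opened (freepremiumdownload.com and gopremiumaccount.blogspot.com), while every msedge.exe with a --type= switch is one of the browser's own helper processes rather than sample activity. The report records no parent/child links in this excerpt, so the script below assumes none. It is an added example, not report or vendor code: it takes (image path, command line) pairs copied from the list above, trimmed and with the long Edge helper command lines shortened, and tags each with the findings just described. One caveat for IOC lists: the copies rinst.exe writes into SysWOW64 do not hash the same as the originals it extracted into RarSFX0 (compare the two bpk.exe, pk.bin, bpkhk.dll and bpkwb.dll entries in the Files section), so both sets belong in the list.

```python
import re

# Constructed sample: (image path, command line) pairs copied from the Processes list
# above, trimmed to the rows that matter; the two Edge helper command lines are
# shortened. The report gives no parent/child links, so none are modelled.
SAMPLE_PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\efb5b4193206cbc0813e9c93f8432be3_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\efb5b4193206cbc0813e9c93f8432be3_JaffaCakes118.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\For Public.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\For Public.exe"'),
    (r"C:\Windows\SysWOW64\bpk.exe", r"C:\Windows\system32\bpk.exe"),
    (r"C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe"'),
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freepremiumdownload.com/'),
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --annotation=plat=Win64'),
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://gopremiumaccount.blogspot.com/'),
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US /prefetch:1'),
    (r"C:\Windows\System32\CompPkgSrv.exe", r"C:\Windows\System32\CompPkgSrv.exe -Embedding"),
]

# WinRAR self-extracting archives unpack into %TEMP%\RarSFX<n>\ before running their setup command.
RARSFX_DIR = re.compile(r"\\AppData\\Local\\Temp\\RarSFX\d+\\", re.IGNORECASE)
SINGLE_ARG = re.compile(r"--single-argument\s+(\S+)")   # Chromium: the rest of the line is one argument
CHROMIUM_CHILD = re.compile(r"--type=(\S+)")             # Chromium helper-process kind


def argv0(cmdline: str) -> str:
    """Return the program path from a Windows command line, quoted or bare."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def analyze_process(image: str, cmdline: str):
    """Tag one (image path, command line) pair with the findings discussed above."""
    findings = []
    img = image.lower()
    if RARSFX_DIR.search(image):
        findings.append({"image": image, "rule": "rarsfx_exec",
                         "detail": "runs from a WinRAR SFX extraction directory"})
    exe = argv0(cmdline)
    # A 32-bit launcher asking for \Windows\system32\ gets \Windows\SysWOW64\ instead
    # (WOW64 file-system redirection), so the two paths disagree.
    if "\\windows\\system32\\" in exe.lower() and "\\windows\\syswow64\\" in img:
        findings.append({"image": image, "rule": "wow64_redirect",
                         "detail": f"command line names {exe}, image is {image}"})
    if img.endswith("\\msedge.exe"):
        m = SINGLE_ARG.search(cmdline)
        c = CHROMIUM_CHILD.search(cmdline)
        if m:      # top-level browser launch handed a URL
            findings.append({"image": image, "rule": "browser_opened_url", "detail": m.group(1)})
        elif c:    # the browser's own sandboxed helper; not sample activity
            findings.append({"image": image, "rule": "browser_child", "detail": c.group(1)})
    return findings


def analyze_processes(pairs):
    return [f for image, cmd in pairs for f in analyze_process(image, cmd)]


if __name__ == "__main__":
    for f in analyze_processes(SAMPLE_PROCESSES):
        print(f"{f['rule']:<20} {f['detail']}")
```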
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freepremiumdownload.com | udp |
| US | 8.8.8.8:53 | gopremiumaccount.blogspot.com | udp |
| GB | 216.58.201.97:80 | gopremiumaccount.blogspot.com | tcp |
| GB | 216.58.201.97:80 | gopremiumaccount.blogspot.com | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | www.blogger.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.9:443 | www.blogger.com | tcp |
| GB | 216.58.201.110:443 | apis.google.com | tcp |
| GB | 216.58.204.66:80 | pagead2.googlesyndication.com | tcp |
| GB | 142.250.200.9:443 | www.blogger.com | udp |
| US | 8.8.8.8:53 | resources.blogblog.com | udp |
| US | 8.8.8.8:53 | blogger.googleusercontent.com | udp |
| GB | 216.58.201.110:443 | apis.google.com | udp |
| GB | 142.250.200.9:443 | resources.blogblog.com | tcp |
| GB | 142.250.200.9:443 | resources.blogblog.com | tcp |
| GB | 142.250.200.9:443 | resources.blogblog.com | tcp |
| GB | 142.250.200.9:443 | resources.blogblog.com | tcp |
| GB | 142.250.200.9:443 | resources.blogblog.com | tcp |
| GB | 142.250.200.9:443 | resources.blogblog.com | tcp |
| GB | 142.250.179.238:80 | www.google-analytics.com | tcp |
| GB | 142.250.200.33:443 | blogger.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | 97.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | add.my.yahoo.com | udp |
| US | 8.8.8.8:53 | www.bloglines.com | udp |
| US | 8.8.8.8:53 | tinypaste.com | udp |
| US | 8.8.8.8:53 | 1.bp.blogspot.com | udp |
| US | 8.8.8.8:53 | 2.bp.blogspot.com | udp |
| US | 8.8.8.8:53 | s10.histats.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.netvibes.com | udp |
| US | 8.8.8.8:53 | www.newsgator.com | udp |
| US | 104.20.66.115:80 | s10.histats.com | tcp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| GB | 142.250.187.225:80 | 2.bp.blogspot.com | tcp |
| GB | 142.250.187.225:80 | 2.bp.blogspot.com | tcp |
| GB | 142.250.187.225:80 | 2.bp.blogspot.com | tcp |
| GB | 142.250.200.34:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 108.177.96.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | s4.histats.com | udp |
| US | 8.8.8.8:53 | www.histats.com | udp |
| US | 8.8.8.8:53 | maincit.blogspot.com | udp |
| CA | 149.56.240.129:443 | s4.histats.com | tcp |
| GB | 142.250.200.34:443 | googleads.g.doubleclick.net | udp |
| US | 104.20.66.115:443 | www.histats.com | tcp |
| US | 8.8.8.8:53 | e.dtscout.com | udp |
| DE | 141.101.120.10:80 | e.dtscout.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 23.63.101.170:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | lh3.googleusercontent.com | udp |
| GB | 142.250.200.9:443 | resources.blogblog.com | udp |
| US | 8.8.8.8:53 | t.dtscout.com | udp |
| DE | 141.101.120.10:443 | t.dtscout.com | tcp |
| US | 8.8.8.8:53 | 115.66.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.96.177.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.240.56.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.120.101.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.101.63.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tpc.googlesyndication.com | udp |
| GB | 142.250.200.33:443 | tpc.googlesyndication.com | udp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.178.250.142.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| CA | 149.56.240.129:443 | s4.histats.com | tcp |
| US | 8.8.8.8:53 | smtp.aol.com | udp |
| IE | 87.248.97.31:25 | smtp.aol.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | smtp.aol.com | udp |
| IE | 87.248.97.31:25 | smtp.aol.com | tcp |
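The Network table mixes four kinds of rows that should be read differently: UDP 53 rows naming a host are resolutions; UDP 53 rows ending in .in-addr.arpa are reverse (PTR) lookups of addresses already in the log and name no new infrastructure; 224.0.0.251:5353 is link-local mDNS; everything else is a connection. Sorting by that rule leaves two rows that matter more than the Blogger, Google and histats traffic the opened pages pull in: TCP 25 to smtp.aol.com, twice, on a host where bpk.exe has just installed window hooks (the SetWindowsHookEx rows above). Outbound port 25 from a workstation to a public mail relay is what mail-based log delivery looks like in a sandbox; the excerpt shows the connection and not the payload, so treat it as a lead to confirm from the capture, not as proof. The script below is an added example (not the report's or any vendor's) that runs that triage over a verbatim subset of the rows, embedded as constructed input with the mDNS row in the same column order as the others; it also decodes PTR names back to addresses and lists names that were resolved but never appear as a connection endpoint (freepremiumdownload.com is one), which the table alone does not spell out.

```python
from ipaddress import ip_address

# Constructed sample: a verbatim subset of the Network rows above; the mDNS row is
# written with the same column order as the rest.
SAMPLE_NETWORK = """\
| US | 8.8.8.8:53 | freepremiumdownload.com | udp |
| US | 8.8.8.8:53 | gopremiumaccount.blogspot.com | udp |
| GB | 216.58.201.97:80 | gopremiumaccount.blogspot.com | tcp |
| US | 8.8.8.8:53 | www.blogger.com | udp |
| GB | 142.250.200.9:443 | www.blogger.com | tcp |
| GB | 142.250.200.9:443 | www.blogger.com | udp |
| US | 8.8.8.8:53 | 97.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tinypaste.com | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | smtp.aol.com | udp |
| IE | 87.248.97.31:25 | smtp.aol.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| IE | 87.248.97.31:25 | smtp.aol.com | tcp |
"""


def parse_network_rows(text: str):
    """Parse '| country | ip:port | domain | proto |' rows into dicts."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": None if domain == "N/A" else domain, "proto": proto})
    return rows


def ptr_to_ip(name: str) -> str:
    """'97.201.58.216.in-addr.arpa' -> '216.58.201.97' (PTR names list the octets reversed)."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def triage_network(rows):
    """Split the log into resolutions, reverse lookups, local multicast and real connections."""
    out = {"resolved": [], "reverse_lookups": [], "multicast": [],
           "cleartext_smtp": [], "plain_http": [], "tls_or_quic": [], "other": []}
    contacted = set()
    for r in rows:
        name = r["domain"] or ""
        if ip_address(r["ip"]).is_multicast:          # 224.0.0.251:5353 is mDNS on the local link
            out["multicast"].append((r["ip"], r["port"]))
        elif r["port"] == 53 and r["proto"] == "udp":
            if name.endswith(".in-addr.arpa"):      # PTR lookup of an address already in the log
                out["reverse_lookups"].append(ptr_to_ip(name))
            elif name and name not in out["resolved"]:
                out["resolved"].append(name)
        else:
            contacted.add(name)
            entry = (r["ip"], r["port"], name, r["proto"])
            if r["port"] == 25:                      # cleartext SMTP from a workstation: exfil lead
                out["cleartext_smtp"].append(entry)
            elif r["port"] == 80:
                out["plain_http"].append(entry)
            elif r["port"] == 443:
                out["tls_or_quic"].append(entry)
            else:
                out["other"].append(entry)
    # Names that resolved but never appear as a connection endpoint deserve a separate look.
    out["resolved_not_contacted"] = [n for n in out["resolved"] if n not in contacted]
    return out


if __name__ == "__main__":
    t = triage_network(parse_network_rows(SAMPLE_NETWORK))
    for k in ("cleartext_smtp", "plain_http", "tls_or_quic", "resolved_not_contacted"):
        print(k, t[k])
```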
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
| MD5 | a455ca431e66975d886f1a8cfee8cb9f |
| SHA1 | 95868529973c77199b76ec593a686d9b324dee8b |
| SHA256 | 6bba0b8d8bf03ba15828c53e72d83d766e44b3238b55ab75348d8ce93bfd0056 |
| SHA512 | 53e0c4edf9d91ebdea04bfb343c568190eaaeb066bc6742262f1e5943d2b27c375e1eca483419ae8753138dc2131c9d3c7742812c16863689c3bb266057c0531 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat
| MD5 | 732cc5f54466282edfe6cecd8c675a02 |
| SHA1 | db203726cf309ba3107659358a94a78cc1cb754c |
| SHA256 | 636ac77e2f4403b6ea07f9c4e13e4346e9615c69374e4435f1b74fd0a65d0515 |
| SHA512 | d4e610c44148b63d6690c49548b91b15851aa2998a7ea8021b3e773192563d648b72103301f9efa50c55b04e7813cec090a77c7070e2fda178101132ad109bd4 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\For Public.exe
| MD5 | 776a5cb5ce5136dde367ab157b8840cb |
| SHA1 | 217259e01fa2fbc7fe7d385dab105bd08b7ee3a8 |
| SHA256 | 62e95cfcc24f329d3866bf6d9207f28bf102bf466802c56535cad70f7e4aeb49 |
| SHA512 | ce4c35963d0a98405824f0490d78a862b9d35286b66d15899d6a8e16f4ca316d086876de7478e13713eb48eb345f3f57dfc07dca5b459675986b7b65182bbda5 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin
| MD5 | aadb29c5e658b3b75bfee07971c28e53 |
| SHA1 | 0822574ac82c5a632d854343cb878799555f7672 |
| SHA256 | c4ba8594ad72a82dd18e8cbd2c6dfc76f590c0071428d95b1fc9a18cb387b7eb |
| SHA512 | 2d4fd67e29437a9a8f3abc667cdf9ac615fd1875e3c0b01bd09e4b83ce361eefbc9f24c7a0985833ecee0767b721bf33ea303ecf76619806a7c0ae5988b7a279 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpk.exe
| MD5 | 0a891898eac14c2aa9a48ab91490d68e |
| SHA1 | a49509969cbcfc335d9d2be918647f8b2c0799cb |
| SHA256 | 869baf78bc757f7a0bcf8608e363f6ed5e441ba5a59a03b5d03a0c85f6ffc079 |
| SHA512 | baba73ab0566125bfbabb8c64123de72afb65f02ff3934b781612dd8a0ffe3c7eae4d2970667dbd944556bc92fa2ac14e36c92ae2aefc0eaca52c30609908996 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkhk.dll
| MD5 | 2f8c71470cecca08811c2176327b96b0 |
| SHA1 | b9c814596906808e929fee64068b8bd5868e8345 |
| SHA256 | 47cc307947b09c158696afe0c5dec2e4b261fa8daa8aa42b8c85414853e8b57f |
| SHA512 | 7e7d175ebc42c7cdd29b1c04a08884ccf3a244ebfb02add43fec45d0177546832535b28c43f08ccabcb1960f9b23141a0971a77c10b6c684e77cec26e36c6c2d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bpkwb.dll
| MD5 | b1c29e8a2a14db756b5d57ffae702e84 |
| SHA1 | bb80f638f5d35e0c5d608981c47b57ddf34f47ef |
| SHA256 | e1ff8e132ef73b54d4a0f7097873299fd917cdee3429f82026c84695e70e2f95 |
| SHA512 | 16e33dc454a53e7f71bb9da6abc32d5a6c6ea21b6a02f3fe62b4e34a7a304e9f2f4673a2e4a6b810a6a0672d24dc71ceaa24a82e7ab725cfc9210d244bb1fa32 |
C:\Windows\SysWOW64\bpk.exe
| MD5 | bae0fb25bcf05a5da7fde8dce759ee0d |
| SHA1 | bc74b07d14a63ce572755c70ceb796136d129e20 |
| SHA256 | b966953b0a0e0bf648b1043b4e708445b52b020a0485921138bbf3be58d9995d |
| SHA512 | 74a61f7712df39194b2cb77186231d5960b8bfc5b37abdf20c357471a4e8dd8a8e648161cda7b1c8ee01d422926e3b30fd5ec9c6ebbf589a4feeaeba99ca2929 |
C:\Windows\SysWOW64\pk.bin
| MD5 | e226c803bcf28b951504aec921aaa386 |
| SHA1 | 864573c800bc322e659fd8b5509d1e78b188abf2 |
| SHA256 | d1f0b8d3bbe246709c1cd3fd7c0daadfb2258e56f123d7b09fb17eb40534c296 |
| SHA512 | 6cacb96ccd7d3035283839adef9e967bfd5d421bfbc74bf0b5bd45827bb4e37d868bd8e7c057449a3a8a66af367ab1c7d4107d071f70f3a4cd6da150b9ebd7ed |
C:\Windows\SysWOW64\bpkhk.dll
| MD5 | 58129986fa29f6dacd99ab45f60bcb3c |
| SHA1 | 7f21995794a060fc8629e0d113cf568de14c509e |
| SHA256 | 525414ffe5f797ebdd7de5620b75ff723de17bf8f399ffcd7ddec2d0b8a5dc4a |
| SHA512 | 62ade2d2eb41cd99dcd9f6d66e7966d129be20551faadcf827558e85d669f885ad144d10a87c3be7faed08103b86ab523fb6756b44f9e0ba77cdff586214701a |
C:\Windows\SysWOW64\bpkwb.dll
| MD5 | 2e6016325548ab79e2d636640c6ec473 |
| SHA1 | 586e2b84d46ef00e26c1686033def28e8a9995a5 |
| SHA256 | 62e2948c3e3857e8304a657b7e7da30cdcb6842f71bd4c678a1734ebbf17198e |
| SHA512 | 1dc89b9e15f5835dff3203e278f000df5c0d8d93cbef5059be3f1024ef1e16ae8087a4f8e1131b20b190942984e9dc6079dfe951a52de7f4d4ad7de8721a0e86 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\maincit.exe
| MD5 | 716fbb0215215fcb3d6cdbf62423ec57 |
| SHA1 | 7e57f6b3268daaf04ba9b8270ee954733cf0eb85 |
| SHA256 | 040b98e976860c22feec7e8547bbca4599ce6f995489e69cf5630aaa5511f6d6 |
| SHA512 | eb3c2f70ac74386596b346d0fb4081e68e37c0aaa90e1c08c7b9239fd62d67947cc84b0c9006d4d727ab7240acfe8c2a45a535807a7e759ff367c046f572ac2e |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\GIFviewer.ocx
| MD5 | 73404435b36b8cb9ea68be6d4249488e |
| SHA1 | ecd6f0e28c4f4ac6c1943a7647f42a5d91c14f02 |
| SHA256 | 2123cadad9f7da81601c5e09105a569fedda561b4b12e87f0c0f6b4afa286e5c |
| SHA512 | e260099024bdc4711ef068455e350cb400042f5fd5066b07b024e49b8a13b6c058347f2e4e68ff73704358b51db851e4e06c28cb2f3cd36b64d9023c748dcad7 |
memory/3608-71-0x0000000002AD0000-0x0000000002AD1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | dc629a750e345390344524fe0ea7dcd7 |
| SHA1 | 5f9f00a358caaef0321707c4f6f38d52bd7e0399 |
| SHA256 | 38b634f3fedcf2a9dc3280aa76bd1ea93e192200b8a48904664fac5c9944636a |
| SHA512 | 2a941fe90b748d0326e011258fa9b494dc2f47ac047767455ed16a41d523f04370f818316503a5bad0ff5c5699e92a0aaf3952748b09287c5328354bfa6cc902 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | cff358b013d6f9f633bc1587f6f54ffa |
| SHA1 | 6cb7852e096be24695ff1bc213abde42d35bb376 |
| SHA256 | 39205cdf989e3a86822b3f473c5fc223d7290b98c2a3fb7f75e366fc8e3ecbe9 |
| SHA512 | 8831c223a1f0cf5f71fa851cdd82f4a9f03e5f267513e05b936756c116997f749ffa563623b4724de921d049de34a8f277cc539f58997cda4d178ea205be2259 |
\??\pipe\LOCAL\crashpad_1416_LMXGMDIONFKBXZQY
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 60a02c3fd2d50a6faa8df41ce4c57c04 |
| SHA1 | 44c40af8852b39a8af538990add0fa78c92a9059 |
| SHA256 | f7ed212e13198a90dc2b58b746c339d9ecbb91d0fb4023ce0703961b5282811e |
| SHA512 | 4227efa2a720538a35012cd22fcbe0ce67f132e5a7239f0d7e3542563de26048cea5e9ae2f0ce4711ec22e82d85f2e7913a033bc2856c078ea6a09f3c965d225 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 77c413c5098f7c21eecff9470865050c |
| SHA1 | d087abf137af59373edf46a3cee52f2f29b45a3c |
| SHA256 | 1db5111140008880b951bab52cad692c3910220246d40ab7420c136aa4d2129b |
| SHA512 | ec6aa5816c771ad3efce2330dafd4d2af75a057c312e7b0556cc417e214294541e8ab28287174092e515cd8fdc33b723756fec0f07a933710275b984f3365ed2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
| MD5 | 0c537a82da568b1528a5b4c5db95f169 |
| SHA1 | cbce4bdcd79433b66466b9fe3c0fec730b1a5bb4 |
| SHA256 | 73279553e1043b5a1f12766aadf552ffdaeb0a22bff842e68a299dbb7af01ec8 |
| SHA512 | 76ed9ad0826f246c6a3b1b00215625e38437d477e1df4c57c2a56071a4c2d80465a62062b44e33de2ba58f90e664f0c9bdedc2b274ab54706209b812c0d95485 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b
| MD5 | 57ae46a87a9955c7c61ce5cfebde0bf6 |
| SHA1 | 2a9297a0e2ee5f4e0a9b1de88ffd2121d5d2ca77 |
| SHA256 | 891dc8b9999ba1b2d25c1a044b49330b66b86f986478282f4e5950b726e9878f |
| SHA512 | 34e51215e347df35ae4cf8420e2148420780f78123a37450682ed92841c6e1dd1635317cae1ef925a001bda733228db0f5de87faa0a10c36cb967e9b70691689 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
memory/2408-194-0x0000000000400000-0x0000000000413000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | e6f6ac4d950e9670a642197ffeb24e0d |
| SHA1 | 7b1a44bbb40b4ef8c8cfaad90d2103760b63ab49 |
| SHA256 | 615052517c6b567cfafa535c8fa943563a88ea68bc39a75530fbb8bfc640804e |
| SHA512 | b51199424bdac3db2a95e49291da1d9fce4a0d054eabd43fea3cdfc4cf32352cb102e9273cd99b241e251c0ec3d813df767c0ecba543dea99665f3a01f2a659f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | be63d89da56bb7dbd056c9edbc628147 |
| SHA1 | 744ed93abe0c3f755c6603d0a029499f03981655 |
| SHA256 | c7e92e2ca643dd102483b1e8726d6768d18f586da918f1d1ec8da6d029ce9e04 |
| SHA512 | 7f727bb93f21852787823ceae8107c20214f2f1c9b47a6dd9db52c76dd56fc9c97159848634c0588bc5f83d19408c9959cb60312a67218b74e87aa99208a5ad8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | fbe2fa8da27d044c436ab7859459da06 |
| SHA1 | f5eae5f2465c506465ba58114ff0ce7a38ac5d39 |
| SHA256 | 621e2f0f57ec5e84bc3113b064c07baf806f4088791b3995d3f8666a72a72d25 |
| SHA512 | 605f59bd004dedda0dab36f751dbc074b881cb79348235d5f48653e8eee39a4357e4b119e9382286c0d5acf2cddb492d1fc72034c84082bea3be65e78f1e9bfa |
memory/3608-228-0x0000000002AD0000-0x0000000002AD1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 1d2539293afdda02ed083db13296cfae |
| SHA1 | 0c1eabc8ebdcf4b24b26d447b1c255dc6892a6ff |
| SHA256 | c8f415155dc44f2f4eb76666b2b4dc1a1f2fb8e555fa2ce1466fe85b7fe8ede7 |
| SHA512 | 960ada7459f57a82b788dce5d16a9cf933fc7df83d8ec7c2596141f5b69b067f4d576bd2c87fa1f99a813642528a20efd81b0e7ab43223f817e87cf1817fd857 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | cbc7af90ca11017f9a06b8529efd5d9e |
| SHA1 | 510e379c29d75c60289933cd62661bcc6d71ede8 |
| SHA256 | 1d48913b527f68edd6d222f0f8df7d0a838e5fda17fb5fbd7364146f175b8eb8 |
| SHA512 | a1970ce319952a73f3235a8140f7534e91a046891595d99d05a1f528f95a3680452f3f2b03c828139be3be75cd5beefd01348aca89478e91400a1886494e8f2e |