Analysis Overview
Threat Level: Shows suspicious behavior
The file https://github.com/pankoza2-pl/malwaredatabase-old/blob/main/ß.zip was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
UPX packed file
Checks computer location settings
Writes to the Master Boot Record (MBR)
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 01:57
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 01:57
Reported
2024-05-09 01:59
Platform
win10v2004-20240426-en
Max time kernel
137s
Max time network
135s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1690.tmp\mbr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1690.tmp\gl1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1690.tmp\snd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1690.tmp\ms.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\1690.tmp\mbr.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\SysWOW64\mspaint.exe | N/A |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\SysWOW64\mspaint.exe | N/A |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\SysWOW64\mspaint.exe | N/A |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\SysWOW64\mspaint.exe | N/A |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\SysWOW64\mspaint.exe | N/A |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\SysWOW64\mspaint.exe | N/A |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\SysWOW64\mspaint.exe | N/A |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Windows\SysWOW64\mspaint.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Windows\SysWOW64\explorer.exe | N/A |
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old/blob/main/ß.zip
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb324046f8,0x7ffb32404708,0x7ffb32404718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5484 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\ß\ß.exe
"C:\Users\Admin\Downloads\ß\ß.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1690.tmp\b.cmd""
C:\Users\Admin\AppData\Local\Temp\1690.tmp\mbr.exe
mbr.exe
C:\Users\Admin\AppData\Local\Temp\1690.tmp\gl1.exe
gl1.exe
C:\Users\Admin\AppData\Local\Temp\1690.tmp\snd.exe
snd.exe
C:\Users\Admin\AppData\Local\Temp\1690.tmp\ms.exe
ms.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x344 0x304
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K s.bat
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs"
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe
bomb.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\cmd.exe
cmd.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\notepad.exe
notepad.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\mspaint.exe
mspaint.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs"
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe
bomb.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\cmd.exe
cmd.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\notepad.exe
notepad.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\mspaint.exe
mspaint.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs"
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe
bomb.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\cmd.exe
cmd.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\notepad.exe
notepad.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\mspaint.exe
mspaint.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs"
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe
bomb.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\cmd.exe
cmd.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\notepad.exe
notepad.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\mspaint.exe
mspaint.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs"
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe
bomb.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\cmd.exe
cmd.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\notepad.exe
notepad.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\mspaint.exe
mspaint.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs"
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe
bomb.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\cmd.exe
cmd.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\notepad.exe
notepad.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\mspaint.exe
mspaint.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs"
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,14508746918937660861,17589473948886956669,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3016 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe
bomb.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\cmd.exe
cmd.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\notepad.exe
notepad.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\mspaint.exe
mspaint.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs"
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe
bomb.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\cmd.exe
cmd.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\notepad.exe
notepad.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\mspaint.exe
mspaint.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\explorer.exe
explorer.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs"
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Users\Admin\AppData\Local\Temp\1690.tmp\bomb.exe
bomb.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\cmd.exe
cmd.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
C:\Windows\SysWOW64\notepad.exe
notepad.exe
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 2
Network
Files
| SHA1 | 5a9f903c66817db24220156a33e60c5768daefb7 |
| SHA256 | a930c9a7d1ff451026a7a62c93280cdc313c57cff35166a13a4eeaa0c54ee979 |
| SHA512 | c88defd811bb21afc9c479e5a7f061cbcef7cb981a65d248230ba7a11e5e6c3d7b4359dc8908459527f98b203924e0bd8b8e5ac8b1f39ff73e4824b36046f085 |
memory/4552-308-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs
| MD5 | 521b228f69b44b9e6ccdee7e2fd758ae |
| SHA1 | 57de35cdc32bc8ec3ccb6a8343eb21084d6bd19f |
| SHA256 | 5f0cbbae0d5b040c08d30792a949fe20e4b8104eac188fd55d9832b071129784 |
| SHA512 | e75a0aec27585e59b65457a9304a6e616981a7e5ddcd58c909cfaa5409675570fdbc7c35d4d945381d61cfeff637b9aadce00bc5e45b382b1e0c1a1e233f7966 |
memory/4872-315-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5464-316-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4552-317-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\Debug\WIA\wiatrace.log
| MD5 | 9fc445551f4b69bcb5ef55e8a756a5b4 |
| SHA1 | 62fb9472f4f94999cb8c5877b434b0abea9ac3b0 |
| SHA256 | f51d9f5cfe46cec2e1a56cd65ba6b1abf6deae294156e043ad94600a7201f702 |
| SHA512 | b92140b52bc865097361cdc70f2a6d60422f782549c9103ab252f8a01337e9e5d0c440957a4592f4a63c3d005754d334d81383f3b848564b10cc72d5e2f1a18a |
C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs
| MD5 | 5fc40e9ea2aed98ce72fd9a44197a386 |
| SHA1 | d06e3fd0b2a4a74b880a4fb1de6402f88805f46d |
| SHA256 | ae50c80424eb58c46da52b5b83ea0186512d0dcf196346fb33168a772222beba |
| SHA512 | f4be9ab72f004774b4e99971bc5392f916b6aab31295fa8a0dfc15465a18163930b2f242b2c09821482281b96d4fdfeed228e94b7cdbd0a2ef830a5dc6b08f07 |
C:\Windows\Debug\WIA\wiatrace.log
| MD5 | 2367d9f5e9c0fc1ad728d7c8acd6f4f1 |
| SHA1 | c41a40811c2d899ec6b0854651b38f05a15f51e8 |
| SHA256 | 38a6b436f60094d52cf9b25bdff8f2a03d4fff5263ba326c994e59bb192359ce |
| SHA512 | 503e28113ddb501a31f85c372438d191c1dc72e6f435eee326e5c5f04b2250719431ea3eccb2b85a4aa22aa24b7c689c7601b9ab1867f33da8d659372d68273b |
C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs
| MD5 | c8d2c63ad39d23580e3b69faacc3d381 |
| SHA1 | 8c1cf8ec23e7fa8301d77191c6b60844c4b041ed |
| SHA256 | 48fcdeff00c61ac2312dbbaaac22aafbfe3bddb798db835fe6e3015fab8c6208 |
| SHA512 | 289a55442efdb9ad73b27560ebcde240654da316eae3993ecc59302e665bc9cca57902aa692412ad87a71d9e213693ffc151d58b3c4399219d58fe8aa7332df7 |
C:\Windows\Debug\WIA\wiatrace.log
| MD5 | 0626788ac9710ce23d8f68f9744022f8 |
| SHA1 | 036f1914824ddab076868c11d3fe69ae54c34173 |
| SHA256 | 77bbdbfc83c1c0ac3de92aa67bc884e7711f8398ddaa57310c8bbf9d0ac57df6 |
| SHA512 | b560748c3886e13cafb7dc76ab6a4caf24255730d43ec808bc38173f64086baa79e17967a5e5052ac35c2197e6a92cccbb2c3630fb794928f80c7379cfcf8be7 |
memory/6056-339-0x0000000000400000-0x000000000043E000-memory.dmp
memory/6064-344-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs
| MD5 | 8f213aefb058fc938c9c2139041dfb50 |
| SHA1 | 817924a2690cdd3a20ae87555bc447330382451c |
| SHA256 | dbc95802af1724f921fbb0a82ffc2573acc75d99f191d78c7db5405d19f5f50a |
| SHA512 | 35853696dec2889bd34af7b1da1f1a6afcfc5435a8d80c6baab7eb6ed3e142f313841804266e515a797bda41a62682b30757b38271c5b4a660a8dee477ef612a |
C:\Windows\Debug\WIA\wiatrace.log
| MD5 | f7b91fd20836acd7a729ce619d19f389 |
| SHA1 | 3dccca8ea5285182f321e5a09a90ade464caded1 |
| SHA256 | a3ce1bf7e4ec25bb89739e624a60346e57ca7f83735f69335873036246ff78b5 |
| SHA512 | 1ee3eddc0cff5f5b3c5003164aa90f9f93c95eb0058390aa92391d8e0b38789a1480c836ff00c4eb450eb55c9b65a470a8d9ccb637e2e1068f82162dfec9e305 |
C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs
| MD5 | a32b150dac9dfa10c57900e18661fc3e |
| SHA1 | 5953cb83c30af087ad60a7a3ab130db1987f2aa9 |
| SHA256 | ce4efe9997453c3d7fbca3778f87753d4396e256510d09a2e59b2ca2de9ba69a |
| SHA512 | 28df1eedf6d5d0bbfb2df7ac42d87d718f3e4b86425520d4e4e8d612b18850aac7a51aad46ff708b515ab4ff5403c59e8da1eb7476228874249f3ecfb4008eff |
memory/5628-363-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\Debug\WIA\wiatrace.log
| MD5 | 247d1b41727bd5af1ef7e3daa8692e8e |
| SHA1 | 39becc3aca8e0e68f2e937caec54468db3b10fd1 |
| SHA256 | 9332c493803a6b1748f3a2b1e04b6e2d1292363382ca5f1b0e8b1cf741866b26 |
| SHA512 | fbe710e0f52efb12cb56b7a4118f2272ebf5d5a5e33ed5e10a26d13d43cc63f731441f4e7e40ca6755565c778acf9388c5de639387ab2dab7553eb960d65f358 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 863e4e54d492304a49ae159e9659bbf0 |
| SHA1 | 1276ee7781608299bba99d1f194766137168cc5a |
| SHA256 | 154e4fa013442e111db3490c650ccd5473797e98ae67ea5b27ed930d02fbfa25 |
| SHA512 | a0b81c48ca366abcf65a598d02a134b21f91d983caa2df10654065fe9d0813ed9083f853ebb2ed6e6019e8accae458fcaf07f2a71d7839576d282630e1161a2e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9cee161665b00d8665d8f89296ba1e9b |
| SHA1 | 862966ad124846de47bfb63d81c289cc4c748b63 |
| SHA256 | 3c611282d0b4314b22cb5b80d64be277a0ea2ffa55db82cd02a6f5e2e086e4a0 |
| SHA512 | dd03184c12d421eef084993bfdf680c05d8b6b70fbdb24951ea417fddd32f8d2d0213b5bcee6d51dc7fc301fea361ed371e57a5b84fd84f6751f68896ee2ccfb |
C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs
| MD5 | b8da7c065c6cf60a8bb87ae2c08ecbde |
| SHA1 | 4cae9a4af4100700f2a27c0ae2277e4c723917c2 |
| SHA256 | dfe116c55437ce858201ca6bbe3270726ddfd98c567352d1ec6a55ee0ec58576 |
| SHA512 | e03673c7198a5255867c9ef03bad8a00079a40fa6994148e58f53c5c58f3687c2929f170ebcbf1bcda0e191a7ef9afaa4d316b4d5442ca8d789fcdd145cdba28 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | c97747d19d7949149c06d7b05d4396ac |
| SHA1 | 3f6c0ff8e2b8367ebcd0c0fc2fc7b4af2f47a7e2 |
| SHA256 | 4ee8d5b522de09115cd3f84220a1dc683a809a049c1f2b1c225d12b9df2af773 |
| SHA512 | 01a6b897e1ca6dfc882b7247267149ef9f6ed4dd9bb41b676223c66c8697f374deb3021f1184fbec84bcbe0c68c381d0dbe8a8edcdc76745f788922f4a76d7bf |
memory/4864-398-0x0000000000400000-0x000000000043E000-memory.dmp
memory/6056-402-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\Debug\WIA\wiatrace.log
| MD5 | 691821e7fffb12e0f2764deb4560b8cc |
| SHA1 | cef5f8d24de2cfea9fb86ec2ce8f4bc9f5f3702f |
| SHA256 | a701365eda3d93383944d9de316f4d73c0b7753ccc10478d175067c958793b8c |
| SHA512 | ce57406de9d6439545eae0d3a41102df887b28151cdf3286e9110822997cca157d949b8bd21b3312b470ed56f9d7792fb3cf4e17ea2d6b45f04c6855abb0f160 |
memory/6056-406-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1690.tmp\x.vbs
| MD5 | e60e18316982f812bd11223845d78bd5 |
| SHA1 | 5252460b412b17069a257246a47e8ea897611048 |
| SHA256 | 607091b470d1d6d1efd00c38f1c8772a112c78b91a295293a48fc32d4211f317 |
| SHA512 | 9c18fb27c2056d687dc8c702a1489888e9bbfe3fb01c80a3c91aea29bdecda33c71308e66b286b42dd2dcf6170810668d36802152f194c3218338987a5202352 |