Resubmissions
25-05-2024 07:32
240525-jcy6vsaf43 1025-05-2024 07:22
240525-h7ev2aad3w 1025-05-2024 07:15
240525-h3nx5sac5y 825-05-2024 07:05
240525-hwh4baab2t 7Analysis
-
max time kernel
189s -
max time network
218s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
25-05-2024 07:15
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://pixeldrain.com/u/QEeXR3cT
Resource
win10v2004-20240426-en
General
-
Target
http://pixeldrain.com/u/QEeXR3cT
Malware Config
Signatures
-
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
Processes:
YouAreAnIdiot.exeTrololo.exepid process 2596 YouAreAnIdiot.exe 6044 Trololo.exe -
Loads dropped DLL 2 IoCs
Processes:
YouAreAnIdiot.exepid process 2596 YouAreAnIdiot.exe 2596 YouAreAnIdiot.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 6048 2596 WerFault.exe YouAreAnIdiot.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Kills process with taskkill 2 IoCs
Processes:
taskkill.exetaskkill.exepid process 5712 taskkill.exe 1996 taskkill.exe -
Modifies registry class 2 IoCs
Processes:
msedge.exeOpenWith.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings OpenWith.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exepid process 3688 msedge.exe 3688 msedge.exe 3376 msedge.exe 3376 msedge.exe 3648 identity_helper.exe 3648 identity_helper.exe 5256 msedge.exe 5256 msedge.exe 5744 msedge.exe 5744 msedge.exe 5744 msedge.exe 5744 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
Processes:
msedge.exepid process 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
7zFM.exetaskkill.exetaskkill.exeAUDIODG.EXEdescription pid process Token: SeRestorePrivilege 6000 7zFM.exe Token: 35 6000 7zFM.exe Token: SeSecurityPrivilege 6000 7zFM.exe Token: SeDebugPrivilege 5712 taskkill.exe Token: SeDebugPrivilege 1996 taskkill.exe Token: 33 4388 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 4388 AUDIODG.EXE -
Suspicious use of FindShellTrayWindow 46 IoCs
Processes:
msedge.exe7zFM.exepid process 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 6000 7zFM.exe 6000 7zFM.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe 3376 msedge.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
OpenWith.exepid process 5352 OpenWith.exe 5352 OpenWith.exe 5352 OpenWith.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 3376 wrote to memory of 3664 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3664 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 2636 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3688 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3688 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3392 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3392 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3392 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3392 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3392 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3392 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3392 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3392 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3392 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3392 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3392 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3392 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3392 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3392 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3392 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3392 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3392 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3392 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3392 3376 msedge.exe msedge.exe PID 3376 wrote to memory of 3392 3376 msedge.exe msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pixeldrain.com/u/QEeXR3cT1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc8b8946f8,0x7ffc8b894708,0x7ffc8b8947182⤵PID:3664
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:22⤵PID:2636
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3688 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:82⤵PID:3392
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:12⤵PID:4824
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:12⤵PID:3120
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:12⤵PID:3172
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3436 /prefetch:82⤵PID:4112
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3436 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3648 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:12⤵PID:2476
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:12⤵PID:4836
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:12⤵PID:3228
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:12⤵PID:620
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5908 /prefetch:82⤵PID:1608
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:12⤵PID:696
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5256 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,11510296352905001054,10743061587707768658,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5116 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:5744
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2204
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2028
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5352
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5896
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\пездець1488.rar"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6000
-
C:\Users\Admin\Desktop\пездець1488\Трояны\YouAreAnIdiot.exe"C:\Users\Admin\Desktop\пездець1488\Трояны\YouAreAnIdiot.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 15562⤵
- Program crash
PID:6048
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2596 -ip 25961⤵PID:6016
-
C:\Users\Admin\Desktop\пездець1488\Шутки\Trololo\Trololo.exe"C:\Users\Admin\Desktop\пездець1488\Шутки\Trololo\Trololo.exe"1⤵
- Executes dropped EXE
PID:6044 -
C:\Windows\SYSTEM32\taskkill.exetaskkill.exe /f /im explorer.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5712 -
C:\Windows\SYSTEM32\taskkill.exetaskkill.exe /f /im taskmgr.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1996
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x514 0x4fc1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4388
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD51ac52e2503cc26baee4322f02f5b8d9c
SHA138e0cee911f5f2a24888a64780ffdf6fa72207c8
SHA256f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4
SHA5127670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5b2a1398f937474c51a48b347387ee36a
SHA1922a8567f09e68a04233e84e5919043034635949
SHA2562dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6
SHA5124a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
96B
MD5c57b06e50114e54b44797ddca40afc5d
SHA143721693ead6b3304a5791a5e8389813659fc603
SHA2568d1bee0a5c1ecbbea13d8e8b92ab5802efda89334f76dbfc5bed7cd3cc724a44
SHA51239272b9fda490a1c838635ec8d83a111be034b4aa90cd5f56575620166f32f5cc8f155a42fbd3beff15b8cb59b606059c7208032c9cae1d4b05b4ab48e531a62
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
182B
MD59eb9d67f919ae153884991ffc5223fdb
SHA18ebbb1a763b529cc9bf2839b13f0564f10d10046
SHA25608e4c57ce93d9bce050befa4e516d8aca239010d22692f90ea30a39ba91a1d40
SHA5129aad23e77ff458c7b49381fec4e0c650172314e46cdae969744d948f67eabb8ee25e2d04f6d81d43bc97f2d704fabc43b4b63ece97a14f09fde78c59132a003b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5eacf7a4f078e6c92e7b6cc33e2762791
SHA1e0c4a4a3e6655a92e183917938cd00027ec732de
SHA256d27e7c6d430f582f487c3a8d5090816b411c865af0d63231db4cccac9c19a890
SHA5128cca4043639bd57bd0dd61564629075c4e8d92c4453add1a5ea533a00d6330b9382ed9f4c2b0dc295651323a6ed6b16c28009a653e651f426e3c171e36794c3a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5089765a853a1e74fa06019170cf87bf0
SHA1d2d2ce0a54f904d7e6d88365eca778e7cfbfd92c
SHA256db0d93c839f52c9a69f50312bbc8a44d3a264d20caa3fa585b627f524cdf0682
SHA512ba972e25ba32ca17ab3e394f1ecd6313d17c326e9c3526c207a615e11f32fa39f6946e7df839f2099ffab5872fc19440eac27d3f26a1aa1ab009af9044884a14
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD57ca4926fabbf070f30f2893a680ef2d4
SHA143604ab2531272951c7f1c5ba78a9a4ca585dd04
SHA256e1cf98db0006d5f04546df6cbdd30b326f91cedc89cee57f06ff05b82ac66c29
SHA512eb2314f6e88e03129cb96c57f190a18fd7c7647e141fd032f77b1fd7c198b4fe87e3ea832facc2a66cf9c6031f42547cbe3101e8d6d4c5a6940ed3a345d42add
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5ecae2f523db32b26f7e2758f280cc824
SHA1fe079d98196b00887d32fdb80be4eea443e7e4d6
SHA256b9fe4e85f89237620f7a776347db030c33da7ddc0890f63e36c8fef595a4767f
SHA5125f329a166c97591754f8b79a12a5bc20c7650085298433e9b6b92c4e4772de4aa9309596fd2a846c9d4bb8bc3c48beca59af85ccfb629503526ef9248a6dbcfe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
204B
MD57f9b05368d1b0b91de53dfc74be00358
SHA1b8ce844ffb9aeb82229e2cc6caf5b9d25f898c5d
SHA256784c7e05435a25ff151983d200712f1374753afdc706b1dc7c03c664a09af708
SHA51216c36d56ec32477a7dcfa2add9423dc55b7079b3572aafd231d166467f158cfbfdfe3ef4acf1a5426d725df33920db6d5eb9ad3d62d4cc7e0d12793983b6d731
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe578359.TMPFilesize
204B
MD50711950d36c7ace342c38c8b866694de
SHA1ce66bea7aebb069316b41f762d4ca26e882cb5d3
SHA25612fc78d023f9b3bb3162225e51daa210c646ad1497a7da0931ed46f2b11d7a1f
SHA5124cb38476f933e9286b890e0e54a6fbb2861595da0758c2bab167505ba4d62711411cb3e74c29b2760e8d43eae43cd247b4d9d8b6f9811ce468a2fa35fef61e7a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5357645e5190a65fa8bafb4501d962e6a
SHA149c5593a08a8b65272cb4e0bc3d6884e7f226ba2
SHA256ba26a5bd33493790318a5d0b693dfa98f17667554e6d67fa82a0c7549b6399e6
SHA512ad3f8cf28e3ed60c6d03c4319cce9099dcf3d8cb35d90d70fe505191b02151b3476e1167d0cb588217612989015976223af33367df85afb81689af33279760ae
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5cfe61c66a048a556cab96f3b2deb4669
SHA1d91ec7e813ce5d69e9ba20db831f55474717f826
SHA25682b06902e37dcf7a576e73bd3fb5ec47c02c5b59b143bc9dd04644260b2e24bc
SHA512e09cc4c820766760c21c1db92cf2d8d922d53f87d88c77cc2fe01803d22d350fc86cfbf892b54bcadc87782f13443d56d326b7dac4019daaadec21216a365e1d
-
C:\Users\Admin\Desktop\пездець1488\Трояны\AxInterop.ShockwaveFlashObjects.dllFilesize
17KB
MD5451112d955af4fe3c0d00f303d811d20
SHA11619c35078ba891091de6444099a69ef364e0c10
SHA2560d57a706d4e10cca3aed49b341a651f29046f5ef1328878d616be93c3b4cbce9
SHA51235357d2c4b8229ef9927fa37d85e22f3ae26606f577c4c4655b2126f0ecea4c69dae03043927207ca426cc3cd54fc3e72124369418932e04733a368c9316cf87
-
C:\Users\Admin\Desktop\пездець1488\Трояны\YouAreAnIdiot.exeFilesize
424KB
MD5e263c5b306480143855655233f76dc5a
SHA1e7dcd6c23c72209ee5aa0890372de1ce52045815
SHA2561f69810b8fe71e30a8738278adf09dd982f7de0ab9891d296ce7ea61b3fa4f69
SHA512e95981eae02d0a8bf44493c64cca8b7e50023332e91d75164735a1d0e38138f358100c93633ff3a0652e1c12a5155cba77d81e01027422d7d5f71000eafb4113
-
C:\Users\Admin\Desktop\пездець1488\Шутки\Trololo\Trololo.exeFilesize
3.0MB
MD5b6d61b516d41e209b207b41d91e3b90d
SHA1e50d4b7bf005075cb63d6bd9ad48c92a00ee9444
SHA2563d0efd55bde5fb7a73817940bac2a901d934b496738b7c5cab7ea0f6228e28fe
SHA5123217fc904e4c71b399dd273786634a6a6c19064a9bf96960df9b3357001c12b9547813412173149f6185eb5d300492d290342ec955a8347c6f9dcac338c136da
-
\??\pipe\LOCAL\crashpad_3376_CMLQCZBMGHDTZHQZMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2596-329-0x0000000005610000-0x0000000005BB4000-memory.dmpFilesize
5.6MB
-
memory/2596-330-0x0000000005100000-0x0000000005192000-memory.dmpFilesize
584KB
-
memory/2596-331-0x00000000050A0000-0x00000000050AA000-memory.dmpFilesize
40KB
-
memory/2596-332-0x0000000005200000-0x0000000005256000-memory.dmpFilesize
344KB
-
memory/2596-328-0x0000000004FC0000-0x000000000505C000-memory.dmpFilesize
624KB
-
memory/2596-336-0x00000000051F0000-0x00000000051FA000-memory.dmpFilesize
40KB
-
memory/2596-327-0x00000000006D0000-0x0000000000742000-memory.dmpFilesize
456KB
-
memory/6044-339-0x000000001C040000-0x000000001C0E6000-memory.dmpFilesize
664KB
-
memory/6044-340-0x000000001C5C0000-0x000000001CA8E000-memory.dmpFilesize
4.8MB
-
memory/6044-341-0x000000001CB30000-0x000000001CBCC000-memory.dmpFilesize
624KB
-
memory/6044-342-0x00000000018A0000-0x00000000018A8000-memory.dmpFilesize
32KB
-
memory/6044-343-0x000000001CDB0000-0x000000001CDFC000-memory.dmpFilesize
304KB