Analysis Overview
Threat Level: Likely malicious
The file https://cdn.discordapp.com/attachments/1255925771663310981/1255927203800285347/E.exe?ex=667ee8db&is=667d975b&hm=0280d6ea2501467fd804b11df22f8210d289bac2611d99eaabe571beb85c8c3a& was found to be: Likely malicious.
Malicious Activity Summary
Manipulates Digital Signatures
Downloads MZ/PE file
VMProtect packed file
Executes dropped EXE
Suspicious use of SetThreadContext
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Modifies registry class
NTFS ADS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-27 16:53
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 16:53
Reported
2024-06-27 16:59
Platform
win10v2004-20240611-en
Max time kernel
300s
Max time network
274s
Command Line
Signatures
Downloads MZ/PE file
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION" | C:\Windows\SysWOW64\certutil.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL" | C:\Windows\SysWOW64\certutil.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\E.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\E.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5552 set thread context of 0 | N/A | C:\Users\Admin\Downloads\E.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 402112.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\E.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\E.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1255925771663310981/1255927203800285347/E.exe?ex=667ee8db&is=667d975b&hm=0280d6ea2501467fd804b11df22f8210d289bac2611d99eaabe571beb85c8c3a&
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfb3746f8,0x7ffcfb374708,0x7ffcfb374718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,1767800873334332305,14317210202250093063,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,1767800873334332305,14317210202250093063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,1767800873334332305,14317210202250093063,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,1767800873334332305,14317210202250093063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,1767800873334332305,14317210202250093063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,1767800873334332305,14317210202250093063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,1767800873334332305,14317210202250093063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1988,1767800873334332305,14317210202250093063,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5444 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,1767800873334332305,14317210202250093063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1988,1767800873334332305,14317210202250093063,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6012 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,1767800873334332305,14317210202250093063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,1767800873334332305,14317210202250093063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,1767800873334332305,14317210202250093063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,1767800873334332305,14317210202250093063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1988,1767800873334332305,14317210202250093063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\Downloads\E.exe
"C:\Users\Admin\Downloads\E.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\E.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\SysWOW64\certutil.exe
certutil -hashfile "C:\Users\Admin\Downloads\E.exe" MD5
C:\Windows\SysWOW64\find.exe
find /i /v "md5"
C:\Windows\SysWOW64\find.exe
find /i /v "certutil"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c title EfsaneTakipci.com
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,1767800873334332305,14317210202250093063,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
C:\Users\Admin\Downloads\E.exe
"C:\Users\Admin\Downloads\E.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\E.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\SysWOW64\certutil.exe
certutil -hashfile "C:\Users\Admin\Downloads\E.exe" MD5
C:\Windows\SysWOW64\find.exe
find /i /v "md5"
C:\Windows\SysWOW64\find.exe
find /i /v "certutil"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c title EfsaneTakipci.com
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pvtauth.site | udp |
| US | 104.21.41.34:443 | pvtauth.site | tcp |
| N/A | 127.0.0.1:50991 | N/A | tcp |
| N/A | 127.0.0.1:50993 | N/A | tcp |
| US | 8.8.8.8:53 | 34.41.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 104.21.41.34:443 | pvtauth.site | tcp |
| N/A | 127.0.0.1:60663 | N/A | tcp |
| N/A | 127.0.0.1:60665 | N/A | tcp |
| US | 104.21.41.34:443 | pvtauth.site | tcp |
| US | 8.8.8.8:53 | efsanetakipci.com | udp |
| TR | 45.84.189.227:443 | efsanetakipci.com | tcp |
| N/A | 127.0.0.1:60668 | N/A | tcp |
| N/A | 127.0.0.1:60670 | N/A | tcp |
| US | 8.8.8.8:53 | 227.189.84.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.25.90.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 104.21.41.34:443 | pvtauth.site | tcp |
| N/A | 127.0.0.1:60690 | N/A | tcp |
| N/A | 127.0.0.1:60692 | N/A | tcp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
| US | 104.21.41.34:443 | pvtauth.site | tcp |
| N/A | 127.0.0.1:60706 | N/A | tcp |
| N/A | 127.0.0.1:60708 | N/A | tcp |
| N/A | 127.0.0.1:60712 | N/A | tcp |
| N/A | 127.0.0.1:60714 | N/A | tcp |
| US | 104.21.41.34:443 | pvtauth.site | tcp |
| N/A | 127.0.0.1:60717 | N/A | tcp |
| N/A | 127.0.0.1:60719 | N/A | tcp |
| US | 104.21.41.34:443 | pvtauth.site | tcp |
| TR | 45.84.189.227:443 | efsanetakipci.com | tcp |
| N/A | 127.0.0.1:60729 | N/A | tcp |
| N/A | 127.0.0.1:60731 | N/A | tcp |
| US | 104.21.41.34:443 | pvtauth.site | tcp |
| N/A | 127.0.0.1:60734 | N/A | tcp |
| N/A | 127.0.0.1:60736 | N/A | tcp |
| US | 104.21.41.34:443 | pvtauth.site | tcp |
| N/A | 127.0.0.1:60743 | N/A | tcp |
| N/A | 127.0.0.1:60745 | N/A | tcp |
| US | 104.21.41.34:443 | pvtauth.site | tcp |
| N/A | 127.0.0.1:60749 | N/A | tcp |
| N/A | 127.0.0.1:60751 | N/A | tcp |
| US | 104.21.41.34:443 | pvtauth.site | tcp |
| N/A | 127.0.0.1:60758 | N/A | tcp |
| N/A | 127.0.0.1:60760 | N/A | tcp |
| US | 104.21.41.34:443 | pvtauth.site | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 3a09f853479af373691d131247040276 |
| SHA1 | 1b6f098e04da87e9cf2d3284943ec2144f36ac04 |
| SHA256 | a358de2c0eba30c70a56022c44a3775aa99ffa819cd7f42f7c45ac358b5e739f |
| SHA512 | 341cf0f363621ee02525cd398ae0d462319c6a80e05fd25d9aca44234c42a3071b51991d4cf102ac9d89561a1567cbe76dfeaad786a304bec33821ca77080016 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | db9081c34e133c32d02f593df88f047a |
| SHA1 | a0da007c14fd0591091924edc44bee90456700c6 |
| SHA256 | c9cd202ebb55fe8dd3e5563948bab458e947d7ba33bc0f38c6b37ce5d0bd7c3e |
| SHA512 | 12f9809958b024571891fae646208a76f3823ae333716a5cec303e15c38281db042b7acf95bc6523b6328ac9c8644794d39a0e03d9db196f156a6ee1fb4f2744 |
\??\pipe\LOCAL\crashpad_1960_PFGNSVWEBVUVOSMZ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b955d6e6ccb4c8c3d76aadb3dafeeb91 |
| SHA1 | bce67042dcf6e84c6eaed1f7a0f617c731f68846 |
| SHA256 | d618b7ac98f369f83db1d4741b665e797fcc161c8f6f0cce27ac582c606c309b |
| SHA512 | 68f1c3165d9faa04ff5d0bc7e5ac22a65882bad66823d97aed5ee36262406844f1ba68c17569ad58ed3a1273e4b19a2f1a90ea5e516da4c26644ca77009fa9f3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\Downloads\Unconfirmed 402112.crdownload
| MD5 | 9ef0bf973cc4f774babdf60db0fbe6ca |
| SHA1 | d3f40ac56b26c1d6ead9c5236b867cab30690fa1 |
| SHA256 | 6b8c098f01af5e1a692a8e5cff2682ce62071e79f40c6eecf3f3c541cf6890c9 |
| SHA512 | 5fc80ed74e43bc046c76d829363c1584d3273425efdb4136ad61da805985a0c9ed39a07b70fd3350ff30a2d524be8573f2ce4e44c8d9a620daecbbca7c56c852 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | db60ddf6d03f8e7de4307aa048919ea3 |
| SHA1 | 148cf6553f44fd7080c8e2112dbe045bb4226a02 |
| SHA256 | bbe4dda7f883b6917c78d3b609994f5d3c18a505909ec7c096860e32efaff8e7 |
| SHA512 | e5e8932c0a313d6b6d4c2835da56db32106211729a54412d3bc1cd0ca0fb61253c572f692be6c3fc1cc87b93a26fe65790fefee89b9556b737c7b4eb7d9a8d1f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b1fe27a3edb710826c344614af6e7cf2 |
| SHA1 | 4d90bb07dab76ab943f975e356f55a2a00a01b8d |
| SHA256 | 7802be215f3c4d876aa24ca97ac2b8f8be736ab758a0bfb9e4373fc288216234 |
| SHA512 | 0ab92b5ac6aa3fc90702aa92b67f643439f730597719a990ec014d2b5de0083ab0ec33a82f0390ee8f1300649a535035dc93c563f76b7ef04583da20d2e169f5 |
memory/5756-68-0x0000020FDAA70000-0x0000020FDAA71000-memory.dmp
memory/5756-69-0x0000020FDAA70000-0x0000020FDAA71000-memory.dmp
memory/5756-70-0x0000020FDAA70000-0x0000020FDAA71000-memory.dmp
memory/5756-80-0x0000020FDAA70000-0x0000020FDAA71000-memory.dmp
memory/5756-78-0x0000020FDAA70000-0x0000020FDAA71000-memory.dmp
memory/5756-79-0x0000020FDAA70000-0x0000020FDAA71000-memory.dmp
memory/5756-77-0x0000020FDAA70000-0x0000020FDAA71000-memory.dmp
memory/5756-76-0x0000020FDAA70000-0x0000020FDAA71000-memory.dmp
memory/5756-75-0x0000020FDAA70000-0x0000020FDAA71000-memory.dmp
memory/5756-74-0x0000020FDAA70000-0x0000020FDAA71000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 094ab275342c45551894b7940ae9ad0d |
| SHA1 | 2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e |
| SHA256 | ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3 |
| SHA512 | 19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d |
C:\Users\Admin\Downloads\module.dll
| MD5 | 15ac0f80f52c944415e65f182b9891b7 |
| SHA1 | 32c265ab320e47ad73eb8b0a8fe9524b62e0678c |
| SHA256 | cd07ab7ae92e78d942a82f133d93000ea238b7334d7ff7342cdac98725e337a7 |
| SHA512 | 19a513caf8b4b29f8c1ba5f3159fa275b397934da3c391c7ad45d6e391b9e9255f319d34628813afbb409c4191681e866248f93d6572cc621c2857573bdc777a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
| MD5 | 822467b728b7a66b081c91795373789a |
| SHA1 | d8f2f02e1eef62485a9feffd59ce837511749865 |
| SHA256 | af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9 |
| SHA512 | bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
| MD5 | 260cbc9fd624528fdf81f0edc310f933 |
| SHA1 | 506f8a0193357aa8506be9e267de18aaa313cdf7 |
| SHA256 | b7ec0274373c1ba4d6988283842ebe47ae732497cfe1b1401fa5dfab71fce4a4 |
| SHA512 | 2340e56e8a0623cdfcd52b1d228a472acc85e3ae64b586e240f8e64c81612c52d33121adf6ff50556fe30b6ab5f32bfdba493cf1c6a317b6061d154c338eebd2 |
C:\Users\Admin\Downloads\Helper.dll
| MD5 | de6e61eb81a84df1d6c2b56b920c3c23 |
| SHA1 | efaca46958ffaeb70c4b62f5d096519b0b7e6035 |
| SHA256 | 46b79d79a77a4e390383231c8761b7fd031965aed7e9db7fa9944f3011676bbd |
| SHA512 | 2237ef1cd9bf21c9efd5ab64c1638ea28c3302735dbd1dc5e7a2f4f156adb02947649c4ef29b0ac8436e6a1998e756912a1d8ae4530a40c5e5a7823a7506ede4 |
C:\Users\Admin\Downloads\module.dll
| MD5 | dcc3a12c1daea2fff2bd699cba54e5ad |
| SHA1 | af52ae76eb460027768d8c9cef7afac6e31e5d02 |
| SHA256 | 983369074900218fee0bda623bc3eb69c4007b0b5775f4e403fc9880be32fe1d |
| SHA512 | 13852e7ffd731eaa6b7fa25e4721342701898b82f68efd058f79d12cf5c244ce8c2d10b1d54b7559b6b19a82943eeb28f1b28a3f7a1f32fb794156228da73dec |
C:\Users\Admin\Downloads\Mapper.dll
| MD5 | eef2e264d11153b7f999f0f1e311b786 |
| SHA1 | 0a2191637a69f0938f5475c0d09e37d6abbb0270 |
| SHA256 | bda73870dda2ab199fd0928853617f9aefa82abe9b51137d2ea14b0117d909ba |
| SHA512 | 1194f95ceba56e819655c7398771134ece6275ffc22cfc95659c1fbb86a0c36c8e05f4c8f1821c0cbda377c968f534d5b1fcf2c74d643d92e139d21aecc5c59c |