Malware Analysis Report

2024-08-06 16:14

Sample ID 240701-r1v34sxang
Target sample
SHA256 23c75e988d1579ade684b8fc3e9ebea0f2d62b955d190c974c4a47112681048a
Tags
bootkit persistence upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

23c75e988d1579ade684b8fc3e9ebea0f2d62b955d190c974c4a47112681048a

Threat Level: Shows suspicious behavior

The file sample was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit persistence upx

Executes dropped EXE

UPX packed file

Writes to the Master Boot Record (MBR)

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Kills process with taskkill

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Modifies registry class

NTFS ADS

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Pre-OS Boot
T1542
Bootkit
T1542.003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Pre-OS Boot
T1542
Bootkit
T1542.003
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Web Service
T1102
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-07-01 14:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-01 14:40

Reported

2024-07-01 14:45

Platform

win11-20240419-en

Max time kernel

317s

Max time network

203s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\24BF.tmp\mbr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24BF.tmp\bytebeat1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24BF.tmp\rgb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24BF.tmp\sinewaves.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24BF.tmp\Lines.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24BF.tmp\patblt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24BF.tmp\invmelter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24BF.tmp\cubes.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24BF.tmp\rgb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\24BF.tmp\bsod.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\24BF.tmp\mbr.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1474490143-3221292397-4168103503-1000\{3D6C3C24-A201-43CE-90F0-D07A607990D6} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\WinRGBDestructive.zip:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\24BF.tmp\bsod.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\WinRGBDestructive\WinRGBDestructive.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4732 wrote to memory of 4748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4480 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4408 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 4408 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4732 wrote to memory of 2376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff842c53cb8,0x7ff842c53cc8,0x7ff842c53cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5624 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5136 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6564 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\WinRGBDestructive\WinRGBDestructive.exe

"C:\Users\Admin\Downloads\WinRGBDestructive\WinRGBDestructive.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\24BF.tmp\24C0.tmp\24C1.vbs //Nologo

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\mbr.exe

"C:\Users\Admin\AppData\Local\Temp\24BF.tmp\mbr.exe"

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\bytebeat1.exe

"C:\Users\Admin\AppData\Local\Temp\24BF.tmp\bytebeat1.exe"

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\rgb.exe

"C:\Users\Admin\AppData\Local\Temp\24BF.tmp\rgb.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C8

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\sinewaves.exe

"C:\Users\Admin\AppData\Local\Temp\24BF.tmp\sinewaves.exe"

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\Lines.exe

"C:\Users\Admin\AppData\Local\Temp\24BF.tmp\Lines.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im Lines.exe

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im sinewaves.exe

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout.exe

"C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im txtout.exe

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im RGB.exe

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\patblt.exe

"C:\Users\Admin\AppData\Local\Temp\24BF.tmp\patblt.exe"

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout2.exe

"C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout2.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im patblt.exe

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im txtout2.exe

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\invmelter.exe

"C:\Users\Admin\AppData\Local\Temp\24BF.tmp\invmelter.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im invmelter.exe

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\cubes.exe

"C:\Users\Admin\AppData\Local\Temp\24BF.tmp\cubes.exe"

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\rgb.exe

"C:\Users\Admin\AppData\Local\Temp\24BF.tmp\rgb.exe"

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout.exe

"C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /f /im txtout.exe

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout2.exe

"C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout2.exe"

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\bsod.exe

"C:\Users\Admin\AppData\Local\Temp\24BF.tmp\bsod.exe"

Network

Country Destination Domain Proto
GB 142.250.200.14:443 www.youtube.com tcp
GB 142.250.200.14:443 www.youtube.com tcp
GB 142.250.200.14:443 www.youtube.com tcp
GB 142.250.200.14:443 www.youtube.com tcp
GB 216.58.204.74:445 fonts.googleapis.com tcp
GB 142.250.200.14:443 www.youtube.com udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
GB 216.58.204.74:139 fonts.googleapis.com tcp
N/A 224.0.0.251:5353 udp
IE 209.85.203.84:443 accounts.google.com tcp
IE 209.85.203.84:443 accounts.google.com udp
US 173.194.141.9:443 rr4---sn-q4fl6ndl.googlevideo.com tcp
US 173.194.141.9:443 rr4---sn-q4fl6ndl.googlevideo.com tcp
US 173.194.141.9:443 rr4---sn-q4fl6ndl.googlevideo.com tcp
US 173.194.141.9:443 rr4---sn-q4fl6ndl.googlevideo.com tcp
US 173.194.141.9:443 rr4---sn-q4fl6ndl.googlevideo.com tcp
US 173.194.141.9:443 rr4---sn-q4fl6ndl.googlevideo.com tcp
GB 142.250.200.46:443 youtube.com tcp
GB 142.250.200.22:443 tcp
GB 172.217.169.46:443 www.youtube.com udp
GB 216.58.212.195:445 www.gstatic.com tcp
NL 23.62.61.155:443 www.bing.com tcp
NL 23.62.61.171:443 www.bing.com tcp
NL 23.62.61.171:443 www.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
FR 20.190.177.82:443 login.microsoftonline.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.110.133:443 user-images.githubusercontent.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 140.82.113.22:443 collector.github.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 13.107.5.80:443 services.bingapis.com tcp
US 185.199.108.133:443 user-images.githubusercontent.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d0f84c55517d34a91f12cccf1d3af583
SHA1 52bd01e6ab1037d31106f8bf6e2552617c201cea
SHA256 9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c
SHA512 94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171

\??\pipe\LOCAL\crashpad_4732_ENBSACYBAZJHNYEP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ade01a8cdbbf61f66497f88012a684d1
SHA1 9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f
SHA256 f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5
SHA512 fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 aef964b2bc3b6c84301b925e90b4f8c7
SHA1 3a266a47ef48c909c9182dd8381949b795d63ef5
SHA256 4c301c057320b3e894ff466705b0606750653a5f19b6cbd7a468a958a33dba4f
SHA512 f7aaa70152d40043f8d74a7f225919fa4118ae5aa811bd93bf86f175a9e3be234968a19d474995b802f2cb9f6eb1ec83aa66197a5c55a427300fbe93cd4c5518

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e9f161c7734414e377f414ab69d0f61e
SHA1 f9f2b1e6412c732865c9a91078bc462fd0df9f23
SHA256 7f1d4de6cfa366a5761275935f73e770d5b4be8e55f83a01b025f306477e42ca
SHA512 fca3c5ddf3f5b4818b6d092a893a50d51be7895b205da31a79a7c075cc8bd2bc9a79aa8ceec217c23ea0d0d3c294a97ad69ff2973bbb68a842d4c8ed1590effb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 eb2b2a2ab23c17a394bbdb03563efaeb
SHA1 9833d8dbedf9bbbc75e095650a400b892da64d30
SHA256 2d53399d229d1ab829062589fe02ae16769221bc0a2f66958e57f56d8da8a127
SHA512 8b5a6965327a778e9ae50a3cf208797723197fe04bc2ea58d18eb79819cc713643a5dbeee1536d56fd30726bdebe4954b47ce853b058f3b8964981709f55cf51

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\index.txt

MD5 547d623575ba300fa6fc9f9c435a3d43
SHA1 e0703adc90a562fcfb42050dc6c8040f1c7527df
SHA256 ec1c15a58a1527f14ca3858fe24ce54c063de9ad986400ce665debc45639f07b
SHA512 d0cfd337d6b8d671d4136991e49c780861cbd37762f7e4f8645578abe67f0092a096e4d8ffd6db5479a0d5e6a6fd28499d352d1e16e11fcc696ef5d6fe21cf6e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\index.txt

MD5 30cda24dc407cb86da6339b4582c7718
SHA1 e018b59d7e41a26c60a2c7a3b7261bd102bc39a7
SHA256 4415f79e3b04fce81f8dd775020d4a8128e1af888744ebfc24d380058df2d0e0
SHA512 70689abf1f37f41d66133381219cbf07390c491af3311fb2ed50e3074a9949ad643afe27b99288fa3cb9aedaf1cc94bdaec8476313263639a8795b64b28e2d44

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\index.txt

MD5 55676aff8699aa1be89268fd9b865c52
SHA1 ac2d169a6b4a6c6301d32b4aaaee11f6ccbda105
SHA256 258b52eaa22eb22f8931c5829653249f79dbc1ddb85b56060e0ff87552420c21
SHA512 87c8055efadc88ff7dbb6d56e2c97b95ea9ded519eda20e6b8e9fa63c7c8420a15ec4ab9e91f30bd8161a09db0f941c620f3e7bc1df903c011435fcc821d42a3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 968440030dc4ef255ffc8fb6d4c427ed
SHA1 94f92a4f7830431ba6cfdbf210007b560b4f1399
SHA256 976085a2702deaca66ecf6048cbced39547688d47a233ef8bbff9da43dea8bea
SHA512 6ebcde2333515e7b70577140c3725d8f622ab81b90e6efb1ce282f85e4bd4981f5baa6dcbddc447a7aca5eb88619b53541d4294ce3f378baefefb0341a5521b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\fbcfddda-0647-471b-969c-a721ad1d9420\index-dir\the-real-index~RFe5826bd.TMP

MD5 096f070bbc4d82b68995401e79121723
SHA1 3076e39f623b8309a6caa10018e1d0a06e175824
SHA256 d19a63fe3656ab3fce31ef0f6f7e91ad5254f0c86e8f035f483e784f1ee4cbe5
SHA512 2fe296c6ba082e359857c23bbfcacf6a4f3b11eb0b14cf14493a044152e23e23e5562cafdd1fb7a2f76cb74deb42469f8d9fddde82929483c80277680ba591f1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\fbcfddda-0647-471b-969c-a721ad1d9420\index-dir\the-real-index

MD5 4ace4a91e7dca3f6e2c76f6f5df89dcc
SHA1 c1fe47e2aa13298d14e6d54f2b5b6c4a5755ac94
SHA256 8be1c137115c53fd143112e52708a8e6964ae92e3339a936f8e7f138fc2dbc94
SHA512 f807cc592e6c19906e381a10569d38dfa80d0422d8779dce33f3c1cabdf271713d334293c4a50ff95fa5f95000db8f1f09cb02aa9c857484744f9687e7df7f4a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\index.txt

MD5 0407120ade3009769eeebffcf36389a3
SHA1 5c95d4b2658edfcbebb9c54b2f37ff14811a84de
SHA256 922af5a8454a2d2e63bcc3bdf98e6947fb294041e6f674a9153e7444fd857dbc
SHA512 166a434f55e3b6c736e781b9a3cbe874dc5a1432426322ca835e4d5e8624c62a740b8a273e0ef737d5b508874e1d7d26d2500c5f5538195c35162723aa85e232

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 0227acca84a98204d1845dbfcdb32919
SHA1 b6f1372ec60a4561fe558ba93431555c5f8769eb
SHA256 f7d36d8f7ccbaf5c66a6846c1f89b462da06945c00250c05e1c6333600adf729
SHA512 21e6efd4a02d50a719d36b20435a031d63eb0e331833ad59e3a55755d7aeed10393134b4ebefcbfc16c58097edadb53d5a02582f39fafcd424e6f93b2a368e3c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0190e85324d223a7802bf1363b598781
SHA1 63b64fa147d0fa9c8610d56357c74b4e83f9f24d
SHA256 ed933c21c73bef949c71e71411c9cf1e3929751da444134f6686d45e099958a0
SHA512 81b2feadbb76542444e5c9b6a253920f3666a390179ac1d7380110da66833834b8ab770729e25c43585cc75afae504fb68589cfe02253860f74628e065c60398

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 9cdeb5f33703f16033d849a8e662d423
SHA1 05e36ea45ebb91bb039bb90fc3204c803fd94b0f
SHA256 763f5a72c9f15a0497f706da7377b894acea35f9728c9a1a243a32f10cdb90f3
SHA512 ac369418016e4544d664c036e67499ff8f08e0d194fd968c9529b8cf5ada7d90d88d248d7468109b7bc8cab4a4d89e268f377e01bd377e153a34bdf789196c5a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59d3a2.TMP

MD5 eb4433415451f4b4fc80335741e68e3c
SHA1 5c674af976cdc7e19bec8b4c3f0e039d25abf9b1
SHA256 e221273af477698bee6e33a80809171a809906c4be80c5c8e293283a919f2bd9
SHA512 1387b152f6e4fe88332424f21bb09a75d5ea865e1e17ee1d29f0dbc5635b20c5a882a819409e4b7ab73fc17856f53afd38a2b5d5ea42f441fddd60ccf52bed92

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0677faf7fd3d9ef977636bbc7d5ff76d
SHA1 9cf942b5fbf5b37689ab9ecae4c09b79f464b71e
SHA256 bbcfa1c53dd53cb446e584f341f39c901115999e05717047edf04956fd353c9f
SHA512 da51f1747dfbef4cb13e954c37bbf7a5c0b5b4eca0514700dd036ada5761f0a939b6a43dc2d403dabf6404e583562f3af00b2797c3ca8aabab5c94d775dbd319

C:\Users\Admin\Downloads\WinRGBDestructive.zip

MD5 2ccf48c0f0e4379e7fe1290008e9e27b
SHA1 4841ae2ef01eb9cf6046034ee605eb0082efcd48
SHA256 f14dc938825e26808ceb544d8dbdeea14a3e88ee299d9b07f60b851e4f4b188b
SHA512 ead74378f562cf24cd9b52917a0a6dac93659f7714f6b5477ded57e28fb9c93a67611fec4744b4c63cc95f634e3520724775ec263498fc8e0c5cb77719aa0671

C:\Users\Admin\Downloads\WinRGBDestructive.zip:Zone.Identifier

MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9108d29922cf4a3638b07e60e3078e6b
SHA1 699ce22268d72acdb9ba53923914a128ec6af5a4
SHA256 5c0ed90f1fa8b362b3174cb2b4c11dc6e718f1d3827c61afb3e12c5c077955f3
SHA512 6840f5357ccf308613300d9ef67ef25b491f4d7b72ef14f84c3f6bab0f81dc871b113694d34ecabfec71234a94352d6df837a8f37eee9b53c623db4203818afb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

MD5 abf599d57d81aa1a1fe327abe202f149
SHA1 9981a20c9d54d3fc66346095ea255e2be6042d4d
SHA256 f7e0927433e1d0c1e4a18856fdb614ca49f9ed93fbd57585fa5da4dfafd2830a
SHA512 4b9277288bd27d6bef04dc7abf42fd6bd6061c247653541cd3ce0da739964ae0abd59746083ee72abc7df5f51620ba994758755999aa275146a2a94fc5f408b6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4faec26c-efa7-4504-8cc8-4a58748bfc4d.tmp

MD5 33b0ba2b6cdefb137f7262a7192b6138
SHA1 1e081b586781b88c54547d55c0182c6fe1579ebc
SHA256 17c9575275b5b8d5f991a4a3c5a72bd9403b91fc91dad8c8a87df07bc1151bcc
SHA512 ec5dd4dde81fbf977c583ca9713fb238655949b6b9854542215f11842cfbbef1caa882a2627029f020ee63b7b50c0fa7d60a161012656c4665d2d3cc0248600e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 727da89eb8dec9a098852819dbcc9211
SHA1 1c526f30571d6864740967fd5bfb6e5de78dac56
SHA256 9ea5719517c8f4a76836b96a6066d3e30a0f8a429ff9646c48f1bf4a69244375
SHA512 dd31ff5342ba48a60ab50c729437b4179c9c14d65e118ddc11dfb7e52f66b0a34e67aa5b8cf639da6d588f731d946f6705eaa331831562d3abceadaba6914793

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 3459ddf3de65f7b498855939c5891027
SHA1 4edc506602d61b8babf7cac9338d1127966fa083
SHA256 7bb859c4e70876b5ffc38feee2e5e6241ee9eab79d2b4dab7993d8b1e8c24b2e
SHA512 1680428b220a459018bc4204c9260ac9fc1de6d0619294161427458b5163be942273ee91c2e217a2e0e9d8f60e76b88e2481d06c853569bb7710dbe84dbca0a4

memory/3660-698-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\24C0.tmp\24C1.vbs

MD5 dbe460e73bc825119c6326250ac8f223
SHA1 191f599142390b486868a952f6c3df8eedc60ab2
SHA256 39ec4ede07d340f3ce319a28da8ebf3cdee86ae95241a53fa99fe729746aaef0
SHA512 f363475209e743e38b32078a24f99e89c93e18e7100a4c28d49d9054e981cbcaaef6960d434464af6f37789f76065d18671609e3a1b369ced34a8b14da1b06a3

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\mbr.exe

MD5 d1174d4066bc2b4c09059e7839651eac
SHA1 a2b326436cb9a61ab1a9c1daa0aa6e6d424dc878
SHA256 5000f70ff57cf2662d4b49c1c4ad275ac3f3d241f620988978e552c6f1c2d4fb
SHA512 7ddef5b623aaa5de346cafb51a88b527d98190f7dea747b8809cfe7e7fd869dd2a202385169896c84d77db76df3d68ecfdb7d7cbdec556d071028306fe7375bd

memory/1932-751-0x0000000000400000-0x0000000000495000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\bytebeat1.exe

MD5 6b673ece600bcc8a665ebf251d7d926e
SHA1 64ef7c73a713bf3c55fb4ac4e5366a7a425f1b4e
SHA256 41ac58d922f32134e75e87898d2c179d478c81edaae0d9bc28e7ce7d6f422f8b
SHA512 feb18a1aa72de47fd67919e196abd200afdf22ad5a7e5dac20593252d8b2ca86982bb07c2fed3681ef06c9933c6d197590c1df65aa5df93cb6abafca5e53e9ff

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\rgb.exe

MD5 bfc9e8ab494313d6efb67fc8942f5ee9
SHA1 1b42cc97803221538e020cb90517cb808cf19381
SHA256 33cbdb6e00f3f42f58502af8a9150604a44bb9b26825c909aa0edb5c744a1f13
SHA512 2d01f92397b65eade1f6140f80e2cb626b3e53b112c7e77e84ea7f6092b07c05eacb9e5e9bcb4676c8bdd10fcfba4fe297f2a01eedffffa594af87839baae030

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\bytebeat1.wav

MD5 09d2094f56d2d38aa64eac1d90c5a554
SHA1 c6268759b1eee9fdfafa0d605d62bbbf85defbca
SHA256 4599f6f06c7f491a50e3c4012a83cce9f3ee13ae209189cb8964f0b6ba14614c
SHA512 4ca756a06612c281ec03dd9f064b9ddaf6756b00a5d54dee62728f5cdd7ad3d928559b9857ed2f733b8b3e842b396fed94b212ef2a384265ac623433d67010f3

memory/3660-757-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\sinewaves.exe

MD5 e9534d452e7b06b5591e0509553f8d86
SHA1 2be1075e3ffe29c95fb0fcbed4dcf9fc54788a58
SHA256 edce21b4ec9b68e4e8a5232c1432d5de0865f1fded27fc69965a2d3d568de909
SHA512 21c40c98f9351676f9a105a733472b4b9145a2a2fe13a82b681fec1c73d893bd2be472938e2b84b70836875ed18d0e615a003b4af0f99d5d463f2031500b57c3

memory/1988-760-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3700-761-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\Lines.exe

MD5 6381e3e4b02204e1353218ee6ec45c2a
SHA1 a350d4432d2a1a8c7a34d5ea7214326ffc02c270
SHA256 df3cc9a807a80697cd8b72f8f17a365849146cb4e41b4340e42f78d1bc1722e1
SHA512 ac7f21c539667a77236b78006740c634b7d4c0a55dcb776872bb339501112c62e1990bbb73b8f3c4e5b065167b8102fe35aa4633248b19dca602606b68b15015

memory/1652-765-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2268-770-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout.exe

MD5 4fa1fa5d513c7fa461af0b0fcdedc2a0
SHA1 f9d0b9bbb95d8584050056a2a55541389d506566
SHA256 57f402713148807269c35f71eaa37b3f9309f259dc03a14a304fa7598f8acd4f
SHA512 8434b1f647ba903cb0d411f54d8566430bf7c1822e67d165b9e6f18cb906101be1c9566d8cc09741c9a629c9f45f774317112e4d20f3ac3ea1ad513b05cc90d1

memory/4192-783-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\patblt.exe

MD5 02a349c19fa0cef84bc88abf65f8bc2c
SHA1 65a1215867c12109150c10f3f831e997e411e131
SHA256 ad088fa2c014bb718c005149138f284b183c494dec633ccb88c6c14ef1935199
SHA512 33a1517cd1ef56429dc387fcec7e1b6f90438c5608deefb408d310239520a8e5b6c977b13b419d5795f7ba68c7ef03e951ff61534fd53fe6d36912a6fa93d06e

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout2.exe

MD5 21d90b4350b6c69d01174240997806c3
SHA1 ca6cdfe5f7f0a15ca177eabf7596d64bc284215c
SHA256 ecadb0f872cf2c112620e0bfdb9f657dd5ac25188c762b2ed7261f9612163757
SHA512 1e8089c7c6f1660652b29ab5a5ccac7a51dfa5fa2e28144df5a196b232b4ac489d5eee7e873144365004b76995ce8315d29f7af5ffc90130b61c38a06f1966a7

memory/2116-796-0x0000000000400000-0x000000000041D000-memory.dmp

memory/428-795-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\invmelter.exe

MD5 0928425141c06ebb894e50a54c2aa1f0
SHA1 5f27cdf914df73946a0d2e35bfa38ade93a16bd2
SHA256 229f07414798adb8f850697cb0ad12a1911443c8b31c0484c1b96a16efee9a02
SHA512 bb734885ce1e6a8ec2bf32bc0bdaf89298a419b25d6ac73362b850742f5bc11f4e6bf3cf03cc6d1bd025487140a778859211f70cbd2798fed1ea8fa57c957371

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\cubes.exe

MD5 ed695dac2b14ccad335e75f5ddd44139
SHA1 35f4fae272c9b8dc84ffdae9b4dbfa4ed32936eb
SHA256 2d3e7cdbf244704934afa447552c049a891a9ccbd6d4ab42ca2504ad0a99e803
SHA512 a028c258cc65e208303f458279035d430f8447c6ca950d2de9c345aa7c2a13cff3a36fefdeb9305f8caaffc7da91fff91e05ef8e52b9d3672f7a71b49bbf47d5

memory/4024-808-0x0000000000400000-0x000000000041D000-memory.dmp

memory/444-814-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4968-813-0x0000000000400000-0x000000000041D000-memory.dmp

memory/488-819-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3004-830-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\24BF.tmp\bsod.exe

MD5 2c0970f41f80a89af6da46f72076a008
SHA1 0a5e3f7871a51bc6a37cbc910aabe9d25a823b32
SHA256 b1cb05d160f4469801cb993f76b2bbb7b077611973b4a914f50752b5852770d6
SHA512 d9123debc1c21351ef6403646acf3383ee2c9d8d71d173db6b62aeda1148f5a6af851e6ba8989812c601ebe6dd1e0541a9e2b653f536c371c274aaf3f828da32