Analysis Overview
Threat Level: Known bad
The file http://portalintranetgrupobbva.com was found to be: Known bad.
Malicious Activity Summary
Remcos
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-20 08:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-20 08:27
Reported
2024-07-20 08:28
Platform
win10v2004-20240704-en
Max time kernel
68s
Max time network
65s
Command Line
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5748 set thread context of 5904 | N/A | C:\Users\Admin\Downloads\crowdstrike-hotfix\Setup.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 5520 set thread context of 5712 | N/A | C:\Users\Admin\Downloads\crowdstrike-hotfix\Setup.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Downloads\crowdstrike-hotfix\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\crowdstrike-hotfix\Setup.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://portalintranetgrupobbva.com
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc279146f8,0x7ffc27914708,0x7ffc27914718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,11568315224488534989,4191994618549967431,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,11568315224488534989,4191994618549967431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,11568315224488534989,4191994618549967431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,11568315224488534989,4191994618549967431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,11568315224488534989,4191994618549967431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,11568315224488534989,4191994618549967431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,11568315224488534989,4191994618549967431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,11568315224488534989,4191994618549967431,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5044 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,11568315224488534989,4191994618549967431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,11568315224488534989,4191994618549967431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,11568315224488534989,4191994618549967431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,11568315224488534989,4191994618549967431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,11568315224488534989,4191994618549967431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,11568315224488534989,4191994618549967431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,11568315224488534989,4191994618549967431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,11568315224488534989,4191994618549967431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
C:\Users\Admin\Downloads\crowdstrike-hotfix\Setup.exe
"C:\Users\Admin\Downloads\crowdstrike-hotfix\Setup.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\Downloads\crowdstrike-hotfix\Setup.exe
"C:\Users\Admin\Downloads\crowdstrike-hotfix\Setup.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | portalintranetgrupobbva.com | udp |
| FR | 213.5.130.55:80 | portalintranetgrupobbva.com | tcp |
| FR | 213.5.130.55:80 | portalintranetgrupobbva.com | tcp |
| FR | 213.5.130.55:443 | portalintranetgrupobbva.com | tcp |
| US | 8.8.8.8:53 | www.dropbox.com | udp |
| GB | 162.125.64.18:443 | www.dropbox.com | tcp |
| GB | 162.125.64.18:443 | www.dropbox.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.130.5.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.64.125.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ucccf7b02226ef9ab707d297372b.dl.dropboxusercontent.com | udp |
| GB | 162.125.64.15:443 | ucccf7b02226ef9ab707d297372b.dl.dropboxusercontent.com | tcp |
| US | 8.8.8.8:53 | 15.64.125.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| N/A | 213.5.130.58:443 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f4e6521c03f1bc16d91d99c059cc5424 |
| SHA1 | 043665051c486192a6eefe6d0632cf34ae8e89ad |
| SHA256 | 7759c346539367b2f80e78abca170f09731caa169e3462f11eda84c3f1ca63d1 |
| SHA512 | 0bb4f628da6d715910161439685052409be54435e192cb4105191472bb14a33724592df24686d1655e9ba9572bd3dff8f46e211c0310e16bfe2ac949c49fbc5e |
\??\pipe\LOCAL\crashpad_4228_ODNYMOXJHIDCZDTC
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 210676dde5c0bd984dc057e2333e1075 |
| SHA1 | 2d2f8c14ee48a2580f852db7ac605f81b5b1399a |
| SHA256 | 2a89d71b4ddd34734b16d91ebd8ea68b760f321baccdd4963f91b8d3507a3fb5 |
| SHA512 | aeb81804cac5b17a5d1e55327f62df7645e9bbbfa8cad1401e7382628341a939b7aedc749b2412c06174a9e3fcdd5248d6df9b5d3f56c53232d17e59277ab017 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e76d3cb5e84e95c503973fb8cd3819de |
| SHA1 | 6e7488beb303c26982f5484f22546ac07d724f64 |
| SHA256 | 704e9e05924b67aa8bfc22738878f57e3aee34517b07bb910da188737de4f855 |
| SHA512 | d6cd674e0daf8c85e9ac925aef3cc21973fc79ad0b5fbd9b552d071ee407acc29422ef16ccf7a7cbc0e73fff19b1d8cbd3798d188f664420a49b5e4db9dda075 |
C:\Users\Admin\Downloads\crowdstrike-hotfix.zip
| MD5 | 1e84736efce206dc973acbc16540d3e5 |
| SHA1 | fef212ec979f2fe2f48641160aadeb86b83f7b35 |
| SHA256 | c44506fe6e1ede5a104008755abf5b6ace51f1a84ad656a2dccc7f2c39c0eca2 |
| SHA512 | fa549420066ff538b5d6d17ca5be0bd1edabca3699a659fd43522f2ba4836fce3bf4dc4bcbdfa22c45baddc603ed2294901310f991bf7b3e4338002a9c27b874 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 230c75a10e5469001d269bd3ae6b1fe3 |
| SHA1 | 862f73286538a1a68ed395f14e878974531aa80f |
| SHA256 | 93192ae520ec8b8df1b65a40eff31987d4cb8a02bb71506f4774f3d0b26cb79c |
| SHA512 | 94b5e247706ed9b845706c69450ccf166949405db8b7175dc3b14ef8f855492ea9520f23c67c15d2db6fef6d3911d9e390798ffb04b1fad9cbca21c5535ae884 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 797591a778b0678a56cf7e4a94d89aa7 |
| SHA1 | 108eab6760a361ba4f91d3ffebde4a5e095635e3 |
| SHA256 | 26fd641a1b0e750e4490138062c8060411eae0386672dc948015c063cecd7b57 |
| SHA512 | 693db56742ad3956dd0ec380462ae09619a294c5111fcd2027a9c5f57454014131e020652918f8b1cc7a7934310ccf95c796e7972ca33fc6ce8c12a88648a419 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 19836b9c76faaca8cc9ccfb477c5d8b2 |
| SHA1 | 3eb39a1f0b4e14c6e06586e6baa6d94f0d270193 |
| SHA256 | 119c801f6569bd3017d1f2988c26ebfd8222cf5d2005a5971147fd9b8746e317 |
| SHA512 | ac2693f91dd28f70f759301f7245dc95e1bc62378464bf5340eb97969289a23aad3b894fc6bf6b9d5ac0b6b807f538fbc05ab2310b6cbe27d0609df9ddfa43e3 |
memory/5748-76-0x0000000073DE0000-0x0000000073F5B000-memory.dmp
memory/5748-77-0x00007FFC36D30000-0x00007FFC36F25000-memory.dmp
memory/5748-97-0x0000000073DE0000-0x0000000073F5B000-memory.dmp
memory/5748-106-0x0000000050310000-0x0000000050349000-memory.dmp
memory/5748-105-0x0000000061E00000-0x0000000061ECA000-memory.dmp
memory/5748-104-0x0000000050120000-0x000000005030D000-memory.dmp
memory/5748-103-0x0000000050000000-0x0000000050116000-memory.dmp
memory/5748-102-0x0000000057800000-0x0000000057812000-memory.dmp
memory/5748-101-0x0000000057000000-0x000000005703F000-memory.dmp
memory/5748-100-0x0000000059800000-0x000000005986E000-memory.dmp
memory/5748-99-0x0000000000400000-0x000000000064B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\852a97c8
| MD5 | 6fcc54c357ab15d16467cf0eda6144ce |
| SHA1 | 0c68406f000148441b875566ec908fbec0750db8 |
| SHA256 | aaff71d383d1c1c2bc211b77f24ccb504479c4da3df53dc4339094384af81236 |
| SHA512 | cf4095e753c67be2581f9ce4981c321b0d4e3514c54663e4327f9623eb9012884562f71984688934feb88e854f42b74a6b43f2acdb15187f4d1228b460870a88 |
memory/5904-108-0x00007FFC36D30000-0x00007FFC36F25000-memory.dmp
memory/5904-115-0x0000000073DE0000-0x0000000073F5B000-memory.dmp
memory/5520-125-0x0000000073DE0000-0x0000000073F5B000-memory.dmp
memory/5520-126-0x00007FFC36D30000-0x00007FFC36F25000-memory.dmp
C:\Users\Admin\AppData\Local\controlfm\maidenhair.cfg
| MD5 | 451049d3ac526f1abdd704c3b1fed580 |
| SHA1 | f0fa21249e2414831b59a038334fd659c94361f6 |
| SHA256 | 931308cfe733376e19d6cd2401e27f8b2945cec0b9c696aebe7029ea76d45bf6 |
| SHA512 | 0c1c8b81116bc4b9a3ec640ff37c668b7efe729aa2e4a58d14fc78fa679b51f15baf6fa7d473e30d44abb4bbbe83f1ccc9d5f519dc6a254fbbcca53244596421 |
C:\Users\Admin\AppData\Local\controlfm\vclx120.bpl
| MD5 | 7daa2b7fe529b45101a399b5ebf0a416 |
| SHA1 | fd73f3561d0cebe341a6c380681fb08841fa5ce6 |
| SHA256 | 2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed |
| SHA512 | 8e9ec71943c412fe95563e488d91e6ef0041c16a08654ff14b11953f134007657d1e6ec95952f6b9c8b8567a35368840618db06e5cd99abc43ae495a3fbc6b96 |
C:\Users\Admin\AppData\Local\controlfm\vcl120.bpl
| MD5 | 849070ebd34cbaedc525599d6c3f8914 |
| SHA1 | b0543d13f4d0cb787abdaaf1d3c9a5af17c87afa |
| SHA256 | b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628 |
| SHA512 | f2ca685b01be9d1b77d8d924e0097ddacee7628cc1aad8a87d8b18a699558d38a7851e6cff8bb2b8ae1980824588af5c3ac75b7b4198b620144dff61611f3aeb |
C:\Users\Admin\AppData\Local\controlfm\sqlite3.dll
| MD5 | 9d255e04106ba7dcbd0bcb549e9a5a4e |
| SHA1 | a9becb85b181c37ee5a940e149754c1912a901f1 |
| SHA256 | 02f37a8e3d1790ac90c04bc50de73cd1a93e27caf833a1e1211b9cc6294ecee5 |
| SHA512 | 54c54787a4ca8643271169be403069bc5f1e319a55d6a0ebd84fb0d96f6e9bddc52b0908541d29db04a042b531abd6c05073e27b0b2753196e0055b8b8200b09 |
C:\Users\Admin\AppData\Local\controlfm\rtl120.bpl
| MD5 | 630991830afe0b969bd0995e697ab16e |
| SHA1 | feda243d83fba15b23d654513dc1f0d70787ba18 |
| SHA256 | b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3 |
| SHA512 | 2f2bf30be615f44e56ecca972a9fcbe27187045e13c468d039645e5cc6d01f990cde32b322965f245bc8fccfd0920f09a0afa1d4de0748ed01dd9ffc1bd24692 |
C:\Users\Admin\AppData\Local\controlfm\madexcept_.bpl
| MD5 | 21068dfd733435c866312d35b9432733 |
| SHA1 | 3d5336c676d3dd94500d0d2fe853b9de457f10fd |
| SHA256 | 835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299 |
| SHA512 | 54664a9e60e5a0b148fc4684125b7eac9cfc57d0bc5838204ed587d62e44c3347c0bae3192d5c375b6a74335b4fed4fc53248ba542c59022e9761872e09e3ee7 |
C:\Users\Admin\AppData\Local\controlfm\maddisAsm_.bpl
| MD5 | 84bc072f8ea30746f0982afbda3c638f |
| SHA1 | f39343933ff3fc7934814d6d3b7b098bc92540a0 |
| SHA256 | 52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006 |
| SHA512 | 6e7648194738e8e49e48c2450eef1d482473cd4e5c0e83f292ac9174488f3f22a3b6ba96f07e024c2ab96613d9db1a97084ca0b3973ed5d88502e0d28e120ef5 |
C:\Users\Admin\AppData\Local\controlfm\madbasic_.bpl
| MD5 | da03ebd2a8448f53d1bd9e16fc903168 |
| SHA1 | 889b4f487d8bba6af6ff6eb7f5afd74957586c49 |
| SHA256 | d6d5ff8e9dc6d2b195a6715280c2f1ba471048a7ce68d256040672b801fda0ea |
| SHA512 | 0ddabef35bb786e29db15c1b85ac0dca740c0e8df133f67da0ea0ac3bcb3b0ee3f055bb348a4f6f32638f03ec1ad0fb1737d6c2928cb6e6e39e91567e27fade2 |
C:\Users\Admin\AppData\Local\controlfm\battuta.flv
| MD5 | 8274785d42b79444767fb0261746fe91 |
| SHA1 | 8c26e85bddfe4f24c229468b5faa0b2ad3a05549 |
| SHA256 | be074196291ccf74b3c4c8bd292f92da99ec37a25dc8af651bd0ba3f0d020349 |
| SHA512 | df14f6bdb4736d620eee7294d4d4fac5caeb5a382cfd63e0f0afd6779282fa2f498354d221bc7aa1d2c657a0953088bffb253be8c128d2cd9fd5957613eed9bb |
C:\Users\Admin\AppData\Local\controlfm\datastate.dll
| MD5 | 28f0ccf746f952f94ff434ca989b7814 |
| SHA1 | 506e85d2de6377492d90b98aa20663b0ff3ce32a |
| SHA256 | 6010e2147a0f51a7bfa2f942a5a9eaad9a294f463f717963b486ed3f53d305c2 |
| SHA512 | b74ebb9a12079caf7bc074bb977ee94dc6ffcae845c1120026f384953fe2499d4bb0cdb7b6dcb2ff7f37e8135db06048815cc13d1837235eb11fe86e3c4572ee |
memory/5520-148-0x0000000073DE0000-0x0000000073F5B000-memory.dmp
memory/5520-151-0x0000000050000000-0x0000000050116000-memory.dmp
memory/5520-156-0x0000000050310000-0x0000000050349000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2d5e3627
| MD5 | 84338ed41f360b3ec5e503c864f95b75 |
| SHA1 | a0bc351698adbf223d3bd4435b28014549bfa3cc |
| SHA256 | 80908d87b0051fba8ef9c4749f6d7b238544abc75d659bc6d9b0c689d7c212fd |
| SHA512 | cedbe0d12b14f3fc38797df61547a319da650b96e188d39037337e14fa9d4afca31dc635523afe9e5219a36b1b48e2838302f3388ffbceaff6b54673aaf25015 |
memory/5520-155-0x0000000061E00000-0x0000000061ECA000-memory.dmp
memory/5520-154-0x0000000050120000-0x000000005030D000-memory.dmp
memory/5520-153-0x0000000057000000-0x000000005703F000-memory.dmp
memory/5520-152-0x0000000059800000-0x000000005986E000-memory.dmp
memory/5520-150-0x0000000000400000-0x000000000064B000-memory.dmp
memory/5476-159-0x00007FFC36D30000-0x00007FFC36F25000-memory.dmp
memory/5476-169-0x0000000000350000-0x00000000003D3000-memory.dmp
memory/5712-170-0x00007FFC36D30000-0x00007FFC36F25000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 624eb68003e938367d2c9fd7ce3fe0ca |
| SHA1 | fa33db866bd43fa5f1ad493c004d8ff4868c6a7b |
| SHA256 | 4677aba428feea57f33818cad53014fd9bbf4344eee2f4d6c45a7135e23c9a58 |
| SHA512 | 9c53e91940de7d4b21c9238949df63867256104514a4d0f616d3e7e46709aa6221d78baac7729448c80821470334774793bb502994371a55f0608654bbc48359 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 11b5e355476fc8b346eb1147cda3383d |
| SHA1 | bd8c7c3815a6bbcfb0ba099b080beb86c122ca0d |
| SHA256 | e5d0ad9f9e20f4adc70dc320cd4337d9a702aa0706e51254217bf1f5622f29ca |
| SHA512 | e9ca98e464d65fc66c09da6e7d5401c349e4c89f27dfed24672bf378a72a65f66c1059623b9ba0badb68b8dea38297f43d8fd2fdb8630f7c3f27fe08a329df6d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5d312d699b91f4e246c90e5a8f892113 |
| SHA1 | bf186e184925046644add4c1f82882af71dcec4b |
| SHA256 | 79c44b4955d07719ede089f5b33b19d88e231d9221314403a9e9229ee42ac46e |
| SHA512 | dc8b7f908380a8e6188af8d537bf4021d84eccb9c14b69b1544ace5e57067e2df5eb54d0568e2c33c77aaee5824d5fc8949cef4195ead8b32e87efd04dec0771 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 3829440d88fc7fc12980e252aa41834c |
| SHA1 | ea18eadecd902de7ec22ee26af80a94170b52301 |
| SHA256 | 7a13f67524a3839e2168673384926b7d5b0c4871e70e7d6207b9cb36dfa30555 |
| SHA512 | 1852c5a2ee4824f16d36bfcffd1ac83d71eb6e0d2dd79ef0078d4aba566435e14ad9eb7d4c04a1473a9228709fb889280258aa4020eb3517444cf421fae86f72 |