Analysis Overview
Threat Level: Likely malicious
The file http://Google.com was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Themida packer
Suspicious use of NtSetInformationThreadHideFromDebugger
Browser Information Discovery
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
NTFS ADS
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-08-18 00:11
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-08-18 00:11
Reported: 2024-08-18 00:41
Platform: win11-20240802-en
Max time kernel: 1792s
Max time network: 1685s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Downloads\Krucus\Krucus\Krucus.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Downloads\Krucus\Krucus\Krucus.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Downloads\Krucus\Krucus\Krucus.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Downloads\Krucus\Krucus\Krucus.exe | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\Krucus\Krucus\Krucus.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\TV_FolderType = "{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = df021f006502d5dfa3235702040000000000530200003153505305d5cdd59c2e1b10939708002b2cf9ae9301000012000000004100750074006f004c006900730074000000420000001e000000700072006f0070003400320039003400390036003700320039003500000000004c010000aea54e38e1ad8a4e8a9b7bea78fff1e9060000800000000001000000020000800100000001000000020000002000000000000000500014001f50e04fd020ea3a6910a2d808002b30309d3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000f3c2f877f0e4da01d3375894f3e4da014f9a5a94f3e4da0114000000000000000000000000000000000000000000000001000000010000800100000004006900740065006d00000000000000000000000000000000000000000000000000000000000000000000000000000000001e1ade7f318ba54993b86be14cfa4943ffffffffffffffffffffffff00000000010000001900530065006100720063006800200052006500730075006c0074007300200069006e0020004400650073006b0074006f007000000000000000000000000000000000000000000000000000000000003900000024000000004100750074006f006c0069007300740043006100630068006500540069006d006500000014000000c8dc68ec100000006b00000022000000004100750074006f006c00690073007400430061006300680065004b006500790000001f0000001b000000530065006100720063006800200052006500730075006c0074007300200069006e0020004400650073006b0074006f00700030000000000000000000000000000000741a595e96dfd3488d671733bcee28ba671b730433d90a4590e64acd2e9408fe2a0000001300efbe00000020000000000000000000000000000000000000000000000000010000008b022a0000001900efbe1e1ade7f318ba54993b86be14cfa49436f73bebdf5342948abe8b550e65146c48b020000 | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\GroupByKey:PID = "0" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202 | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000f3c2f877f0e4da01d3375894f3e4da014f9a5a94f3e4da0114000000 | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8 | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\IconSize = "32" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{7FDE1A1E-8B31-49A5-93B8-6BE14CFA4943}\FFlags = "1" | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\Downloads\Krucus.zip:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\dnSpy-net-win64.zip:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Krucus\Krucus\Krucus.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://Google.com
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe57513cb8,0x7ffe57513cc8,0x7ffe57513cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1792 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3320 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3480 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3444 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\Krucus\Krucus\Krucus.exe
"C:\Users\Admin\Downloads\Krucus\Krucus\Krucus.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,670615062063976516,14613128732341290811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 /prefetch:8
C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe
"C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe"
Network
Files