Malware Analysis Report

2024-10-19 07:15

Sample ID 240905-tn9rvavamj
Target https://www.file.io/IQBF/download/WQa3cKBb2WQD
Tags
chaos defense_evasion discovery evasion execution impact ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://www.file.io/IQBF/download/WQa3cKBb2WQD was found to be: Known bad.

Malicious Activity Summary

chaos defense_evasion discovery evasion execution impact ransomware spyware stealer

Chaos

Chaos Ransomware

Modifies boot configuration data using bcdedit

Deletes shadow copies

Deletes backup catalog

Drops startup file

Reads user/profile data of web browsers

Executes dropped EXE

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Enumerates physical storage devices

Browser Information Discovery

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

NTFS ADS

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Enumerates system info in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-05 16:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-05 16:13

Reported

2024-09-05 16:16

Platform

win11-20240802-en

Max time kernel

125s

Max time network

122s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.file.io/IQBF/download/WQa3cKBb2WQD

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1735401866-3802634615-1355934272-1000\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\44t8ntrvq.jpg" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\svchost.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\VapeV4crack.zip:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe N/A
N/A N/A C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe N/A
N/A N/A C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe N/A
N/A N/A C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe N/A
N/A N/A C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe N/A
N/A N/A C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe N/A
N/A N/A C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe N/A
N/A N/A C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe N/A
N/A N/A C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe N/A
N/A N/A C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe N/A
N/A N/A C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe N/A
N/A N/A C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe N/A
N/A N/A C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe N/A
N/A N/A C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe N/A
N/A N/A C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe N/A
N/A N/A C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe N/A
N/A N/A C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe N/A
N/A N/A C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe N/A
N/A N/A C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4324 wrote to memory of 5724 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 5724 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 3756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 2140 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 2848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 2848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 2848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 2848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 2848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 2848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 2848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 2848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 2848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 2848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 2848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 2848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 2848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 2848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 2848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 2848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 2848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 2848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 2848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4324 wrote to memory of 2848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.file.io/IQBF/download/WQa3cKBb2WQD

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7fff26e83cb8,0x7fff26e83cc8,0x7fff26e83cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6532 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7424 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7704 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7976 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8128 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8120 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8648 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9264 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,5715670675626727773,13356550723685287626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8796 /prefetch:1

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap9919:80:7zEvent25067

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe

"C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.file.io udp
AT 3.161.119.19:443 www.file.io tcp
US 8.8.8.8:53 19.119.161.3.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 8.39.65.18.in-addr.arpa udp
GB 143.244.38.136:443 hb.vntsm.com tcp
GB 143.244.38.136:443 hb.vntsm.com tcp
US 172.67.36.131:443 hb.vntsm.io tcp
US 151.101.129.194:443 hb-vntsm-com.global.ssl.fastly.net tcp
US 45.55.107.24:443 file.io tcp
US 216.239.34.36:443 region1.analytics.google.com tcp
GB 173.194.76.156:443 stats.g.doubleclick.net tcp
FR 142.250.179.99:443 www.google.co.uk tcp
FR 142.250.179.99:443 www.google.co.uk tcp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 172.67.69.19:443 ad-delivery.net tcp
FR 172.217.20.162:443 securepubads.g.doubleclick.net tcp
AT 13.32.110.112:443 cdn.exelator.com tcp
AT 18.66.22.14:443 c.amazon-adsystem.com tcp
FR 172.217.20.162:443 securepubads.g.doubleclick.net udp
IE 34.254.143.3:443 mydmp.exelator.com tcp
US 8.8.8.8:53 112.110.32.13.in-addr.arpa udp
US 8.8.8.8:53 14.22.66.18.in-addr.arpa udp
US 8.8.8.8:53 config.aps.amazon-adsystem.com udp
AT 18.66.27.50:443 config.aps.amazon-adsystem.com tcp
GB 23.49.161.153:443 secure.cdn.fastclick.net tcp
GB 23.49.161.153:443 secure.cdn.fastclick.net tcp
US 104.22.52.173:443 cdn.hadronid.net tcp
US 104.22.53.86:443 cdn.id5-sync.com tcp
US 172.67.23.234:443 a.ad.gt tcp
US 8.8.8.8:53 173.52.22.104.in-addr.arpa udp
US 8.8.8.8:53 86.53.22.104.in-addr.arpa udp
US 8.8.8.8:53 234.23.67.172.in-addr.arpa udp
US 172.67.23.234:443 a.ad.gt tcp
NL 63.215.202.146:443 proc.ad.cpe.dotomi.com tcp
US 45.55.107.24:443 file.io tcp
US 45.55.107.24:443 file.io tcp
US 34.192.153.12:443 onsite-tag-logs.apps.nielsen.com tcp
FR 172.217.20.174:443 fundingchoicesmessages.google.com tcp
DE 141.95.98.65:443 lb.eu-1-id5-sync.com tcp
DE 162.19.138.119:443 lb.eu-1-id5-sync.com tcp
FR 172.217.20.174:443 fundingchoicesmessages.google.com udp
GB 89.187.167.39:443 load77.exelator.com tcp
FR 142.250.179.65:443 lh3.googleusercontent.com tcp
N/A 224.0.0.251:5353 udp
US 104.18.22.145:443 cadmus.script.ac tcp
NL 178.250.1.3:443 static.criteo.net tcp
US 34.102.146.192:443 oa.openxcdn.net tcp
AT 3.165.206.123:443 tags.crwdcntrl.net tcp
US 34.96.70.87:443 invstatic101.creativecdn.com tcp
GB 2.18.190.81:80 apps.identrust.com tcp
US 104.18.35.167:443 cdn-ima.33across.com tcp
US 34.95.69.49:443 i.clean.gg tcp
IE 54.229.219.223:443 bcp.crwdcntrl.net tcp
NL 18.239.88.34:443 aax.amazon-adsystem.com tcp
US 34.120.111.33:443 api.edkt.io tcp
US 34.95.69.49:443 i.clean.gg udp
US 8.8.8.8:53 prg.smartadserver.com udp
US 8.8.8.8:53 apex.go.sonobi.com udp
US 8.8.8.8:53 track.venatusmedia.com udp
US 8.8.8.8:53 hbopenbid.pubmatic.com udp
DE 18.156.199.224:443 btlr.sharethrough.com tcp
DE 18.156.199.224:443 btlr.sharethrough.com tcp
DE 18.156.199.224:443 btlr.sharethrough.com tcp
DE 18.156.199.224:443 btlr.sharethrough.com tcp
FR 185.255.84.151:443 hb-api.omnitagjs.com tcp
NL 185.89.210.180:443 ib.adnxs.com tcp
DE 18.157.230.4:443 tlx.3lift.com tcp
US 172.64.153.66:443 elb.the-ozone-project.com tcp
FR 163.5.194.36:443 prebid.a-mo.net tcp
US 104.26.9.169:443 script.4dex.io tcp
US 69.166.1.8:443 apex.go.sonobi.com tcp
NL 89.149.192.241:443 prg.smartadserver.com tcp
NL 89.149.192.241:443 prg.smartadserver.com tcp
GB 185.64.190.77:443 hbopenbid.pubmatic.com tcp
IE 52.208.192.13:443 track.venatusmedia.com tcp
US 104.26.9.169:443 script.4dex.io tcp
US 34.120.111.33:443 api.edkt.io tcp
IE 52.95.115.255:443 aax-eu.amazon-adsystem.com tcp
US 8.8.8.8:53 66.153.64.172.in-addr.arpa udp
US 8.8.8.8:53 224.199.156.18.in-addr.arpa udp
US 8.8.8.8:53 36.194.5.163.in-addr.arpa udp
US 8.8.8.8:53 180.210.89.185.in-addr.arpa udp
US 8.8.8.8:53 4.230.157.18.in-addr.arpa udp
US 8.8.8.8:53 169.9.26.104.in-addr.arpa udp
US 8.8.8.8:53 77.190.64.185.in-addr.arpa udp
US 8.8.8.8:53 13.192.208.52.in-addr.arpa udp
US 8.8.8.8:53 241.192.149.89.in-addr.arpa udp
US 8.8.8.8:53 151.84.255.185.in-addr.arpa udp
US 8.8.8.8:53 8.1.166.69.in-addr.arpa udp
US 34.120.111.33:443 cdn.edkt.io udp
FR 172.217.20.193:443 0929e81483fb94c64ba7cc589781c4bb.safeframe.googlesyndication.com tcp
GB 2.22.132.37:443 play.aniview.com tcp
US 216.239.32.3:443 csi.gstatic.com tcp
FR 142.250.179.65:443 tpc.googlesyndication.com udp
US 34.120.111.33:443 cdn.edkt.io udp
FR 172.217.20.196:443 www.google.com tcp
GB 2.17.43.115:443 feed.avplayer.com tcp
US 172.240.45.75:443 track4.aniview.com tcp
GB 2.16.170.59:443 player.avplayer.com tcp
FR 185.93.2.246:443 cdn1.vntsm.com tcp
FR 142.250.201.162:443 googleads.g.doubleclick.net tcp
GB 2.16.170.59:443 player.avplayer.com tcp
GB 2.16.170.112:443 player.avplayer.com tcp
GB 2.22.132.37:443 play.aniview.com tcp
US 172.240.45.81:443 go1.aniview.com tcp
NL 178.250.1.11:443 gum.criteo.com tcp
US 151.101.129.108:443 acdn.adnxs.com tcp
US 13.248.245.213:443 eb2.3lift.com tcp
GB 2.16.232.228:443 ads.pubmatic.com tcp
FR 185.255.84.153:443 visitor.omnitagjs.com tcp
DE 141.95.98.65:443 lb.eu-1-id5-sync.com tcp
US 34.120.133.55:443 api.rlcdn.com tcp
US 34.36.216.150:443 pixel-sync.sitescout.com tcp
US 44.215.29.250:443 i.liadm.com tcp
US 74.121.140.211:443 sync.mathtag.com tcp
NL 185.184.8.90:443 creativecdn.com tcp
NL 185.184.8.90:443 creativecdn.com tcp
NL 193.0.160.131:443 p.rfihub.com tcp
US 3.33.220.150:443 match.adsrvr.org tcp
US 3.33.220.150:443 match.adsrvr.org tcp
US 54.165.173.247:443 sync.srv.stackadapt.com tcp
US 192.132.33.68:443 bttrack.com tcp
US 54.165.173.247:443 sync.srv.stackadapt.com tcp
US 74.121.140.211:443 sync.mathtag.com tcp
US 192.132.33.68:443 bttrack.com tcp
US 44.215.29.250:443 i.liadm.com tcp
NL 89.149.192.244:443 ssbsync.smartadserver.com tcp
NL 154.57.158.116:443 ads.stickyadstv.com tcp
GB 2.22.101.110:443 secure-assets.rubiconproject.com tcp
FR 178.250.7.13:443 dnacdn.net tcp
NL 35.214.136.108:443 x.bidswitch.net tcp
IE 54.194.135.14:443 ap.lijit.com tcp
FR 178.250.7.13:443 dnacdn.net tcp
NL 35.214.136.108:443 x.bidswitch.net tcp
NL 154.57.158.116:443 ads.stickyadstv.com tcp
US 34.36.216.150:443 pixel-sync.sitescout.com udp
US 8.8.8.8:53 150.216.36.34.in-addr.arpa udp
US 8.8.8.8:53 150.220.33.3.in-addr.arpa udp
US 8.8.8.8:53 90.8.184.185.in-addr.arpa udp
US 8.8.8.8:53 131.160.0.193.in-addr.arpa udp
US 8.8.8.8:53 250.29.215.44.in-addr.arpa udp
US 8.8.8.8:53 211.140.121.74.in-addr.arpa udp
US 8.8.8.8:53 68.33.132.192.in-addr.arpa udp
US 8.8.8.8:53 247.173.165.54.in-addr.arpa udp
US 3.95.104.232:443 ssp.disqus.com tcp
DE 3.75.62.37:443 ups.analytics.yahoo.com tcp
DE 3.75.62.37:443 ups.analytics.yahoo.com tcp
US 3.95.104.232:443 ssp.disqus.com tcp
NL 154.57.158.116:443 ads.stickyadstv.com tcp
NL 46.228.174.117:443 sync.1rx.io tcp
NL 46.228.174.117:443 sync.1rx.io tcp
GB 2.16.170.112:443 player.avplayer.com udp
NL 35.214.136.108:443 x.bidswitch.net tcp
US 35.244.159.8:443 u.openx.net tcp
US 8.2.110.134:443 cs.krushmedia.com tcp
DE 51.89.9.252:443 onetag-sys.com tcp
NL 35.214.136.108:443 x.bidswitch.net tcp
US 172.240.45.70:443 s2s.aniview.com tcp
NL 208.93.169.131:443 bh.contextweb.com tcp
AT 3.165.206.69:443 s.ad.smaato.net tcp
US 69.166.1.35:443 sync.go.sonobi.com tcp
US 69.166.1.35:443 sync.go.sonobi.com tcp
US 69.166.1.35:443 sync.go.sonobi.com tcp
NL 35.214.136.108:443 x.bidswitch.net udp
DE 18.193.17.175:443 optimized-by.rubiconproject.com tcp
US 35.244.159.8:443 u.openx.net udp
GB 2.16.233.56:443 eus.rubiconproject.com tcp
US 172.240.45.78:443 sync.aniview.com tcp
US 172.240.45.78:443 sync.aniview.com tcp
US 172.240.45.78:443 sync.aniview.com tcp
US 172.240.45.78:443 sync.aniview.com tcp
FR 142.250.75.226:443 cm.g.doubleclick.net tcp
US 8.8.8.8:53 134.110.2.8.in-addr.arpa udp
US 8.8.8.8:53 116.158.57.154.in-addr.arpa udp
US 8.8.8.8:53 69.206.165.3.in-addr.arpa udp
US 8.8.8.8:53 70.45.240.172.in-addr.arpa udp
US 8.8.8.8:53 108.136.214.35.in-addr.arpa udp
US 8.8.8.8:53 175.17.193.18.in-addr.arpa udp
US 8.8.8.8:53 35.1.166.69.in-addr.arpa udp
US 8.8.8.8:53 56.233.16.2.in-addr.arpa udp
IE 54.77.69.227:443 ce.lijit.com tcp
FR 142.250.75.226:443 cm.g.doubleclick.net udp
NL 46.228.174.115:443 targeting.unrulymedia.com tcp
NL 69.173.156.150:443 prebid-server.rubiconproject.com tcp
NL 69.173.156.149:443 token.rubiconproject.com tcp
FR 142.250.178.138:443 imasdk.googleapis.com tcp
US 172.240.45.76:443 track1.avplayer.com tcp
IE 52.209.3.101:443 match.prod.bidr.io tcp
US 172.64.151.101:443 ssum-sec.casalemedia.com tcp
DE 18.184.119.72:443 match.sharethrough.com tcp
FR 142.250.178.138:443 imasdk.googleapis.com udp
FR 142.250.179.70:443 s0.2mdn.net tcp
NL 89.149.193.104:443 rtb-csync.smartadserver.com tcp
US 35.190.80.1:443 a.nel.cloudflare.com tcp
US 216.239.34.36:443 region1.analytics.google.com udp
US 216.239.32.3:443 csi.gstatic.com udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6fdbe80e9fe20761b59e8f32398f4b14
SHA1 049b1f0c6fc4e93a4ba6b3c992f1d6cecf3ada1f
SHA256 b7f0d9ece2307bdc4f05a2d814c947451b007067ff8af977f77f06c3d5706942
SHA512 cf25c7fd0d6eccc46e7b58949c16d17ebeefb7edd6c76aa62f7ab5da52d1c6fc88bde620be40396d336789bd0d62b2162209a947d7ab69389e8c03682e880234

\??\pipe\LOCAL\crashpad_4324_CGRUYSUWDJUSUKJZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9828ffacf3deee7f4c1300366ec22fab
SHA1 9aff54b57502b0fc2be1b0b4b3380256fb785602
SHA256 a3d21f0fb6563a5c9d0f7a6e9c125ec3faaa86ff43f37cb85a8778abc87950f7
SHA512 2e73ea4d2fcd7c8d52487816110f5f4a808ed636ae87dd119702d1cd1ae315cbb25c8094a9dddf18f07472b4deaed3e7e26c9b499334b26bdb70d4fa7f84168d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 05c56852791dc619473e7b1223995cd8
SHA1 848c1a69de1cbc6ba7702625794c175bc8f47064
SHA256 c8c66238e233e707466ba6cb3c8e237e0ecec623135715f1d9f36086426f1e69
SHA512 80b35a521e1c168f50e219d8666c53374baa81e75e003cfe6c82062818dc078409fb264139bff5566d1d1c9bb61bbd5c0ea796be554139d59a2c7e19da798d21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\Downloads\VapeV4crack.zip

MD5 3980ea9131415bf098be9ac67e04b110
SHA1 7e3e100ba5de186ac039b656c7ec4116b932c9c4
SHA256 10c188ac3d048ef8468e59eee61d8fb80c7aab4bc51d82a102ccc0a9d9ff99c1
SHA512 c09e7c3fa21e4b763dbaec68beada17d80b89d047c6b28f5b2ccca0477a0c791a2a7ce8dd8df16f3bdc57119a309442596bcf2cf9c315f080521716609c86362

C:\Users\Admin\Downloads\VapeV4crack.zip:Zone.Identifier

MD5 f8351c347f998806e5f80fe8be355d97
SHA1 ecbd122292126fd13b8bffc93d3f90736a1080b3
SHA256 c5d08d415ecc34475541b6689f6ba91d0733d7e83e614cff0d068181791bd5a6
SHA512 366983210dcd96fdbad94dc37842191e67eb3192101ad6b21ea2ea2634725e7651eba572e06c8d56e6a190e4af2751255998b98846a8d57d4e15962dd52cd803

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9e40ee9db733590cd12d0cb675bf5d1b
SHA1 b88d276e82d59295797c82e76aa8d95c077ecded
SHA256 90321cb39170863ee4e6cae7f4da5d5112b6307852796419148de18e2d14e39a
SHA512 005782074c39246f0c1a6fe7673dd16e4af9412b2729ca3b58f6b2788800e596fccd5d93477527098fca2731e5d50a37522c9ac32e927dbe5fc9bf19b16424ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e39e7b25e87b3d144100d57a014c8ef3
SHA1 89775ebe323f68873d34d9af2c0b1e16dac29b88
SHA256 5b7922c9574e8b76607960780924c5b3bc4786b0bdb3aac96724bb66618610ea
SHA512 9f9b51e7166c08d79512074f8cb4b34c84c1276e294a38f31cca2e60530ae452a293c2936f41db9f75a54976fa6e66906b081abc82321066fd381c1ea1619ff0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

MD5 c613e416c48ba7a462ad168871c7fa0c
SHA1 d32fb63a594fcf7d62ca555a33ed0f6df1326514
SHA256 1a5d17e389a95b21f18d78e07b4d9cacf64c0bb39ecd3bf4166095a9e4c2fc86
SHA512 f253b7ed83b67eb54e16a5ac8d01a887b997bc144e8b2ded24b613e3e05f3ffdad38168610e2b32391755abd12c2bb1aaa273728606343f3a100ae44ad72fb53

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bf0770b4dbace5680e9633d8b83e27d3
SHA1 86ada03149954dbc0d02eb1dba432c7dead9cf64
SHA256 f996b99bdee0f51d3393cad35dc1371bf8ccdd8c7630abcf48ab900cf1dc5121
SHA512 f16e10b85fd9ed3e181c37e27ccea6bae65dd863ba8ce2a9acd0d316a03f1fdce48255aeb2aad210b80b1fbcf0c4f0cf594150b373fce7b09f22eaf10e49ac18

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 7b2f68e712620b9b1d727415d9c21d78
SHA1 c73c690763da61e0c0a5bfb03cd8d1ebc9be0aea
SHA256 d29735eb494d45ae454972265a928fcdd6d4eae7be9ec1b1fd686fa9c9e4b8c1
SHA512 e8539c95caa33e2c269badd165457820426660c6aea31156f2e5f83787d0da2ce494e40ae80cfd847c816d5222809d48bccb56170f6299e6d68914291f89392a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 cdb3034170cfef11e60aa259d9bae7d3
SHA1 e94040883530b53e9c67475eb205feb8ffae5e51
SHA256 3774d0c90babcd0056be03b18b83b6d1228fbb46b5c506a8db33d6aa338c274d
SHA512 3038df7d491ff52ce1e7383099f785cdc342ca1eade1a4320f47ef5d1769e855c3c0758e1f3f39ca819d02a3c9d9892fcb029658900ef69848aa4eb31cb31ba2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 07e81277919c292ed6d2e823b1376c7e
SHA1 267d9b18df46f3c54a6b55b009f95f6be1ec7d0e
SHA256 bb444ddf921d7e62e0d22b59136eed7c9f3d07766ba5f49312b3c98041f5d557
SHA512 f3da906dc8203929a9b469a66585e12565dfdcc33907bcdc2904ede15845e9921e5447b0fc83ad017bcba7cb3f7b1ed377f6ccde86caadd8bc160660d630236e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bb03.TMP

MD5 c5760c76167f70118802cc097be75863
SHA1 9b09956397ac027249f36499b37fbd909947d305
SHA256 9d20bfc7f7895b40a6c359c796950b28cf9d2ccdc14023803fdd90347d88001a
SHA512 2fae105e09ee337ac5e48c1fb45c08d17e1913540afb49e48643e871d8ff3f0b6ae47ae2ddf89087184d01448b39ffa29724e179ceb4c6f513d1541dc746f05e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6f110489-d048-40a4-bd87-8d07bf54e5e0.tmp

MD5 2374619589b7441b8fc652960d4ca0d6
SHA1 480ce4a15ba7f49a536da5363ff19883ab212210
SHA256 284957b856268e3eee7bfd812169a2a8e4cfe964fd96bde2995d2a3ca0d1a59d
SHA512 3e653fe2de368ec930e355fb9e83ddd1c7bbaf2a1c7c2bb9bd780807f288d143d0815b78d479cd42e362ed7c4cf5b2678cb3dc7b5da8e1c71cd9945953a20a07

C:\Users\Admin\Desktop\VapeV4\VapeV4Crack.exe

MD5 93fc906e8318df21ce5069c0f5b1e2e7
SHA1 2cdad311be360245ee694278ab90722f9f7a344e
SHA256 44860014a0607a88155015a474ad8029cb0c123da251eac3aff4417b5f1808f4
SHA512 4b0fcbc26d530c4b63ef161d8353683a88d2225348f530a18f97c36111b2770df32ccb3c18a647ecf9c9323f75b10124addcd74cfa83b61cceab273b98b7cbf0

memory/7012-448-0x0000000000080000-0x0000000000094000-memory.dmp

C:\Users\Admin\Documents\read_it.txt

MD5 24cb561c0c75be34341ef75731cd5b2b
SHA1 b6570ea1ad0ee0e1847b845f231546ffe2c7674d
SHA256 4aec149877e8322d95464dbdb3717c6a225a092cd261d536d16fd34520c72e38
SHA512 6206409b2514c30a502ad07aa74b277dae9392d57aefc4ea6cda6aa1cd6a1d0f252752fb67d672648d9afe9045ee5309b48cdb2ee8b6d061a16666fa19b78353