Malware Analysis Report

2025-03-15 08:19

Sample ID 241020-wyr1wssfqh
Target 9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN
SHA256 9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5a
Tags discovery ransomware
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256 9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5a

Threat Level: Shows suspicious behavior

The file 9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN was found to show suspicious behavior.

Malicious Activity Summary

discovery ransomware

Drops startup file

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Sets desktop wallpaper using registry

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Browser Information Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies Control Panel

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-20 18:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-20 18:20

Reported 2024-10-20 18:22

Platform win7-20241010-en

Max time kernel 119s

Max time network 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wallpapers Every Day.lnk C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe N/A

Checks installed software on the system

discovery

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\Wallpaper.bmp" C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "151" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "119" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\wallpaperseveryday.com\Total = "119" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\wallpaperseveryday.com\ = "151" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000049ca9e8931b62497a75c3c897b18936598d65308a7753dc6ae2418ae5a9483a9000000000e80000000020000200000002ac85cca9314b1ac3418ef122b38ac44e03c298d5822c96afd4dd04a31112fcd20000000a169034cabb47149c37a31cc07595e74077a028be483e5f7492de6b9de79075f400000003877098d67ceeab9613a3d71cd72260ac1c0cc2c0c732660ffa6b777007d018b98b833448bb43a658796ce69fa28641ae02f56e5e2309df41b5fbe001a26e4cd C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "105" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\wallpaperseveryday.com\ = "979" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\wallpaperseveryday.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "9" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\wallpaperseveryday.com\Total = "41" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1068" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value elided] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "12" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\wallpaperseveryday.com\ = "12" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\wallpaperseveryday.com\ = "62" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0a779df1c23db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\wallpaperseveryday.com\Total = "62" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\wallpaperseveryday.com\ = "119" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{037D9811-8F10-11EF-A5FC-C670A0C1054F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\wallpaperseveryday.com\Total = "979" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "62" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\wallpaperseveryday.com\ = "1068" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\wallpaperseveryday.com\Total = "1068" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\wallpaperseveryday.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\wallpaperseveryday.com\Total = "9" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\wallpaperseveryday.com\ = "41" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\wallpaperseveryday.com\ = "105" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\wallpaperseveryday.com\Total = "151" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\wallpaperseveryday.com\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\wallpaperseveryday.com\Total = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\wallpaperseveryday.com\Total = "105" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435610311" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "41" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\wallpaperseveryday.com\ = "9" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "90" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\wallpaperseveryday.com\ = "90" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2344 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2344 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2344 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2344 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe
PID 2344 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe
PID 2344 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe
PID 2344 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe
PID 3024 wrote to memory of 2684 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3024 wrote to memory of 2684 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3024 wrote to memory of 2684 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3024 wrote to memory of 2684 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe

"C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://wallpaperseveryday.com/ThankYou?v=2.0.2&key=c2cb35504b9cf539262fbbd793f34b27

C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe

C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3024 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 WallpapersEveryDay.com udp
CA 192.99.62.48:80 WallpapersEveryDay.com tcp
US 8.8.8.8:53 wallpaperseveryday.com udp
CA 192.99.62.48:80 wallpaperseveryday.com tcp
CA 192.99.62.48:80 wallpaperseveryday.com tcp
CA 192.99.62.48:443 wallpaperseveryday.com tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.23.210.82:80 r10.o.lencr.org tcp
CA 192.99.62.48:443 wallpaperseveryday.com tcp
CA 192.99.62.48:443 wallpaperseveryday.com tcp
CA 192.99.62.48:443 wallpaperseveryday.com tcp
CA 192.99.62.48:443 wallpaperseveryday.com tcp
US 8.8.8.8:53 s7.addthis.com udp
CA 192.99.62.48:443 wallpaperseveryday.com tcp
GB 23.44.66.45:443 s7.addthis.com tcp
GB 23.44.66.45:443 s7.addthis.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp
GB 142.250.178.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.178.3:80 o.pki.goog tcp
GB 142.250.178.3:80 o.pki.goog tcp
GB 142.250.178.3:80 o.pki.goog tcp
US 8.8.8.8:53 bat.bing.com udp
US 8.8.8.8:53 connect.facebook.net udp
US 8.8.8.8:53 mc.yandex.ru udp
GB 163.70.151.21:443 connect.facebook.net tcp
GB 163.70.151.21:443 connect.facebook.net tcp
RU 87.250.251.119:443 mc.yandex.ru tcp
RU 87.250.251.119:443 mc.yandex.ru tcp
US 8.8.8.8:53 t1.softonicads.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 142.250.200.34:443 googleads.g.doubleclick.net tcp
GB 142.250.200.34:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.36:443 www.google.com tcp
GB 142.250.200.36:443 www.google.com tcp
US 8.8.8.8:53 www.google.co.uk udp
GB 172.217.16.227:443 www.google.co.uk tcp
GB 172.217.16.227:443 www.google.co.uk tcp
US 150.171.28.10:443 bat.bing.com tcp
US 150.171.28.10:443 bat.bing.com tcp
US 8.8.8.8:53 mc.yandex.com udp
RU 77.88.21.119:443 mc.yandex.com tcp
RU 77.88.21.119:443 mc.yandex.com tcp
US 150.171.28.10:443 bat.bing.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2344-0-0x00000000003C0000-0x00000000003C1000-memory.dmp

\Users\Admin\AppData\Roaming\WallpapersEveryDay\uninstall.exe

MD5 821787959ddc1f39fbfce591b39ad432
SHA1 fb06254891629fed38977644a7015b69f696ddf1
SHA256 41a5cde10a7f4888e457ed582dcc8a35ac2158bb714a3d24ebbd5fe08d5b196f
SHA512 680818f38c6a431b01d0601db7c5fa5ee71884ff5b7f665c22b20c19a8594a23f7a05879b6249c7653648912946875c0de87154cab5ca40318a68cd388f75962

C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe

MD5 1d3a57cbf9c81e9862e847faa0351192
SHA1 6a1a5b4b9d0acb13d733053269eaca8e7b7a6ba9
SHA256 1565cb1da2f45dacf7107d062ac3184f34429898b81ba95884b7f90bdb81085c
SHA512 65652f01d1087b69d7286ae7c73bc7c965c145cb3adbbbe8a43ef61b6eba5ab30d003b89ccde18bfc2d81586f46a3b5b64a6a8b3c566ec071f082dc01deb36a2

memory/2344-22-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/2344-21-0x0000000000400000-0x0000000000757000-memory.dmp

memory/2344-25-0x0000000000400000-0x0000000000757000-memory.dmp

memory/2344-31-0x0000000000400000-0x0000000000757000-memory.dmp

memory/2720-32-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\f[1].txt

MD5 b54aec6a313fb192fd48aba4e7dcb8b5
SHA1 e62c25ab3bdc8cb970d09a0e5c2fd453bd1c25b6
SHA256 2bbfd2f7f254ec3306f2be0a16ea51d12446ca04cd88354808ab950d6ab6b1a2
SHA512 d0aac0cd2a08a3df8109961031337db3525fce402d7c640c070030fbede4f8d217a203f7c92fa219d0ac01ef504983676009b76088c735eda74d9afe0b22da31

C:\Users\Admin\AppData\Local\Temp\Cab6EAD.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar6F7A.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a8e39893674c7c2d97c2fa964b79d9fa
SHA1 cd21068cfe10982ffc3bf17758c9bb3541ca4330
SHA256 00267c5858510686f8e81f85957270fa7aa2a092bf3d7e33f9d5dcd715587b28
SHA512 297a59f70d78b4544db61e959456f2df93a95dea5cec08c23e94db52b77cfa0efeb9761686a02b6ce7919d3e86dcfb11a9cd7c06c11227fcbe8cce05846f6315

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 93f2403a15d77de74d6ecb21ff07eb06
SHA1 bb7d63a1d4e6455cde7b87a710787af349c62305
SHA256 2b8a68b21aee1e152a810e2ee66d62d36e3e6b9eacf426da7d9be55b42c8af1c
SHA512 34402c76bdba02a348badf3e5540e1198091395fd50498fed048eb37abf5790efa52890cb631c02393f7599ae33d3cd3c3f5323eb3b1bd3fedce0273e9117d6d

memory/2720-321-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2720-302-0x0000000000400000-0x000000000054B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4c0ae14133666bb0918042475b2651aa
SHA1 7f52ee1e47f313e9582324351b05ae5d27a6a32a
SHA256 5c66dcedf49de0d9340df1b1162758fceb42dcc807620bb36f0aa7bdd07b3c3d
SHA512 d4ab154137ba464c6a59d5618e47eeb666e5858842ee41a4014c74fd28ce97a128e0a2da098c1041f5e525f24c658bca7562ddc7c017d30a3c63c63419d46ad7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9d92226649a7d5098eefa4f75e392f93
SHA1 d1ed63d10fb843ebca2705b2299442ab67936993
SHA256 7b73357ba08983fab1c153ee71b4f603839896f6a0fa0ef0487f29de357033fe
SHA512 92a67c066448f825dd1955fdd99b074ae3461dcf06464f37d7357b8178d6d1fa4a67af9e31a9ac4c6a93c1056b5ea51e916a2fa9094e8fdf029bdd93f9347b3a

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\V84MBGA0\wallpaperseveryday[1].xml

MD5 b8d010a0886796d494316857d3066c09
SHA1 0c2b4079014e69b39145026b06d590fcfe564480
SHA256 4d8e0decf77718ad4483cf91cdf8abc30057951ea35a6a5dff7790878c348349
SHA512 f5eea0e648ea1556cdca94fd4e6069ad6957a5372de5a6d9433cfaa21bf3beef099e81bc6d2aae8f301771e4e50a8db72cad918ef82f3dc7381255a1c01cca98

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\V84MBGA0\wallpaperseveryday[1].xml

MD5 eed1879f7357c7ea49a438693961d54a
SHA1 09c4a684e9ce7782e1bee05390b51952a3ad3a6d
SHA256 acc2bffadf1841d674917491c87ee0df08d463961d3071b68cf2cb1501eb0b52
SHA512 09409c2a70a0c577bbeeb774185e947d9dfea56adf1019296ec4862112f67105e5de3ec8b3772be0c19fc12f08579708e9482cc250cc2c04ff43a86354a55958

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cb60b158be5540777682a0d16734ac09
SHA1 afb8a5296231e9a58e3abb017d246af7f48b3e76
SHA256 4ccf8143ad993171b0cc188201a5318d6dbddf548f239e0ca8eddcbfe0899394
SHA512 9c5b2ee2669ff3db187fe9ae13ec86372e346d36e258115dab40f6cf2b5f5b306fd2106e23b54152c1c066a27823e27e81eb3a57b049732910b8cc6b5f5b8af8

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\V84MBGA0\wallpaperseveryday[1].xml

MD5 e0728c0a8e0cdc1023e7972aede1cfb8
SHA1 14f9b1f6d60cbf3c2aef095bd46fe431d39536e4
SHA256 e4009128e4c649b5b8d3d06c576be3b0897f42875a97d7387e2fd2253ce70154
SHA512 faa518ea92981a15fbd3f096032ea55f3364aed1b4ac2aff01a61b9d3705a7f933cd1d22117a3f7d16c8d74a58e6799d6db3b124635229300aef2e44bcfbf7b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 db9cde25623fdbcb4d26debde10572bf
SHA1 2cfe9fff30373103bd0844b844a33ac990f0f04f
SHA256 af775faabf38e7c4ffdead76c8681995c87b32d0675f992dd09e57e10f07330d
SHA512 c4ab17281a298bcea679e9fa2499288ca21c99a2dd254812e6fe8587dccfef534540c17ed3e487d9d1d78dcc970a64f498944a150e9ead8ec6a3c5b8dc3975e1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ce8b496a98c4348834f852061fddd821
SHA1 a8b50f6d048e0edca614e094d2164f174f33e195
SHA256 640172ea10e494f90dea41c8c0cbb78df2bf58aa99a064d05a375e39f7dac7e3
SHA512 786ca80f1e2204b06b0ef3995eb4415d95a2db8eb29bec221c05488814aed58204bc22f74cfdc7a1b52bb200b4b1f1256244135d85dd3fe3afb172a945c55aac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 659fc986360d826b8a119534c7187f0f
SHA1 ed542bc7af1e17bb814a3b4e02ec4963f6f055a7
SHA256 eecb57bb376162447b5d1501599cdf8047965e44e01445d966426a4898cf141d
SHA512 1f5565a499469415b336cdba33fa6b52a1d201d0fd9cdcf778d389dfa0b4b4f91077dc5086e1c89eba0b40ad5d27e217c331f44d44568286cdd6b4e9dac30280

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ae4c27a290a4dfbad4092b1fc1d79d5a
SHA1 eb1d45e6dc2f3b7f1eb3f31782314b73d021c145
SHA256 f53db4ff63caba3539db07dce396ab6666139917c4b7b545d4de8a3038947d6e
SHA512 2c75e5872afd05dc91f04d21461e58f5ee42ca5fd68f722fad53205d2d55d09b13ee3af17dff4f8bb8724e82cc2c50ce63f1de41ebf0ecabb09e3d2dbcafbea1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f663940d22ce52f9625ece74c2532f9
SHA1 ea3cf46ca15891b893fcb7792e91ab882ff731f4

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 18:20

Reported

2024-10-20 18:22

Platform

win10v2004-20241007-en

Max time kernel

114s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wallpapers Every Day.lnk C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe N/A

Checks installed software on the system

discovery

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\Wallpaper.bmp" C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3684 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe
PID 3684 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe
PID 3684 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe
PID 5004 wrote to memory of 3560 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 3560 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 1964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 4220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 4220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5004 wrote to memory of 640 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe

"C:\Users\Admin\AppData\Local\Temp\9017b0323e89da60572ff1297494cae4fd5d386512b1abed64c0e0d6dde56b5aN.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://wallpaperseveryday.com/ThankYou?v=2.0.2&key=3fa9c064cfcd88a34c84a01971f632a4

C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe

C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0xd8,0x104,0xfc,0x108,0x7ffdbe5546f8,0x7ffdbe554708,0x7ffdbe554718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,8058835614416483853,16846419160800205005,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,8058835614416483853,16846419160800205005,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,8058835614416483853,16846419160800205005,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8058835614416483853,16846419160800205005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8058835614416483853,16846419160800205005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8058835614416483853,16846419160800205005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8058835614416483853,16846419160800205005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,8058835614416483853,16846419160800205005,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,8058835614416483853,16846419160800205005,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5588 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8058835614416483853,16846419160800205005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8058835614416483853,16846419160800205005,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8058835614416483853,16846419160800205005,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,8058835614416483853,16846419160800205005,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1

Network


Files

C:\Users\Admin\AppData\Roaming\WallpapersEveryDay\WE.exe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_5004_BWVKQPOPUJADHWCK

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\Desktop\Wallpapers Every Day.lnk

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582e6e.TMP

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
