Malware Analysis Report

2024-12-07 03:27

Sample ID 241113-cmhtasvcma
Target 27b9c2bbe7d1d9a042707f2dffed11fec9f2bb9804a5255d02c68b5b975d071a.zip
SHA256 27b9c2bbe7d1d9a042707f2dffed11fec9f2bb9804a5255d02c68b5b975d071a
Tags
remcos new discovery rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

27b9c2bbe7d1d9a042707f2dffed11fec9f2bb9804a5255d02c68b5b975d071a

Threat Level: Known bad

The file 27b9c2bbe7d1d9a042707f2dffed11fec9f2bb9804a5255d02c68b5b975d071a.zip was found to be: Known bad.

Malicious Activity Summary

remcos new discovery rat

Remcos

Remcos family

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Browser Information Discovery

Program crash

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 02:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win7-20241010-en

Max time kernel

122s

Max time network

128s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0x64.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0x64.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\HCIMemTestController.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\HCIMemTestController.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

154s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\HCIMemTestController.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\HCIMemTestController.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 105.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win10v2004-20241007-en

Max time kernel

97s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\MemSpeed.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\MemSpeed.exe

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\MemSpeed.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win7-20240903-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\RandomLatency.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\RandomLatency.exe

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\RandomLatency.exe"

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win7-20240903-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2540 set thread context of 1504 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\scr_previw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2572 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe
PID 2572 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe
PID 2572 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe
PID 2572 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe
PID 2572 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe
PID 2572 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe
PID 2572 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe
PID 3000 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Roaming\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe
PID 3000 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Roaming\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe
PID 3000 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Roaming\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe
PID 3000 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Roaming\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe
PID 3000 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 3000 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 3000 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 3000 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 2832 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Roaming\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Windows\system32\WerFault.exe
PID 2832 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Roaming\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Windows\system32\WerFault.exe
PID 2832 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Roaming\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Windows\system32\WerFault.exe
PID 2968 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\scr_previw.exe C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 2968 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\scr_previw.exe C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 2968 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\scr_previw.exe C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 2968 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Roaming\scr_previw.exe C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 2540 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe
PID 2540 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 1316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1504 wrote to memory of 1316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1504 wrote to memory of 1316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1504 wrote to memory of 1316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1504 wrote to memory of 1316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1504 wrote to memory of 1316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe"

C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe" /VERYSILENT

C:\Users\Admin\AppData\Roaming\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe

"C:\Users\Admin\AppData\Roaming\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe"

C:\Users\Admin\AppData\Roaming\scr_previw.exe

"C:\Users\Admin\AppData\Roaming\scr_previw.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2832 -s 528

C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe

C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp

Files

memory/2572-0-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2572-3-0x0000000000400000-0x000000000070A000-memory.dmp

\Users\Admin\AppData\Roaming\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe

MD5 782db962173b5a744fdadcbbed8a6730
SHA1 49ec2b0443801cad7b4664f3887654a010c53392
SHA256 18d88f4214a2e62640719f1a5377c5f222721c97aa4ea2dec1526b09df211eeb
SHA512 8cebe2557a8847ad2084a9466210e9f931a14a2e75f73c30424e4a69936c628cdc41ac7493799662d2765225645ddc2f3d685f3aca48227b746eb6178beb10cf

\Users\Admin\AppData\Roaming\scr_previw.exe

MD5 d9530ecee42acccfd3871672a511bc9e
SHA1 89b4d2406f1294bd699ef231a4def5f495f12778
SHA256 81e04f9a131534acc0e9de08718c062d3d74c80c7f168ec7e699cd4b2bd0f280
SHA512 d5f048ea995affdf9893ec4c5ac5eb188b6714f5b6712e0b5a316702033421b145b8ee6a62d303eb4576bf8f57273ff35c5d675807563a31157136f79d8a9980

memory/3000-49-0x0000000000400000-0x000000000070A000-memory.dmp

C:\Users\Admin\AppData\Roaming\d3dx9_43.dll

MD5 e8ad346c114fda96fca288966eae8e92
SHA1 fdfad7f2030b54f076b2a2e24ef1199abf2588e6
SHA256 7e04681fdc438855e5b27a92c73b74ccb0a13338ee24a5054571b8efd8918ba0
SHA512 d63e542de66eb09d6847ed99e173763b7c24335566f650bdb198d4279b0de6e14cb4a03f29c66b5d7d6c480a6f520f677fccf8cbf51dc5db3f8af6c5412d7549

memory/2832-53-0x0000000000180000-0x000000000028E000-memory.dmp

C:\Users\Admin\AppData\Roaming\gbxchd

MD5 162ba47ec20e7fb580672579a6fef9d2
SHA1 a6b52b8f549ca44ffe821f65e846b869da544c28
SHA256 227baa93552cc95a5d2142c23c27f2006e41093cfe24f89bea1b8fe8abbac159
SHA512 135e057a779e5ed593f455ecc646dbf0f21b0bab909e0d8c3d83c7817e82e52115551cd6710b75dbfb9026393861e6f24f63ec59722d1e73553df97ac0e55cd4

C:\Users\Admin\AppData\Roaming\cygrt

MD5 a727c368e3a6c273f28c80607f2df861
SHA1 a31a2b4a4677d58bf9f7126da6dedaf4502eb283
SHA256 bc5e2a7118a6e0a37b968dca2c110dd9db9a4359f6aea13f41ac04c663d066ca
SHA512 b7a47943727fced7da83f89d8eac50a50308a8a7abacf57b7ffcc0b2c05349360a8af60f3ab81755ba456b956b022c99f21692d339d399a42a5b8d9860b9045d

memory/2968-56-0x0000000074AB0000-0x0000000074C24000-memory.dmp

memory/2968-57-0x00000000778F0000-0x0000000077A99000-memory.dmp

memory/2540-71-0x0000000074BE0000-0x0000000074D54000-memory.dmp

memory/2540-72-0x00000000778F0000-0x0000000077A99000-memory.dmp

memory/2540-73-0x0000000074BE0000-0x0000000074D54000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\caf05966

MD5 11c31131d79d1e3f4a7c4265b1b1dd9a
SHA1 840b13c42b1dfdcd69a4e7eb9faed7b0e3505102
SHA256 c7c5f6a25374b324ee24ab70e1ea1b5048adc9ff4570bb41168068fd0fe86f2d
SHA512 100c604f58a44997d70d35ead6c2c7c7d6a829dfd46a585dfd61cb0a6b750a25ab66f091ea64fe82935f79114fe3672a0bbf7769805072e8ff97543fcb454e55

memory/1504-76-0x00000000778F0000-0x0000000077A99000-memory.dmp

memory/1504-122-0x0000000074BE0000-0x0000000074D54000-memory.dmp

memory/1316-124-0x00000000778F0000-0x0000000077A99000-memory.dmp

memory/1316-125-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1316-128-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1316-129-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1316-130-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1316-131-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1316-132-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1316-133-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1316-134-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1316-135-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1316-136-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1316-137-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1316-138-0x0000000000400000-0x0000000000484000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win7-20240903-en

Max time kernel

117s

Max time network

120s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0.sys"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0.sys"

C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0.sys

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0.sys"

Network

N/A

Files

memory/2004-0-0x0000000000010000-0x0000000000011980-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

138s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0.sys"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0.sys"

C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0.sys

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0.sys"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

memory/2868-0-0x0000000000010000-0x0000000000011980-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win7-20240903-en

Max time kernel

144s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\memtest.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\memtest.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 801452727135db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not present in this copy of the report) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f00000000020000000000106600000001000020000000866fd81517b571f3e922158f5c26afe564c1284c6850620881bd193c027abf36000000000e8000000002000020000000d887c6c5096179ab6caea7d85ea8efe9c30b09933dfeb63eb0d34b973a8724b22000000066a8f344c34cccb38f75203da79ffedc87ddd558e48f8cc7f4486ba6a18c05c740000000f2f41d6a7ddf3ae9887f04fe7f599ff5f8a2f4c8d02ce48f903a0495719600a84e259ba7272bc1c637f24c4f87bd6b04a379d79c43617881abd85bbbe90313a1 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437625783" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f000000000200000000001066000000010000200000007f63f1b3109de0d60053c68aeb9ce004e7dc666c0c61f9251b4b2be4deda39f9000000000e8000000002000020000000e2cae05636ff14e5a24a0df98cd947a6effc62f2300bdb470438a59c94e6508b800100001800b656f93ae9ba166fa86005c26f781ff18110ea40b202de6c527f3f58061156d0c46972828ede1850261fc2dbf85a29a751b7047a36f91198a2bbb9e527d77d786a4121110d937c7d4fd2e82bffcb6784bbe045c5934c6c82ae3392f6de966cca1cf9f2c052b1db19d4b82859c29b1955b1e7555c20aa1a0f4adf7eb4722049d531862f3752ee173b9111761456e81c250d5d95689a39af8142cb974b4a1205957e27cd2c2cd75605d20e774ee1b77a34b60b6803bcfdd10b844206502addb2fb3563389895bdb21ad715faac075802918f2f9630cdcdb253fa965c072376f7c4f04cea2337765a117cedabe381449ee7c6fdf195370719b84d55b16326f6f4ae571b406dac65aa8e7ecb1a9c3e3602bfa2ff07662908e9b7a96e7656c041830cf9d91c819943bd08ae1a0904a5b0425fd16b028e1e619f54a220b729a9968b88e5732f034fb592e381fb5bbb1dcddf900436d7a29fa41b889586731ac2c701b9153de6ecc5eb371a933e84f7db17263d5eefd17dd4d23425df84e1559a0e40000000e77ff8003fc4b2c3ee2155d1e9837cd9a55bd4b0ef9d164cc97105edea6542855c2f44a2f26d1dbf095bedf70b772665b8434025d5dc8909e8c63e217539f9ec C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\memtest.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\memtest.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2776 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\memtest.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2996 wrote to memory of 2760 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2996 wrote to memory of 3052 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2996 wrote to memory of 900 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2996 wrote to memory of 904 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2996 wrote to memory of 1708 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2996 wrote to memory of 2972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2996 wrote to memory of 2964 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2996 wrote to memory of 1800 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2996 wrote to memory of 2268 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2996 wrote to memory of 2956 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2996 wrote to memory of 1408 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2996 wrote to memory of 2436 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2996 wrote to memory of 2604 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\memtest.exe

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\memtest.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://hcidesign.com/memtest/copyError.html/ver:6.0%20flag:3%20xy:1

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:209941 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:275474 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:209961 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:603149 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:1586199 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:1651737 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:3028008 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:3224622 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:1782834 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:2044975 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:1717332 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:1127481 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 hcidesign.com udp
US 216.92.230.3:80 hcidesign.com tcp
US 216.92.230.3:443 hcidesign.com tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.23.210.75:80 r10.o.lencr.org tcp
GB 142.250.179.226:80 pagead2.googlesyndication.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.200.3:80 o.pki.goog tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\favicon[1].ico

MD5 19726b2bfb9d3da466e694295321f34d
SHA1 ceedaa18f0b4d04b5e5157e3a00bb0fc1e2626df
SHA256 f82569f51f6fa7fdb1bd80419ba703008eb136df0f48eff2a8deb4594be3cf17
SHA512 1ba6210387100222e455664189ccc52b0fdfe52d0c1b946fbcdc232c543dca7a7ff82d5f6c39ea571356082711b2461c01e638745c2ccf9c55a7c12271119f8c

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\anyweax\imagestore.dat

MD5 5d35a94f774ae474abe6d65d7b87dbcc
SHA1 df2407359dd09520ec030863d826d893e21b2b25
SHA256 967dafdb0b69291a7cbce987c7f723d2c8240a50f3a550626140b0a6374eecdc
SHA512 2efc9373040624a7875e2fe2bfaf55111a21e09fba265bfe132cdae60bc1c71c72782fcae67888b4921aa75e072ddfd57e530cb6bd8ad7f451e706db56944523

C:\Users\Admin\AppData\Local\Temp\Tar6349.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\Cab6347.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 90c8554aed9e71ae648bd8fc5d65ac1c
SHA1 0df511119f18d8b8a5340d6c6b7fb9deee3a4532
SHA256 0ea3c8a59d1a2d76dde9295ab80bd1ca844b2c7b1e096e77cf7e536986a8be96
SHA512 4af8f49d3ed75d3a2a1c8d95e3d4b41fcc2c02ff0d483db175cef8b9e835429779a2d0da792fd32eecc85914a0c3ddd50d716ed6e2268ac0cca5b3503186abe5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a6109c02cfa16bec12ebf656dd8d897a
SHA1 fff110a9fa096510f8c824a9bb98dd86bbffc51b
SHA256 501b5517ea4b5d37f026017d109bcd1cf0d8b24923f4b281456f768964fbddae
SHA512 ba43471f1ddbd6937c181bf851431a01a2da3f3413ce63679bc698cf8cfe4b7cc00cffe69b83b101e71ae0e9aeb1d1dfb2624ee425464fec2866d24844029569

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 293401078c50568b0e3e4fcb322aad99
SHA1 e83fe130a8e01923cf26161de1ded331d6c15793
SHA256 1ef0312a2f52f1cd5badedca7070737e2f00cb189592ad5b2691e9db33255036
SHA512 ea522dc38c20d3f31239a4eaff032f4e9b57e186d8c1ae5e9e781eb1bb2127d413747afe22ae658e80e53837f950e4efbaff3d1cb49c1f8a9bf66f0cfcc8d4ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a905cb9b985ac02bf8da5a3d054efde2
SHA1 54bf9145eb37f36b287c9cdc328e73ca2837476b
SHA256 d1a2e35543522924d90ad9eff88a23d786ab6f56d9349ba433939668b309d037
SHA512 b749bd3c9548e3e018bba27ef71282d7242deb5f447914d66c056dfc000a1812985d20996714ce0d7885da8b073b03463bcbbb8e8f941468b0fb7489429f3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88d9319cc64f892b0397a25c68d13700
SHA1 01b2b9db6349a21055338565587e678d2c7ac758
SHA256 84acd37813a5a1799fe0b8f2816d1c50c3215d7c2b8d12bee6507d0cf3148349
SHA512 9388469d463f18531839644ca0190949062ffcb3a05ccc186d0e1a9ac058afbc44d43d73b52831558935c13e6b8523757811ecd986174b9b4a5ce118e5a2dd2c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3872bb4b67ee8316a8346361446403be
SHA1 e3beadd1f1f5e2bc6e2436222992f66bd8cf444a
SHA256 ba48a08a25de3cab617c52f453aaa3ee51db47dd76f0981af6fb394eb5a800c9
SHA512 512b1b4a3da84a9d7659a1f2c2ef232ecf20394eca017673f06072dd6e581aaaa538caa2b845ba4a0402f3ab1e44ba424f5318646fb7ed0a1d1070d0d8c31ffd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 47f7cbed9133bb0c66a795124c5a23eb
SHA1 6c5b1cfba332d63660165dcc188b46a8bf2a9a35
SHA256 f6c5584270210317d7b6e4aa3f070507b85dc5193e03bb44094cce7359a7f4f2
SHA512 e85735bb4eb2b2a0dd5e6ef8b56ea3fa5e9b61d4801a320d760255b698ad3e1d262485af81bb29920b588665c54e4ac52cfa8d0c5675572c58fb697b534c625d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e6167266edf9d5f83e0fceb29627cae6
SHA1 16da07e6cc481c3c0a91bdad41a7872fe1d9c0b6
SHA256 b0efcc4a402fe067d4d3c9821356256a7a265cb862663c7eeb129d46395043b9
SHA512 ed1a993179c14f906d20b05848a0a15887e11715a2bd230f52376e32d22c94abf9bdfac91a7a4b17c7c0f12f615bfc035445a79d4552c2b1f981874a979fe2f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8c770fd451e344e6d28e08b2ed6b8e02
SHA1 dcbd84c35b2364584feaea18d33f571ae0b034d1
SHA256 ed9628bf6fbcaa49ff83f99385b555cabbf6b83e43411ae75deff1192fcdb0d8
SHA512 85140df6ee2d871a85467e9e79d9d37282eebb23be4f94113efbe32267b8cd1a315dbf7436faa8ab8683ca6ebc5ff20f6b3fd5c0a32f251ac38617b13f754b20

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 336506c85992d91c0a8d8935c84556f4
SHA1 f2b0a867b91fade91bff584d12ba16a866178f4e
SHA256 0b277d831bd883a5342b9e08153522b4a05a3a7fa4f67cae7599e9a13eba8095
SHA512 2c8605d21ca61dddae9622a617d237ee7fee616a1f404cd41725b6921d9cd9441ea1263d39b1b9fc3449695daea8a915c404a836cd5fdae74ccf0d0bdf1908d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 c3c684e80a7ed4ccb9f5720e08f2025a
SHA1 1ab1c2aa5eb543647281976bd6efd04498562850
SHA256 5ce326e7555e5459970c27d41ab0263ca3c5c4306945a5f96f1fa9f10f82d1ae
SHA512 96c9649b0bfaf37c2574fb3fc6a970f4d2848c335b335aadbc97e1d0a591e7915d0918382ff17cae536cd2be06dcd747bbad44e2f89f3a1c4539ad4772c15297

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9197FCB915EEF798771BF510D10BAF08

MD5 a7a6bf065e01310da1a9e06f3eb44027
SHA1 feb00ae8d62936f613ad75e54d90d22cfba21cde
SHA256 5a9b66db6d9cf6019fdd564ccf28827f3a289d85f8e33cc55cce20677423924e
SHA512 d3ec144af2858e757ef33fcad4ffa9b66a54dd8cdc5884e9ecfef9c97e41c14933b41e0c6f4c6f8f171d5a9013fe91739daa51d2771aef62081c6abf0d12e742

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9197FCB915EEF798771BF510D10BAF08

MD5 1d1d3eca27c982983f5450f141c08341
SHA1 84eae787e3169a186bb2060dfe68ec623354bf14
SHA256 66ffa5fbd6cd2443388dfccfe27bd08e92ae3c92ba8c913351306c193c114a3f
SHA512 0537ae4199944c0bdae5900630768486bdb8bda898a2163e81420e6a35585b8740f7bdc3992794f9dba1537c3b5a1fca9cc7d89ef59683712a8a506a52aa8262

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 48ab6e51fa98f452b34c0cd23c17ce01
SHA1 b6bae42285aab9bd16d12c8fcd207c8185a8268b
SHA256 96c9a0dec887020ecec42ee3d31d21851c26482c2aa36f669e65cd3d8a8ebdf7
SHA512 e56874b576a858aae616f911fb4b661eb10b45f3b74093121019e82d6748271a7652a1c3acb30222e6c35b6fce20f84d5a2f836657f2d0d58945564a9e414332

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\f[1].txt

MD5 000069065fdf501325e5f8afa3c536f6
SHA1 af1043a67c653134000051934733ecfbcc88ab20
SHA256 e55c48fa16dfbb453ef8143e6e7a95f31af26e04b9629376bc6f8c19162819fb
SHA512 943981f4d350717bfb1c863ca68846bfa55891c2ffe1a5eb33bf7f39cdb3e23d0ae5b2a073462f66a0be90d5aa115cff195d271841ab937b522e4cba3e304134

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\at[1].gif

MD5 47aee29276b8180da0eae8b0c43e7fca
SHA1 b34f82d19c3f6ecacb5b0e381c677d768f6050c3
SHA256 a8dbb833706617b17ba1d3fc662c2fa040dbfb4506c2d6a2bc97736769a5f020
SHA512 fe49ffc80de463e13a68bb402b00bec70db8fb2e789441860234956a1b120d0d6f65bb03eaf792d6abada2eb8d9de6e01905c9488fa6b7e22c1694de7ba7fef7

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\b[1].gif

MD5 511512f9a967458ab5ef55d72c81c6a5
SHA1 0b1ced98f1a5351a561157630c4b45755ade8c27
SHA256 7370b11ba217c29e37536ab3ffacb582ee3277ddb012c8bd5a6c21a42ec92284
SHA512 5493b656951f05393ce287be05eb6c5006344b81376275a73844e7c3be13a0a153d07a258c44460a8cb2214ba6a448fbd56d01416d8aaf30258d3a0d82276166

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\logo[1].gif

MD5 af559e90fd465afe02451290449f6612
SHA1 19444ba0b2d7b9fcdd121e1706a4827c8e136a60
SHA256 828630fc2f38bcf9384e64165b9d768ce81d67c7e8b7fe14838836889d2b818d
SHA512 c3333fa26b7e056f2f90499d55dc186a71464f8e93f0e7faa50075a86e8396908e392ca81fb4515051ad1f6c7f0bd7f56bc795cc79364ac12e520ef2df0e0e79

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\logo[1].htm

MD5 d2190a704494ad6e2d948b5083bffa77
SHA1 9934622de981e2a58284765b7ce1d81983054493
SHA256 aa7b59b92b9a05570485dc74fd25632ebeb67428c441ba0b886aead82b90e1a3
SHA512 5a2b089dc64d93c2af0f10f704b3f83fb9f65bde319807c6f90d3cb93e92bb22cec542cf028cc7db95f580c809f217bf06857316d9c3c790309dd1d69554a3de

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\background[1].gif

MD5 2698b9e6bd73356002a65988a0dc0a44
SHA1 fa5cd1ec23885024572617f59d5bf20751174dc3
SHA256 5aedfc309c0babe7550a3bc5dfffc61893b434ae19d727a015c4f47f143ec689
SHA512 24903fc9b684083d26065a04d2e9dfcbea44d24dcdc45d8ab9b332a25af51563178a40d5bd7faeb60906ba4606254cf9569b62c78955a0a96e46a4d23dfe24ae

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\background[1].htm

MD5 4026469ac82026a9dc88310b851ae73a
SHA1 90fa0fa060402a587318939e3e5c4782e72bc199
SHA256 31db22b33f3cb4e6fe842cca9b47ce83b2965c8997c26d1fe25d2cb3a5715066
SHA512 4a0104e0540ddc020eaa35eb229a17d55583c4fc9b539958254e303a23bde802cd0ce8b997ef217a75d8bedbeec091fe41b533f7cf11ee5aa7e98e8bf9c529e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\f[1].txt

MD5 6c01de76e57255d7f1c920fb5a1e70f3
SHA1 3c6d81645b5fdb452c6ea020f47d018b86e15450
SHA256 677bfe04439d00ce3a036b4f643b35df0da40d7707a7b5a456ebd8fe9472103a
SHA512 5d5ae96ffe18d8f5bad428378c11cb017fe1e4ec0527598e8a7e8d3d15873d11fe14029271d9df3574a5cd03b564ef303fe3008b2ac13cf53feb6fb3d0cc6fec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cafbe6416296ceed56615b9620699b65
SHA1 eed186632ec8a84eb4095d02f6a51c586d7809bf
SHA256 6010e2115304fe5559a54ccb07c234f5f5284b5871cb0d9f72c43b138058ed49
SHA512 ac4fcd436230130588ffa45f899c1d987e94d70f659109fcf017bfcdc532dfec221bfe16f4c48df7b8b85684ca17841e7507faa5807213d9609c37a1f9161fac

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQQODH7V\ver_6[1].htm

MD5 13c9bfda5886a2ad50ba791d1be04382
SHA1 75aee058b94cf51f3882c58697f52317b878c5c7
SHA256 ee3459c3b2ca1e7908ea14d737f44a7390b17c5550e73aa56b3ac7de8d9ecaae
SHA512 de1e29007479ce5eae8795c452139f196e7fa28ce9ce6b3493e1515a993c055c8f2e86d6b9032877da81ee97b5aaf900fb4ab4df519865dd108741895cfc1437

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\ver_6[2].htm

MD5 6f778d4f9e310942cc50030021222553
SHA1 d9adb9a276d0c2e2a6c279718f6fad593ce8ee0e
SHA256 05766a17e47d15589b094e72f0d6da3c0fa51101a0b445538e23410138da9be1
SHA512 11ac9c71a3c33d0a09ef774389748968278e785a4ac82a133e339d985b119f621b90f43ae395534ba93cb1194d53a5ca03d047a9a15ae0a8de665cdb78d802c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ROLMKJ86\ver_6[2].htm

MD5 00918324de644bda0e5b3a81e7c3e79f
SHA1 02c4f17dedb478fc89cbaf11db019f928d511398
SHA256 42a915f0c2d3fcb1c55bfaeef0d62746078c02b3c7714f8de8da55cf0ad88ec5
SHA512 4024ab0d6062de6c2dfb09f42da95bab92a3bc6c7e3adc7497e38962ed078125baf4a0b759247775170cd3b4d7eb36ef2bedcd401ad9a325e617743a80567b0e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\ver_6[4].htm

MD5 56854c86301e49cdc7d1f0ec353aa723
SHA1 885ba79d36266cdd91c86570b35ca5503daf2450
SHA256 983787f36cfc2cfa9effbe474c350ae13c77bb02480a1fe2c2820b4c9ee90a01
SHA512 9fabb50a3956d646cde0c619e833dd6355fe0b374e1222fa52ef0e61a4d97414524e1b32ea68219d1478d655881df585a0f80348d258aca7f3eab77196394f02

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 282be30a0db6158858fefe0898bb32b0
SHA1 70b6d42e64632a783d5250625ac4c1345817fc48
SHA256 8fe5eb393c169ea9d7981a9fb082209951fb036dabfd397071426866d912bf91
SHA512 b19235c260ba3938df0f65ad4be9311c11b107bdf670bc9065808165e5d2784dd9d5de353f8be90ecec520902fdec00411a0381b08b9f405fd60f0b90a7c29ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 84b6c9bf9017534022c26f5db5e37121
SHA1 5c0f212961aedc1384c0ea77d1bf1cfae5335649
SHA256 fb073cf19f075f842653915b7cd8f9e4834de5af753f2597ee7f67407b8addd8
SHA512 2b1abf189f7d6bf36c35f903d98f8f874a4f64a564498109cec6146d8541df5a4af64d405cef365488c0546f38e0993bfe612e8a3aaadcaf2fc55ea079b8ffb8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cf069a1c63c4225363b14276fb906d28
SHA1 9dd95218a111d8b06aacf7c9c36ffb5c75a0d381
SHA256 6a83967566edeac78e85744b778427a28db4a254fdef97b46fc8a0960190ff3b
SHA512 d6c33691e981ef3556870d4f1c54ffb8e1be54044b333446afc32f3dedc87e773e76e96cf3e7a8ef38fa8b0d18576bf73af46cdf272bb0ff3332882ac2db4d68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7da1bad92ef8d8f7909a4513c30c7fe4
SHA1 1b68ef235f645d6bc88b976b8dc3435cf45cf9d6
SHA256 be3713eee99cece3d9aed0373c83e90b0edfbd02b57fb0cc27d720f4cf47d915
SHA512 819a46f1f392ff1752e19fa7b66ffd57a208f3cb9549f68108f94d368fc899b820cddca12ab6afc3dbb29e48ea0c6b44d9b21444b7c84a8ec6baf04b548c688a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 836d11b6b4d4ba271ad89edee70a355f
SHA1 bc0009588cef3526f0c8162c410081f69355dce1
SHA256 16c5f2042e1ac949f8b58dbc085d5cad277c5e4996c5408f8d8a7b0d63de5378
SHA512 807bef409b8de94c43989954a61edb64ee04fba6f50ac1f7f5534fd458477954935f487be8c8f48cf275bd179afbe3984fd41b834810390986341260177b537d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7970b6e8df7fc70fbee1e56a1b19feb8
SHA1 316717900eb7981ee2d30b4bafb5579a621536c0
SHA256 c0d93a0e33209ee3babbf23a27586cea23a9ec5f30f3cf8394d4c78ed725dc79
SHA512 c42b66be59582be40188d8e2e5a1699027cab9257d3020798986f0139af3ced36b2e17a4eb8bf2de3a68152b2f34a7c02bc1863fc35e3de6e44f193996be46b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 866226626e84c3f27ab9bde2cc096c59
SHA1 e2b4c7330f4e8fd40527410e94b4d8b6778b8b42
SHA256 9d8fc63b23e04982911f0b935e221780021d3108c51fb0a17b552d324941e65a
SHA512 dd24446a74f1860fc5c64a3ec54b18fa30389b47d73fd439e9bdc16c65c140dd487d1185490ad6c6a094512cc1e08f77d4d1fe916da890094df89a4ede343339

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b70c7bae6efe3cd1ee33b8d3cab6cd6a
SHA1 807b16ae22136778e4708f3bec539aecf65d6a59
SHA256 99428b79b9a7b22b6f3350db850820aceab9bc8b8d89135a3199aaf142f15fb7
SHA512 8296109c08d5f77b6264250c0d74b1ee38e52b8fafb4c4f9dcf118de13df6493b87a96ad042254e5b13794ce76460355fa79442600f79f6b38e7fd1dda450370

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 8ec9774ca13bbe3f1d6c6c73ac17ec56
SHA1 812755d67775e3eb14853344b858fbda8b66637f
SHA256 bd494d4d30492255900ffa71b849a533c1cd4c5d8a865e1ff0b8d5eb4396c011
SHA512 42f93cf6cf4908aabc694fa849af6f1d63f1ff95014c0b5ed735879082a38224a98af8c362755601c636a4050c01d379d27d5a272ec6cd5041b9998f002d40a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b03989d8cae9d69bdb6b81df08e8a1f0
SHA1 225799b513f24b32dada245e28a97f710ccf1149
SHA256 063a74f52b34a573984f1adebfc52c791b490093630b3563a16681f95841bc95
SHA512 4e180e57a5747b64baa3b06e48fa64c77b17c93819bf79bd493bca377425241de81a68a1764ab47ad5e40ae623378a6ddc8ab25d27b15b1b0fa5210547e801a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 743a13b19f50185b60e6cd65b9693b72
SHA1 b41297c277bbc046496a23655e4a4a65019eb584
SHA256 22fec7d9bab96aa0c53c03b7f2d83eb509878a6f55a8f5900e61091d9b6adbe1
SHA512 d115cc8c730e8d2d0b724c11bc890f22eeade37b1e8cf67fb8a8c8970cd1f92d70c111d6f74d2386aa5ed5154ab287f46fd5751d01889b199882f2197ae41443

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ff7fef2481ca42ef4750e0735793866
SHA1 d1c388ea3df0c129775ba543dafa10e1bc9a73df
SHA256 1c85e262002dcd4f9a8c537af5c16cf8d25cddb3f9308f74bb0d269097420786
SHA512 88570f9b77148525fe87af740f6e94b8accecf6c48846ba497bd4797a757c786f6c1a8110ce6a595ecd0f58afac1ec9dc3ed56ee83510d16e46d3a6f28b220d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d05fda6f94b378bd4ace8c0300eb4366
SHA1 f1bb97fbfb2b75c0ab12d00e1c917aef199d3325
SHA256 5e8c8a6c36669a7401a2bf8a099b6dc61bb84f3ef13aabf8e53ca3883d8dcd46
SHA512 3a00bd8ad2922d7785ee373218e2ddd2d042090acdbac59ddd11ecc22c2c7b05ef9eb0f39327ce7b637c0fed27ce8d544b28efe9cd082d58f5247aed273c3821

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5484357694bf78c3594cef2c2d2e54d7
SHA1 911e302dbefa29b774b33c0e83300ddce03b0631
SHA256 450dd65cae975ee312790f9d09d1131312ed14fb72a024d4d1893edf05e45aa1
SHA512 562139aa534a1237894c870d6c2fe2e0ad1bb2075364ccecc86325665a33a2bf28fd81932284b9fdc2551c80bfa527bb0c588c25b8bfb907c517aa9225347835

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c2688f16e16b5eb3c382d6cb7f5e7dc7
SHA1 1fcd3d94f8d16f07e668b5099fa14b62a3e35c56
SHA256 03457103af5543e4efcc656fb407d2d46a9d4a78450887fdc75823b6e643ac13
SHA512 e0bbb0f343da4432b209dd6d1e29ef3b38a3caeb031e9e5f337e732c88c000df86d12fea511462cf6bc25dc40c3c64f2a80e38b765a0a7e1f1c8c04956a11edf

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\CCXLatency.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\CCXLatency.exe

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\CCXLatency.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win7-20240903-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\MemSpeed.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\MemSpeed.exe

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\MemSpeed.exe"

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

143s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\MetroFramework.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\MetroFramework.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\scr_previw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2676 set thread context of 4164 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\scr_previw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4520 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe
PID 4520 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe
PID 4520 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe
PID 4124 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Roaming\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe
PID 4124 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Roaming\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe
PID 4124 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 4124 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 4124 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe C:\Users\Admin\AppData\Roaming\scr_previw.exe
PID 5052 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\scr_previw.exe C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 5052 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\scr_previw.exe C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 5052 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\scr_previw.exe C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe
PID 2676 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe C:\Windows\SysWOW64\cmd.exe
PID 4164 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 4164 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 4164 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 4164 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 4164 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe"

C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe" /VERYSILENT

C:\Users\Admin\AppData\Roaming\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe

"C:\Users\Admin\AppData\Roaming\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe"

C:\Users\Admin\AppData\Roaming\scr_previw.exe

"C:\Users\Admin\AppData\Roaming\scr_previw.exe"

C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe

C:\Users\Admin\AppData\Roaming\Browserload\scr_previw.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp
FI 95.217.148.142:9004 tcp

Files

memory/4520-0-0x0000000002710000-0x0000000002711000-memory.dmp

memory/4520-3-0x0000000000400000-0x000000000070A000-memory.dmp

memory/4124-4-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Ryzen DRAM Calculator 1.7.3\Ryzen DRAM Calculator 1.7.3.exe

MD5 782db962173b5a744fdadcbbed8a6730
SHA1 49ec2b0443801cad7b4664f3887654a010c53392
SHA256 18d88f4214a2e62640719f1a5377c5f222721c97aa4ea2dec1526b09df211eeb
SHA512 8cebe2557a8847ad2084a9466210e9f931a14a2e75f73c30424e4a69936c628cdc41ac7493799662d2765225645ddc2f3d685f3aca48227b746eb6178beb10cf

C:\Users\Admin\AppData\Roaming\scr_previw.exe

MD5 d9530ecee42acccfd3871672a511bc9e
SHA1 89b4d2406f1294bd699ef231a4def5f495f12778
SHA256 81e04f9a131534acc0e9de08718c062d3d74c80c7f168ec7e699cd4b2bd0f280
SHA512 d5f048ea995affdf9893ec4c5ac5eb188b6714f5b6712e0b5a316702033421b145b8ee6a62d303eb4576bf8f57273ff35c5d675807563a31157136f79d8a9980

C:\Users\Admin\AppData\Roaming\d3dx9_43.dll

MD5 e8ad346c114fda96fca288966eae8e92
SHA1 fdfad7f2030b54f076b2a2e24ef1199abf2588e6
SHA256 7e04681fdc438855e5b27a92c73b74ccb0a13338ee24a5054571b8efd8918ba0
SHA512 d63e542de66eb09d6847ed99e173763b7c24335566f650bdb198d4279b0de6e14cb4a03f29c66b5d7d6c480a6f520f677fccf8cbf51dc5db3f8af6c5412d7549

memory/1768-46-0x00007FFC7B143000-0x00007FFC7B145000-memory.dmp

memory/4124-51-0x0000000000400000-0x000000000070A000-memory.dmp

memory/1768-52-0x000001C34BB70000-0x000001C34BC7E000-memory.dmp

C:\Users\Admin\AppData\Roaming\gbxchd

MD5 162ba47ec20e7fb580672579a6fef9d2
SHA1 a6b52b8f549ca44ffe821f65e846b869da544c28
SHA256 227baa93552cc95a5d2142c23c27f2006e41093cfe24f89bea1b8fe8abbac159
SHA512 135e057a779e5ed593f455ecc646dbf0f21b0bab909e0d8c3d83c7817e82e52115551cd6710b75dbfb9026393861e6f24f63ec59722d1e73553df97ac0e55cd4

C:\Users\Admin\AppData\Roaming\cygrt

MD5 a727c368e3a6c273f28c80607f2df861
SHA1 a31a2b4a4677d58bf9f7126da6dedaf4502eb283
SHA256 bc5e2a7118a6e0a37b968dca2c110dd9db9a4359f6aea13f41ac04c663d066ca
SHA512 b7a47943727fced7da83f89d8eac50a50308a8a7abacf57b7ffcc0b2c05349360a8af60f3ab81755ba456b956b022c99f21692d339d399a42a5b8d9860b9045d

memory/5052-55-0x0000000074C20000-0x0000000074D9B000-memory.dmp

memory/5052-56-0x00007FFC99CB0000-0x00007FFC99EA5000-memory.dmp

memory/2676-68-0x0000000074120000-0x000000007429B000-memory.dmp

memory/2676-69-0x00007FFC99CB0000-0x00007FFC99EA5000-memory.dmp

memory/2676-70-0x0000000074120000-0x000000007429B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5743a78b

MD5 ccb3a5aef02508568db0b078d7a19be9
SHA1 72809d65eff36b0f57388161f799424c407d8f6e
SHA256 b34cae2198473f45582a5f271820d98c03c72074ff94a3fb1209f7f69b3f71c0
SHA512 ee93d8ce89f8135ce86e90b695b65f4bfc1ab71a1245ee472e9ffc3aa626d394935fa6b7c0870c1765cbf9b6922feef2d61c2766b97cf1a5b9741abf5638e7ae

memory/4164-73-0x00007FFC99CB0000-0x00007FFC99EA5000-memory.dmp

memory/4164-75-0x0000000074120000-0x000000007429B000-memory.dmp

memory/4796-77-0x00007FFC99CB0000-0x00007FFC99EA5000-memory.dmp

memory/4796-78-0x0000000000400000-0x0000000000484000-memory.dmp

memory/4796-80-0x0000000000400000-0x0000000000484000-memory.dmp

memory/4796-81-0x0000000000400000-0x0000000000484000-memory.dmp

memory/4796-82-0x0000000000400000-0x0000000000484000-memory.dmp

memory/4796-83-0x0000000000400000-0x0000000000484000-memory.dmp

memory/4796-84-0x0000000000400000-0x0000000000484000-memory.dmp

memory/4796-85-0x0000000000400000-0x0000000000484000-memory.dmp

memory/4796-86-0x0000000000400000-0x0000000000484000-memory.dmp

memory/4796-87-0x0000000000400000-0x0000000000484000-memory.dmp

memory/4796-88-0x0000000000400000-0x0000000000484000-memory.dmp

memory/4796-89-0x0000000000400000-0x0000000000484000-memory.dmp

memory/4796-90-0x0000000000400000-0x0000000000484000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\LineLatency.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\LineLatency.exe

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\LineLatency.exe"

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\LineLatency.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\LineLatency.exe

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\LineLatency.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win7-20240729-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\MetroFramework.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\MetroFramework.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win10v2004-20241007-en

Max time kernel

90s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\RandomLatency.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\RandomLatency.exe

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\RandomLatency.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win7-20240903-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0.dll",#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1928 wrote to memory of 1880 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
(the same entry is recorded 7 times)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0.dll",#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 428 wrote to memory of 2032 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
(the same entry is recorded 3 times)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0x64.sys"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0x64.sys"

C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0x64.sys

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0x64.sys"

Network

N/A

Files

memory/2812-0-0x0000000000010000-0x0000000000017000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\CCXLatency.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\CCXLatency.exe

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\CCXLatency.exe"

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

134s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0x64.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0x64.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0x64.sys"

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0x64.sys"

C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0x64.sys

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\WinRing0x64.sys"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/2020-0-0x0000000000010000-0x0000000000017000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-13 02:11

Reported

2024-11-13 02:14

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\memtest.exe"

Signatures

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\memtest.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(the same entry is recorded 3 times)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: 33 N/A C:\Windows\system32\dwm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: 33 N/A C:\Windows\system32\dwm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\dwm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(the same entry is recorded 25 times)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
(the same entry is recorded 24 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4824 wrote to memory of 3260 N/A C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\memtest.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
(the same entry is recorded 2 times)
PID 3260 wrote to memory of 4644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
(the same entry is recorded 2 times)
PID 3260 wrote to memory of 1180 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
(the same entry is recorded 40 times)
PID 3260 wrote to memory of 1516 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
(the same entry is recorded 2 times)
PID 3260 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
(the same entry is recorded 18 times)

Processes

C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\memtest.exe

"C:\Users\Admin\AppData\Local\Temp\Ryzen DRAM Calculator 1.7.3\memtest.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://hcidesign.com/memtest/copyError.html/ver:6.0%20flag:4%20xy:0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec67246f8,0x7ffec6724708,0x7ffec6724718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,17995888829446636488,9022499630356164171,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,17995888829446636488,9022499630356164171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,17995888829446636488,9022499630356164171,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17995888829446636488,9022499630356164171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17995888829446636488,9022499630356164171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4644 -s 660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 1112

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 hcidesign.com udp
US 216.92.230.3:80 hcidesign.com tcp
US 216.92.230.3:80 hcidesign.com tcp
US 216.92.230.3:443 hcidesign.com tcp
US 8.8.8.8:53 7.242.123.52.in-addr.arpa udp
US 8.8.8.8:53 3.230.92.216.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 68.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c2d9eeb3fdd75834f0ac3f9767de8d6f
SHA1 4d16a7e82190f8490a00008bd53d85fb92e379b0
SHA256 1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66
SHA512 d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

\??\pipe\LOCAL\crashpad_3260_DNPOSKBOAEFLQIHY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e55832d7cd7e868a2c087c4c73678018
SHA1 ed7a2f6d6437e907218ffba9128802eaf414a0eb
SHA256 a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574
SHA512 897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c811d02b05895949c79e982051b952d0
SHA1 44e04edb153d66c09d8c09c3cdb65c9dbfb71961
SHA256 21b5ce35e200205bba7dbe4882f6e7d26868e7d5c5d0c659aa727a8faf508003
SHA512 da766e3536c700c95d67f7d340b7335d1c8d15e1f1af8ed94a781e265d8e692a1a2259c13102bd1c92bec7f2772af21fd62147c458be509f21bfcd5a7d9ca724

memory/4824-23-0x0000000000AF0000-0x0000000000B14000-memory.dmp

memory/4824-17-0x0000000004C50000-0x0000000005258000-memory.dmp

memory/4824-24-0x0000000005360000-0x0000000005422000-memory.dmp

memory/4824-33-0x0000000006950000-0x000000000695A000-memory.dmp

memory/4824-34-0x0000000006960000-0x0000000006981000-memory.dmp

memory/4824-38-0x0000000006FA0000-0x0000000007023000-memory.dmp

memory/4824-31-0x0000000006890000-0x0000000006923000-memory.dmp

memory/4824-25-0x0000000005430000-0x00000000055D8000-memory.dmp

memory/4824-37-0x0000000006E20000-0x0000000006E38000-memory.dmp

memory/4824-32-0x0000000006930000-0x000000000694B000-memory.dmp

memory/4824-35-0x0000000006990000-0x00000000069C4000-memory.dmp

memory/4824-26-0x0000000000B30000-0x0000000000B3B000-memory.dmp

memory/4824-29-0x0000000005C10000-0x0000000005C27000-memory.dmp

memory/4824-27-0x0000000000B40000-0x0000000000B5D000-memory.dmp