Analysis Overview
SHA256
4ca41a640085e2ca954e641790ed976dfe97e35e68a01c6a6b0bcbf92ec2141a
Threat Level: Known bad
The file sample was found to be: Known bad.
Malicious Activity Summary
Warzonerat family
CrimsonRAT main payload
CrimsonRat
Crimsonrat family
WarzoneRat, AveMaria
ReZer0 packer
Warzone RAT payload
Disables Task Manager via registry modification
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Modifies WinLogon
Enumerates connected drives
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Sets desktop wallpaper using registry
Drops file in Program Files directory
Browser Information Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Command and Scripting Interpreter: JavaScript
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy WMI provider
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies data under HKEY_USERS
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-27 16:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-27 16:17
Reported
2024-11-27 16:19
Platform
win10ltsc2021-20241023-en
Max time kernel
141s
Max time network
144s
Command Line
Signatures
CrimsonRAT main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
CrimsonRat
Crimsonrat family
WarzoneRat, AveMaria
Warzonerat family
ReZer0 packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Disables Task Manager via registry modification
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\CrimsonRAT.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\WarzoneRAT.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\CrimsonRAT.exe | N/A |
| N/A | N/A | C:\ProgramData\Hdlharas\dlrarhsiva.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\WarzoneRAT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\000.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tbibra_dreb = "C:\\ProgramData\\Hdlharas\\dlrarhsiva.exe" | C:\ProgramData\Hdlharas\dlrarhsiva.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\J: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\L: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\N: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\U: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\H: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\S: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\W: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\X: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\O: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\P: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\A: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\E: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\G: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\K: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\R: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\T: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\V: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\B: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\I: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\M: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Users\Admin\Downloads\000.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Users\Admin\Downloads\000.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" | C:\Users\Admin\Downloads\000.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\Desktop\Wallpaper | C:\Users\Admin\Downloads\000.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5872 set thread context of 6100 | N/A | C:\Users\Admin\Downloads\WarzoneRAT.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a2b0fa07-87f2-4cb3-ab58-4bc3d3482d27.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241127161734.pma | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A |
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\000.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\shutdown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\WarzoneRAT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "130" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\뗃𐀀\ = "crdownload_auto_file" | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\crdownload_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\crdownload_auto_file\shell\edit\command | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico" | C:\Users\Admin\Downloads\000.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\.crdownload | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\뗝휀耀.crdownload | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\뗝휀耀.crdownload\ = "crdownload_auto_file" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\crdownload_auto_file\shell | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1669812756-2240353048-2660728061-1000\{CAA31D48-B660-4587-9CD3-A0AB0C74F6D1} | C:\Users\Admin\Downloads\000.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\crdownload_auto_file\shell\open\command | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\crdownload_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\crdownload_auto_file | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\.crdownload\ = "crdownload_auto_file" | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\뗃𐀀 | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\crdownload_auto_file\shell\edit | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\crdownload_auto_file\shell\open | C:\Windows\system32\OpenWith.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\WarzoneRAT.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\Downloads\000.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\Downloads\000.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\sample.js
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7fff91e146f8,0x7fff91e14708,0x7fff91e14718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x264,0x268,0x26c,0x240,0x270,0x7ff652ae5460,0x7ff652ae5470,0x7ff652ae5480
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6600 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6680 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5636 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
C:\ProgramData\Hdlharas\dlrarhsiva.exe
"C:\ProgramData\Hdlharas\dlrarhsiva.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6968 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7052 /prefetch:8
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Unconfirmed 282964.crdownload
C:\Users\Admin\Downloads\WarzoneRAT.exe
"C:\Users\Admin\Downloads\WarzoneRAT.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp28FA.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5588 /prefetch:8
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3916 /prefetch:2
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Unconfirmed 695785.crdownload
C:\Users\Admin\Downloads\000.exe
"C:\Users\Admin\Downloads\000.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' set FullName='UR NEXT'
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' rename 'UR NEXT'
C:\Windows\SysWOW64\shutdown.exe
shutdown /f /r /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39c7055 /state1:0x41c64e6d
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11706541014558794336,17314679765696838805,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
Network
Files