Analysis Overview
SHA256
55e7d851f6b8ecd03e0ee601e92adb483242102718cec9befd2e4b4076542a71
Threat Level: Known bad
The file NoEscape.exe_Virus was found to be: Known bad.
Malicious Activity Summary
CrimsonRat
Modifies WinLogon for persistence
UAC bypass
CrimsonRAT main payload
Modifies Windows Defender Real-time Protection settings
Crimsonrat family
Deletes shadow copies
Disables Task Manager via registry modification
Downloads MZ/PE file
Modifies Windows Firewall
Disables RegEdit via registry modification
Disables use of System Restore points
Event Triggered Execution: Image File Execution Options Injection
Executes dropped EXE
Impair Defenses: Safe Mode Boot
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Drops file in Windows directory
Subvert Trust Controls: Mark-of-the-Web Bypass
Event Triggered Execution: Netsh Helper DLL
Browser Information Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
System policy modification
Uses Volume Shadow Copy service COM API
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Interacts with shadow copies
Modifies data under HKEY_USERS
NTFS ADS
Modifies registry class
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-12-20 22:51
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-20 22:51
Reported
2024-12-20 22:56
Platform
win11-20241007-en
Max time kernel
311s
Max time network
313s
Command Line
Signatures
CrimsonRAT main payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
CrimsonRat
Crimsonrat family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
Deletes shadow copies
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
Disables Task Manager via registry modification
Disables use of System Restore points
Downloads MZ/PE file
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DCIMAN32.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cabinet.dll | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "RIP" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\NetSh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Downloads\CrimsonRAT.exe | N/A |
| N/A | N/A | C:\ProgramData\Hdlharas\dlrarhsiva.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MinimalX = "1" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\tbibra_dreb = "C:\\ProgramData\\Hdlharas\\dlrarhsiva.exe" | C:\ProgramData\Hdlharas\dlrarhsiva.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Annabelle.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\NetSh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\NetSh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\NetSh.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\vssadmin.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133792087120057750" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "147" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 996172.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 149401.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 737964.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Annabelle.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 619108.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 168534.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | C:\Users\Admin\Downloads\Annabelle.exe | N/A |
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\NoEscape.exe_virus
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc81c6cc40,0x7ffc81c6cc4c,0x7ffc81c6cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,13217740294306357608,15574655746256074125,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2100,i,13217740294306357608,15574655746256074125,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,13217740294306357608,15574655746256074125,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2232 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,13217740294306357608,15574655746256074125,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,13217740294306357608,15574655746256074125,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3384 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3532,i,13217740294306357608,15574655746256074125,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4436 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4820,i,13217740294306357608,15574655746256074125,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4832 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4452,i,13217740294306357608,15574655746256074125,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4656 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5064,i,13217740294306357608,15574655746256074125,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4748 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4992,i,13217740294306357608,15574655746256074125,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4832 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4328,i,13217740294306357608,15574655746256074125,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5028 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4244,i,13217740294306357608,15574655746256074125,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5016 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3592,i,13217740294306357608,15574655746256074125,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5044 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5088,i,13217740294306357608,15574655746256074125,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5140 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5168,i,13217740294306357608,15574655746256074125,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4736 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4748,i,13217740294306357608,15574655746256074125,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3368 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5160,i,13217740294306357608,15574655746256074125,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1132 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5212,i,13217740294306357608,15574655746256074125,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5204 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=3336,i,13217740294306357608,15574655746256074125,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5188 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=3296,i,13217740294306357608,15574655746256074125,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5436 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc81e33cb8,0x7ffc81e33cc8,0x7ffc81e33cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2500 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3372 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6316 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4740 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6596 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
C:\ProgramData\Hdlharas\dlrarhsiva.exe
"C:\ProgramData\Hdlharas\dlrarhsiva.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5920 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6636 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1868,10502611828334133644,1733657292730504133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:8
C:\Users\Admin\Downloads\Annabelle.exe
"C:\Users\Admin\Downloads\Annabelle.exe"
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\SYSTEM32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\SYSTEM32\NetSh.exe
NetSh Advfirewall set allprofiles state off
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Users\Admin\Downloads\Annabelle.exe
"C:\Users\Admin\Downloads\Annabelle.exe"
C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" -r -t 00 -f
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ca055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| FR | 172.217.20.164:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 164.20.217.172.in-addr.arpa | udp |
| FR | 172.217.20.164:443 | www.google.com | udp |
| FR | 172.217.20.206:443 | clients2.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| FR | 142.250.179.97:443 | clients2.googleusercontent.com | tcp |
| GB | 142.250.187.195:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 95.100.195.175:443 | www.bing.com | tcp |
| US | 95.100.195.152:443 | th.bing.com | tcp |
| US | 95.100.195.152:443 | th.bing.com | tcp |
| US | 95.100.195.155:443 | th.bing.com | tcp |
| US | 95.100.195.155:443 | th.bing.com | tcp |
| IE | 40.126.31.73:443 | login.microsoftonline.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.133:443 | user-images.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | user-images.githubusercontent.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 140.82.113.22:443 | collector.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 185.199.109.133:443 | user-images.githubusercontent.com | tcp |
| GB | 88.221.135.32:443 | | tcp |
| US | 95.100.195.156:443 | th.bing.com | tcp |
| US | 95.100.195.156:443 | th.bing.com | tcp |
| US | 95.100.195.156:443 | th.bing.com | tcp |
| US | 95.100.195.156:443 | th.bing.com | tcp |
| US | 95.100.195.156:443 | th.bing.com | tcp |
| US | 95.100.195.156:443 | th.bing.com | tcp |
| US | 95.100.195.180:443 | www.bing.com | tcp |
| US | 52.168.112.67:443 | browser.pipe.aria.microsoft.com | tcp |
| US | 13.107.226.254:443 | t-ring-fallback-s2.msedge.net | tcp |
| US | 52.123.128.254:443 | dual-s-ring.msedge.net | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| FR | 185.136.161.124:6128 | | tcp |
Files
\??\pipe\crashpad_1696_PPKAVZNHUHXEJWVP
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | 320bb7dd574ae8d0c18162b4cdd2f1a8 |
| SHA1 | 509984157c3191065f316d1b614c9765c1267412 |
| SHA256 | f706f01ebeb3d1e3e5a0dac94096d038490b56d312aaea0046510dd9f2023a71 |
| SHA512 | f45800641975f0ec38eacae8b059492b243bb33ae58f75cf884d4f7b49f2e7b4c5ce1213ea4ba844562ff4cfb6616463882735f1fc00822b6af96427872c9032 |
C:\Users\Admin\AppData\Local\Temp\scoped_dir1696_1942840943\1018833e-e7fe-4bf5-a3a2-229b8f6c13af.tmp
| MD5 | 14937b985303ecce4196154a24fc369a |
| SHA1 | ecfe89e11a8d08ce0c8745ff5735d5edad683730 |
| SHA256 | 71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff |
| SHA512 | 1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c |
C:\Users\Admin\AppData\Local\Temp\scoped_dir1696_1942840943\CRX_INSTALL\_locales\en\messages.json
| MD5 | 558659936250e03cc14b60ebf648aa09 |
| SHA1 | 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825 |
| SHA256 | 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b |
| SHA512 | 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json
| MD5 | 07ffbe5f24ca348723ff8c6c488abfb8 |
| SHA1 | 6dc2851e39b2ee38f88cf5c35a90171dbea5b690 |
| SHA256 | 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c |
| SHA512 | 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json
| MD5 | 4ec1df2da46182103d2ffc3b92d20ca5 |
| SHA1 | fb9d1ba3710cf31a87165317c6edc110e98994ce |
| SHA256 | 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6 |
| SHA512 | 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 5c0f5b98fe9fd127da0f41549f64e686 |
| SHA1 | 251702cb1ec10b74fc26af78975f7807606d15df |
| SHA256 | 536753554f420f6ce35688d0129ec48da3dd142e7199585fc3a7a68353862ef8 |
| SHA512 | 1c9f01f81b39cd7023873bdbf3f2291cb2d3cbe1e640581d2cdf4c21483602045a43fe4f93cc72e66565449fc2ccc63d56b34c8c942832f6165242dcd78692e3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 23f4bba2215e96a09fde1672c6d3c46d |
| SHA1 | dee9c5efe7c6736791f4e515778fdbeeb7d5c5cf |
| SHA256 | 9692d37d83074a3d2adecbc9be45ca51e0dee3c03e30311d7137727c220ecc20 |
| SHA512 | 3098a4697a88f32ca734642540fa542308c38fc8ac2b5ecd89280425aa42aee2ac5352fa4b183bb7cd3859c7e1568600fdf23aa6e93ea7c9ba39951c63c484ad |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 5de83f3474414ceec570cebc63757e70 |
| SHA1 | 1d8e7e6f5c07dbadb6599363bc080d75b063a460 |
| SHA256 | 2cd08c1dfa224ed49108df55e78a376973e90de196fb26e7f2f3a5bb8e7619c9 |
| SHA512 | b0f361ab6aa3298b966f7969182187a1364467c9a5c57288c8fb414d9e161632cbe557a727fbce2789b6a337da0acbe786d05b6a7b655b25fef98fff6001c667 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 44a6e7c65b41bc6d34779d897ac67bf0 |
| SHA1 | 54a213d76e0dc2a1984eede876cd1f0183e29d3a |
| SHA256 | 60a5466f6f9df76444d98d62aeb76f99e737cd19ddac6c7fb340c713b44cb943 |
| SHA512 | 5ced5d1fa9df56f15bef07b5f2abf81a0b5ff06e2b97c8392e73798002753650e515bce04f3ba66c6c5e92a1a6b1c0d6786f0bddfddd4bc3a6839b470f34ecdb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005
| MD5 | d79b35ccf8e6af6714eb612714349097 |
| SHA1 | eb3ccc9ed29830df42f3fd129951cb8b791aaf98 |
| SHA256 | c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365 |
| SHA512 | f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9b773a16-52f1-4bc7-97c4-9febd4cf0f81.tmp
| MD5 | d9df4ffca9414ff1189909f1d8da3178 |
| SHA1 | bfb567282c8a633e62996487f9191fb140c683a5 |
| SHA256 | 10544aa80cf850bf77574f6ba8d72744ce70ec749bf5794a417a782a36c77298 |
| SHA512 | 40c0ae7881842ef3dc04295e94571005cb2eedc4bc69200f1702c3f67731efb48fc5f599fd253549c944308edad832208f0e9c6d72ad2fc3e636a60240c8e864 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | cf84fae74f02cf86e17d65f7921ff3f6 |
| SHA1 | 2db37ce325bb55c9ff895367d33f9307083e0d57 |
| SHA256 | 88601b623e50f2141332b43706a2a8c070943d94a23b051217acba5f01e723fd |
| SHA512 | c73de1c532cf64133798c0018bb1dd659b881392b05ea898d2ae16bc28dfb123ea915199d509fdf5f38cf1b2783e201924b8c922aca724fd0da740081b41493a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index
| MD5 | c74927b12a54cb57a1ddfcb83d61ddf5 |
| SHA1 | 31df8f6a8f965db5e065165068de64fd70112493 |
| SHA256 | cc68a0c59fa789ffe9c350d32fed0fb67f432761db0635c9eddf9c1435ea056a |
| SHA512 | dd2513d78bff8bdebade6f69fba7be2cb60503a254584abd615faeca9083c715e715a5917193c23828403e66fa1a7529a66a7dfe55bba4b33d28b8cacd9a5abd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | c3525d60fb23179c275b7b3b275f168e |
| SHA1 | e01275509c22fe314369e29dbdfbaeba321ea489 |
| SHA256 | 82822a639e6734e07416c35d39593348ce43c62f71439a0d6650979bb8daeb65 |
| SHA512 | d13ff8e0d551ef89f02d6cf84775e8ad05e82d076c2f185105563376b8e5699ca9a74365eea6846e2ad3cffb669d345e7047655d3ce16540dd30f0a7a9b9cd10 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 3550bbbb325923952cbda5c82d837f35 |
| SHA1 | 7e3d4b5718cf18324c27480f21b8025c9ea4e252 |
| SHA256 | b84eb467dbdda71ea0d182975365b4a128e17a5359d390627d4d744a7dd97a44 |
| SHA512 | a1b363bf5dbe7fbe2bb0b56f41ef5a79f7f85df5ab8eeca9dda8c5e6f238cdad71dd57f5654925b8816a4b1afa65cdc0d68c90397a1c2e7aa44c487833f6c5e7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 452f8391a3ccd9f92d57fcf06dc404a2 |
| SHA1 | 94d55601b77bc41555724140fdb1e40e404263b7 |
| SHA256 | a6d6cc9e3ece855bbf90e873058c22f55c02af0fa74c9706ca75effdc0bc0748 |
| SHA512 | 9a3b6386b7a5ebd61bcea60686a2489606c77c97dbe4680aa0d40955a2064d773aa335f8bcd1f58419b8fbe77fb653067e7175393630e22fe278548b90a0d0ae |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d0e60e90581f8880084ba40aa90893ef |
| SHA1 | 229adc9d999b121d80ab43060804c123e70ac1db |
| SHA256 | d7c14b84118dd9b33eb64d0e69b45cd5b7bba089f81cc1c65e59cfa85347545f |
| SHA512 | aafdc903c8274a5fa3d6a5f9159e59132dbb0c0b49a2fe6eab1810d8561787a4674b5d1522c9a8238fc727305b2f4eaf4cba178b86d0aa12a159e62321aa2fbd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | bb8446069129178309b1f43021ac21d9 |
| SHA1 | 3bfb7b0335ce69b0d7a93747b5ae57a1b5601c68 |
| SHA256 | f8a76772406efe3981a72b3dd871b56a5012e52c9064632536ecedc9a1079f59 |
| SHA512 | 2da24bfc08532a44f0afdff45a718227cbaa982014d2867d8d774a4cce3b0b8b5a873f26361c8ee1d948d1e0f550c8c0af2b262616465ca33925c28664c85999 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | e19d554a8e2908346745fd3af0242068 |
| SHA1 | 87c46c4ab1108dc133d0e58b0c74945beeaff684 |
| SHA256 | 0e5c4aedea20928b571d22233c1cef605529c493a344fb72da9b54ef91fb6604 |
| SHA512 | 610241bf187166c27d5a563af0ca669fdf57b4c982931368996b2bedec70adf4c38cf7bb47f63465678ee69e69a9f6c43c48f521f6bb6a3703c593b08d6c421f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 761ef9f5da72467f2ff73d18238e4e9e |
| SHA1 | ae6867cb80a62f0781f8001e8536fffbd4a3bf97 |
| SHA256 | 693c4825a870f28085ee6180d8cc79e0a2860dc0c3b15584cab4119a5e2a742f |
| SHA512 | 9e82cb3c9b7fc6db44525e7f45f016cfbc608456899fb2f2307a9ee0555c6c08900a0d89a794b2c5a88537543cd8e121991d82d10217adb224955eacbd196144 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 7145bd63e15631105e696330b8f9758f |
| SHA1 | 0f0c5989fd1d69d8e96c5b352a9bdbacc5de9989 |
| SHA256 | 783951943fe813a0c7ef0e13ff5b7f64492af70fe1b15aa01518ae18afbe09ba |
| SHA512 | 4aa3fb766f72b3daf89844cdf5a0a31497b1205babda5f1235134b5a03157544b0ef88615ef857a139c6ff7e1b0c0caeef3993c9c67dcb2b74f7652a3bc53e7e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | c50b6258fb763943cd2486e5c5b9bfda |
| SHA1 | 1567012d7a86b95f65a87a93850d86e2bfcc342f |
| SHA256 | 2ef381257c288f17836499fd53c6f9064d2208f15e781405ac936d5d07e70947 |
| SHA512 | c1d15acc265e66192483c8e7f4088308eb6a85a29223b964adc6ff42c6b14488ff0d2221479a703b58a75918a034b81d2bffa403f1f0b386723a129bd394d8b4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006
| MD5 | ca9e4686e278b752e1dec522d6830b1f |
| SHA1 | 1129a37b84ee4708492f51323c90804bb0dfed64 |
| SHA256 | b36086821f07e11041fc44b05d2cafe3fb756633e72b07da453c28bd4735ed26 |
| SHA512 | 600e5d6e1df68423976b1dcfa99e56cb8b8f5cd008d52482fefb086546256a9822025d75f5b286996b19ee1c7cd254f476abf4de0cf8c6205d9f7d5e49b80671 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 969c68d3bbb135ebbd7e4b869886dae4 |
| SHA1 | e167b2588d08f1f733bc9d82beafb6d2e3ee594d |
| SHA256 | 55da54db2d0454e6f65e1ca510edc34bd2799e59cc72cd598edccfd43a940ac1 |
| SHA512 | 9c231295200aad012224b18b68c3fdf4290f54a7f0ea91cdadfae1c72790d319dd0e4c24b27ae256521b89ba70e6d4d77c849dfd0c56622efb2f7daf812bcb85 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\d57625103830e3cb_0
| MD5 | fcb1c4a1955dfa9c5bd1379f1ee6dfee |
| SHA1 | b7b5e64b95f5e1dd897835802b52bcfa81a79512 |
| SHA256 | 73aaa3643854e2691410df7077da19c3d74a2856b27d64d3efb859ace5b7a9b0 |
| SHA512 | 7ad53e359061180335592f7b23c482ef7479835a30a2a229c908077fd0878158509c1e66684a0606fa6a9a22558ca8cb07918b1a3270b2b48003629fe3dbd58e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\f3ae0d23e488645b_0
| MD5 | 342f17a8cb891ca0384bc24343f0f77e |
| SHA1 | b3c115c89d082513332683d6978a423edf6e8b6e |
| SHA256 | d97db7d77548969c156cadcc875d1ed8f107d9470416024af333bf4aff4362d6 |
| SHA512 | ffa47099f993b05e0d52a76f7aff1ccf1a7f06a36b15624d34c334a5f1d097d93c165d9a4e51edb637bbe4ce097e493a6b88aaeb433061242ce36cea30ec9bdc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 537f18146beba50d97f201411f3712a5 |
| SHA1 | 58917ac01239952a71354abad520b9165884826f |
| SHA256 | fe19618d2ff368b2255aee951365820c8bc50c81653b9c7cb841c24b97fe25b1 |
| SHA512 | 12ed4bd38a9f2ff89305ce7fac9bd8be3dbfa31ae4901ad8428b20dc0561464d0c5e397126fc601bf86cfd185564c91f3c2607cc3c20d84097405a5f3b82c4ba |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 9b8f033a64b0ae605d05aced74c073ec |
| SHA1 | 5b9d2afb2676f12c06a37a79dac196434a97b454 |
| SHA256 | 49932f09cb62537c8f1561fc5eccef3411e326e67bda2dfc70ab5627587ec788 |
| SHA512 | 1916d552838b78826299082f0a65ace4cf3a77bfe87a56c5c4cc59ab9b1ef1809b415e211c08a11a64400f5b94f58905a3395ace294919a8faf34c4f4db667e9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | b0ca06929667057d4738ede876093bd0 |
| SHA1 | 8107dfff9ae9a2a70c9a7dfcde15123e9ca6a3b5 |
| SHA256 | 2fbd2f9735ae509b97ed1778b54337966a85cfb805ac990a23fa847df7d4958b |
| SHA512 | af6b9417e81f73646e04a9c61e825d4dd6cdaecfb886a39947153db240ce887bb69675a135a71cd86771ec7cb6110ba8fe766c0364385e2706b44532a78f90b4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | e88efe0dfe526e2a8dea0f812e3351b7 |
| SHA1 | db084c6e4bb87a1714a8b4d517a74abd69c6fe07 |
| SHA256 | d7667b39d34ce6fb285fc5281e0b3f9add27cc55663dd8ed7cafdde3d0c9b5af |
| SHA512 | 4ed39300c4e9099af246d5961cc6aee7fbf5a65a6f18f4b7c0228b80b0ebf1d2f275f408ac60b2cb2031095730906cc6b8f0be2457e1dec9f7e7a29e48a00d29 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 6bc6b11104fda860e8078b0f1c752aee |
| SHA1 | a7aef9712350b1e9bd0dbb4b8cb9a333616dc68e |
| SHA256 | 0226655c7678e7a6553f6b027968e650907a5f7ae34de6e0d5e7b4ed5c4dc700 |
| SHA512 | 4bf419768b4a30bd41a02b8ef5db06c4302ef08008dd8361f9587487373782b2f3eb54c98d7ddf4069bd702b4b05e1dae7d5e7bb7868cfaf2ce59571beb1a21e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
| MD5 | a52aaf1ab0c148e12585a881acba3507 |
| SHA1 | dd05ff8923fd587a68a1fd08d98da3eab1876538 |
| SHA256 | 29cd5b55936318c22d9ad190c718415b43aeec444254e28668a42f2f595509b3 |
| SHA512 | 0f9e4cba2c08357f19955a00ea05e0c75cbe93886eee2e7d62e96793428ad609600318457ee6cd35981a00b8557bd8903925818daabca9aa758d0ddc954c3523 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f1d2c7fd2ca29bb77a5da2d1847fbb92 |
| SHA1 | 840de2cf36c22ba10ac96f90890b6a12a56526c6 |
| SHA256 | 58d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5 |
| SHA512 | ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a4ec5451-8717-4daa-9ed9-689f5d4d18ac.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4c1a24fa898d2a98b540b20272c8e47b |
| SHA1 | 3218bff9ce95b52842fa1b8bd00be073177141ef |
| SHA256 | bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95 |
| SHA512 | e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 416845e829be525d11f20ac6846006f0 |
| SHA1 | 0550d8dd27a019c41b522734662c6da631d138cc |
| SHA256 | f0348909c7503739ea3196d4a16f9bb4dc247974706901ab816987f970910d64 |
| SHA512 | bcf237e4bb9dfb58eaa17d1e7c739342dcb32493a11e4491f351a137e58498cfeeeb49e05c4818b78f777de6bcb731a17d3f93ae1bcfcee240da603b85d26237 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 1adedefc6222709d30a47ebf7e0c4802 |
| SHA1 | e38ae9fe7c57bd00be2e527cbda4d925eae93a63 |
| SHA256 | 9deec36c127c6b9907dbc2273457168ad021b20c7bfdabd2c72fea7d4aa7aaf3 |
| SHA512 | 935f6c5409c4938eaced9deff5b29ac6796a2ab631f6703242f68576599e241eef54b180b782a42a0a368d897f695f2e16a85b06879f24f28f112c8e57cd3e73 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5a99b2f82f4f4b8ced5ece8e781995c0 |
| SHA1 | a5efcdee4aef18fc22f860810d139807dd7900d4 |
| SHA256 | f5acce36a142219fe16d4bdf58461b31afd1094d1cfc29ea6b27228ea3133791 |
| SHA512 | 73dffb56d4b63626369d15873f3c45c820fbe42e8c71c18b0ce9b6e010feb58ee646f630a85aa534555910d4f6838e41bea36e8939ab30300ad4623a5da8a03d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3520f8a327442726969a3bcda5a07a35 |
| SHA1 | 673ed1cdb5b055c475d2edb5e5fa642c76b9aaee |
| SHA256 | d9a60ffd9a0353df9008902dd369a14bff0d785f6755b1a87ffae4017ccc88ae |
| SHA512 | bd1146c31b6813c7ec1ff258f064a442c2f0ac835a9f20885e2acfacfb5065c7f0ebd754a46cfb2101264380ad022f139fe5a24e26dcc7000a804a3da3b390c8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 81905f0dc567731ca9bb1fd7183d0b06 |
| SHA1 | 78a2a7b74d1ae671a7d84a5040fbf76587704c16 |
| SHA256 | c420aa2d57c3fb41de4ea6f4651d72335002acce1b9ef60d78c568db54df7584 |
| SHA512 | ae0b2111d96c71de5ec762970fcb959a7dcf09361587943246c5a3acc8812d63a89b52323e16b44c278e00051466267a4dfad599445dd6bde31df10e7ee4e4ba |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 358df223df4a527968b7c7f73d2a20e8 |
| SHA1 | 081229e06dae406db472bf503a85391b640679b7 |
| SHA256 | 610fbdbd959889fd4569795b17c08661e74652717283dcc7c11fffbea045692e |
| SHA512 | d3ebfe01e3705c20349072ecf22ec9dca8d0c7e134c2211cec5a326ab3faf0df21a87d92e6202d342e339ca998d4eb52b886e81663d012250e23d63aba698623 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59bcaf.TMP
| MD5 | f1634d94f8f2be3715289dd6780a924d |
| SHA1 | e1326841487415f743ce366db2b7d4f9d1844f59 |
| SHA256 | 1c07e5bd0b3d9f8b91c7409cee337ba6207632ec4e3fa48d19475e8fcb271251 |
| SHA512 | 59e642427d4937671a94ba4786110b731dff15437f94a344ae26764742439421a96177436877582a2f9dbdca528834328649f6f2b2a73dadedc8a234e444ca89 |
C:\Users\Admin\Downloads\Unconfirmed 619108.crdownload
| MD5 | eb9324121994e5e41f1738b5af8944b1 |
| SHA1 | aa63c521b64602fa9c3a73dadd412fdaf181b690 |
| SHA256 | 2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a |
| SHA512 | 7f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 30c960008e1d24807fe6bb0aa1b25db6 |
| SHA1 | de8c8c2ba326a3e13fe4b77af3dcb76ba2fbd016 |
| SHA256 | 333ad00eb7d54d97c8c5e75c5eff7762220c2d8536bdb78252968a300d0d3ccc |
| SHA512 | 76286f6470cce09d31c14c1508893be338b683534748de125216ee6320f98abfcbb371c207fb2d8985b808e8825fcfd583d9038b384897972dbcc7df32c27d8f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 6ce4d438f1d715308996f64599a1954a |
| SHA1 | e717ec5d023c46b93ecfee26d5367186479c0770 |
| SHA256 | 3511c086cc2dd273bdbb42ec54901689cf178a901274306d29219c7ec3738590 |
| SHA512 | ef4064deaed9be5613edb21c712bf548e2d8fd07d120c827b4e8c72fe64ca29ec6e7abf5a53fa16b9560a2c1daca13840dfff3bda796e9fe190ab77b90546668 |
C:\Users\Admin\Downloads\Unconfirmed 168534.crdownload
| MD5 | b6e148ee1a2a3b460dd2a0adbf1dd39c |
| SHA1 | ec0efbe8fd2fa5300164e9e4eded0d40da549c60 |
| SHA256 | dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba |
| SHA512 | 4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 12619e20920c7e54f34060f7799d14be |
| SHA1 | e0a1f200049c8ec3de4cef266e4f83e90113c02c |
| SHA256 | 8e7c375a93ecaae17b73f24ce20a4fcf5627d3eaaadd809804d7bbe94e008c59 |
| SHA512 | a31a4016bca004cf7ca5b9e69f311013a477ad3a38ac3f36d8229e19dabe7fc14b9246da96d12418ef7f14036c53d682f55fcddf3fe8b2bb9b7e0157b5ae4335 |
C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier
| MD5 | 0f98a5550abe0fb880568b1480c96a1c |
| SHA1 | d2ce9f7057b201d31f79f3aee2225d89f36be07d |
| SHA256 | 2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1 |
| SHA512 | dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | ba5db0ccdbb6d1b74cd1b7f718f2fb24 |
| SHA1 | 295ac0132c703b04dd7e83bf824f73db35b9e155 |
| SHA256 | 0989953441afc1ce82ab5c3d2c5b20c1af58b71dadeb5105a8ec0ca707078701 |
| SHA512 | 6d3c3b60c1256e2a4ba03a4b149ad20eb26b14bcfb612c5c7e46f601bf06f475c4b70c630add0a47ce771c1b6b51c04930a605aaa3a130bba2927b0eb5b62815 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\5a82545a-44ba-4098-8859-a981b97e82f3.down_data
| MD5 | 5683c0028832cae4ef93ca39c8ac5029 |
| SHA1 | 248755e4e1db552e0b6f8651b04ca6d1b31a86fb |
| SHA256 | 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e |
| SHA512 | aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | d8c341e864a1570445dc34dda0387b13 |
| SHA1 | 0023b743a2f6d6ad0cd3ab2b74801f197d63ca5e |
| SHA256 | 88038d1bbb8bc1b683efbc2a2636f48171894bac725bf0f545ea6a017608527b |
| SHA512 | ff70389ff613bdce72cb2cee5e9cbc239935a7595805545a7151e76804e293200bb9e8bd3f6dfa872b48c9f8bb75c6722fc10e5bf7dee082d1379741f61e0e46 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b91ad5b73f843c198ad00dd1dcc6c52e |
| SHA1 | c5d37bcdbb4c50f2d728609b6af2fa1418039642 |
| SHA256 | 9e4f3ed90521c3aa36797483eb05c6a235c37413d720ecae7d2ed833c182857d |
| SHA512 | 5731d3b5a58f2a9a8d2f12c5408393571a3d30ac1043068857dc16a6def386b1d91e1de513fd815608e03455bc3abb81a496503c2c5b1078d61028805e5e5576 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ffc151c8bd4eb5648e7738f4712dc76e |
| SHA1 | 7f84682f7cac37ab6a2edcc7d5ef71ee57219c96 |
| SHA256 | 641b997c4a4285ee39bdfb48089966f0c86bea078aa02a1c2b50911bd025013a |
| SHA512 | 077dc706524a88d5f43e9a1296627523f2fe086ac0632a634268e8a08d37c74b640e03a1b146e4d7a6381dab442748a5bc024df74c0795e119e923b0027987e6 |
memory/4396-1251-0x00000260759A0000-0x00000260759BE000-memory.dmp
C:\ProgramData\Hdlharas\mdkhm.zip
| MD5 | b635f6f767e485c7e17833411d567712 |
| SHA1 | 5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8 |
| SHA256 | 6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e |
| SHA512 | 551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af |
C:\ProgramData\Hdlharas\dlrarhsiva.exe
| MD5 | 64261d5f3b07671f15b7f10f2f78da3f |
| SHA1 | d4f978177394024bb4d0e5b6b972a5f72f830181 |
| SHA256 | 87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad |
| SHA512 | 3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a |
memory/4844-1283-0x000001FDD9230000-0x000001FDD9B44000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 5abc6d61a3d3d0ce3c0c637f2f421744 |
| SHA1 | 2f5bf76aed887904d09f83b4aababe62a91ab3cf |
| SHA256 | 09ecf724304feaa9b4fe3c37eef7a0eca654605890d8777869064654f65d3278 |
| SHA512 | 0744fa3c5d3a6bf66626ff4985ab5d4cdb1b4ffbc7c5192e4aa4bc88121fa5d5bf738ccf66ba9675382553f5c26d919c8c077284b0bc608f640ad60bf0af0da3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 13700106cfb9665adca1f1418a9b6b44 |
| SHA1 | 2da59fd8ef792c75ef9c13d7c1c98d32dcb9397f |
| SHA256 | 8c28db01ea0aa77e1e7c152d8d3ce4b073fdd572a252bc2937d6400463363f70 |
| SHA512 | 25127b37f5694bb83f731d0cd44330c2f4e1046a11c4ca219e8ce3f0bee2c46d3c1e9685863c8b4a4c130b19cd7064aa3ef12ccc1d78db3b621325f2f1da9bb2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\dedb0141-39c1-4ab2-988f-785bdb4acc5f\0
| MD5 | c2c4450dd9dd82f2214c555cead43118 |
| SHA1 | af8f5b2955f2f1976128d08045b35d6c939495f5 |
| SHA256 | 838fa0b08fba45c99233254dd2e1b02840c6f2c842a3848ee1fd343d0f3dc6b7 |
| SHA512 | 6e30efbaab63f33776e263a72a42a52fa15cf145edee80b129b50ac80be97411285dc1263cb4609896be6150ba49ba59fae3f906e9cdf55f8539da0d79837de9 |
C:\Users\Admin\Downloads\Unconfirmed 996172.crdownload
| MD5 | 0f743287c9911b4b1c726c7c7edcaf7d |
| SHA1 | 9760579e73095455fcbaddfe1e7e98a2bb28bfe0 |
| SHA256 | 716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac |
| SHA512 | 2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
| MD5 | 9144111da59f7e6a87e9eb9f99cc77d9 |
| SHA1 | 4e78106f8b1b3e55060c9fabaec204f3210f3a39 |
| SHA256 | afda63571a658905f9c3a915afa334f769af93dcfce9076fc24b13fef7527dcb |
| SHA512 | 6296d83c44883d494442e95a8d75d49053549c6479904d35b0044bc57b25fe07bf5983ddfa3d18b29765dfe875c448ec90845540a11aa2d49d8414b9e88efcd7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9e224418ca25f81e4f40b92fef120fec |
| SHA1 | 85c8ff4e9ba70187dfa46ccd9f1a6dd758cbc770 |
| SHA256 | 1687e284a8c168d1153178a4592b0591dba5411a3885cadc2ab45cfcf4443068 |
| SHA512 | dff85542535d355e1c67fa2a89bcbf76df46fef45609ec691faea6dafd44e937c5b0dd9b3bf4152c53b67fbd5d6024c1d4aa7e0577ac2e1cd736efe8b5d20962 |
C:\Users\Admin\Downloads\Unconfirmed 737964.crdownload:SmartScreen
| MD5 | 4047530ecbc0170039e76fe1657bdb01 |
| SHA1 | 32db7d5e662ebccdd1d71de285f907e3a1c68ac5 |
| SHA256 | 82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750 |
| SHA512 | 8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e |
C:\Users\Admin\Downloads\Annabelle.exe:Zone.Identifier
| MD5 | fbccf14d504b7b2dbcb5a5bda75bd93b |
| SHA1 | d59fc84cdd5217c6cf74785703655f78da6b582b |
| SHA256 | eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913 |
| SHA512 | aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | dbdb75321aa17addef3e44780ca45f5c |
| SHA1 | cf2801c7968dff1d34b5442f1e09667de8500e34 |
| SHA256 | 3219c549865f421cd9c6c5c4602b9be743735fd0a6bd3b8868ceee64989f2ef5 |
| SHA512 | 451cbb2eb0d4d4e7aaca084e3cd032f9ca57896e77f411491b4c3c6ac993839dd1d189f0eaca4254cc358c66e7e50182b3dcab59da5e8c8502a97247370c7b56 |
memory/2292-1393-0x000001DB77730000-0x000001DB78724000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 2aaf36710122cc35caecd20bfdcd4b68 |
| SHA1 | de1399ffcdb5e807f7d28619edb71d420ee54c5e |
| SHA256 | d509b10a9da84272248b997766312f79dae6dd53cfb0e11b8d2cc83bcb108741 |
| SHA512 | 4680f2085c84efb98bf810d14ab58a73fe8d852b338efbc2bce8a8d330ba4164f4aaa4a7fbf81ea05a699a476d351415f43aed249600f860cd1c0da4ad540b86 |
memory/2292-1415-0x000001DB7AE70000-0x000001DB7C3FE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 4f0c360c8435b2a5a7569e7c61b2c20f |
| SHA1 | 42e518cde0d114fddafde0d8baad9d910b7280b0 |
| SHA256 | bc650764229d02363bec5dedeca045d61a20ef3fd977bf78ff81250dcea58e76 |
| SHA512 | ed83046f1bcd3566b5b5a118afcbf4dfb46ec9b925d08deaf07ec6bb39c46a1052646c30520942d74ebb3eb6d5b1af5b9ae68d91490168cf8aeddf16ff3fbfd2 |