Analysis Overview
SHA256
7304c9b3a88f8d9a39979bde599a09f7f3e8eac2ec9368e8fc61744fb9881fca
Threat Level: Shows suspicious behavior
Verdict for VioletClient_protected.exe: shows suspicious behavior. Read the score as a lower bound: the behavioral run below records a ransomware pattern (a user-profile file written with a .ENC suffix, the desktop wallpaper replaced with ENC.img, and a ransom note named "How To Decrypt My Files.html" opened in Edge), and the CLR usage log under AppData\Local\Microsoft\CLR_v4.0 shows the sample is a .NET assembly.
Malicious Activity Summary
Checks computer location settings
Drops startup file
Executes dropped EXE
Adds Run key to start application
Sets desktop wallpaper using registry
Enumerates physical storage devices
Unsigned PE
Browser Information Discovery
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Modifies registry class
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-03 16:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-03 16:09
Reported
2025-05-03 16:12
Platform
win10v2004-20250502-en
Max time kernel
141s
Max time network
144s
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VioletClient_protected.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VioletClient_protected.exe | C:\Users\Admin\AppData\Local\Temp\VioletClient_protected.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VioletClient_protected.exe | C:\Users\Admin\AppData\Local\Temp\VioletClient_protected.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VioletClient_protected = "C:\\Users\\Admin\\AppData\\Roaming\\VioletClient_protected.exe" | C:\Users\Admin\AppData\Local\Temp\VioletClient_protected.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENC.img" | C:\Users\Admin\AppData\Local\Temp\VioletClient_protected.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133907622963721881" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1153236273-2212388449-1493869963-1000\{014D9B42-DDAA-4677-A2CE-2886B5DBF9C9} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1153236273-2212388449-1493869963-1000\{E8EA8243-4622-4C83-94FE-8EE8C8718064} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VioletClient_protected.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\VioletClient_protected.exe
"C:\Users\Admin\AppData\Local\Temp\VioletClient_protected.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "VioletClient_protected" /tr "C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe
C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe
C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe
C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe
C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe
C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe
C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2d8,0x7ffdc820f208,0x7ffdc820f214,0x7ffdc820f220
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1832,i,2184377737718815209,13833173755748208042,262144 --variations-seed-version --mojo-platform-channel-handle=2352 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2308,i,2184377737718815209,13833173755748208042,262144 --variations-seed-version --mojo-platform-channel-handle=2088 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2520,i,2184377737718815209,13833173755748208042,262144 --variations-seed-version --mojo-platform-channel-handle=3008 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3472,i,2184377737718815209,13833173755748208042,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3480,i,2184377737718815209,13833173755748208042,262144 --variations-seed-version --mojo-platform-channel-handle=3424 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5068,i,2184377737718815209,13833173755748208042,262144 --variations-seed-version --mojo-platform-channel-handle=5092 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3484,i,2184377737718815209,13833173755748208042,262144 --variations-seed-version --mojo-platform-channel-handle=4976 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5696,i,2184377737718815209,13833173755748208042,262144 --variations-seed-version --mojo-platform-channel-handle=5668 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5868,i,2184377737718815209,13833173755748208042,262144 --variations-seed-version --mojo-platform-channel-handle=5884 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5868,i,2184377737718815209,13833173755748208042,262144 --variations-seed-version --mojo-platform-channel-handle=5884 /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x264,0x7ffdc820f208,0x7ffdc820f214,0x7ffdc820f220
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1900,i,4757500853719523549,14348383100800066021,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2208,i,4757500853719523549,14348383100800066021,262144 --variations-seed-version --mojo-platform-channel-handle=2204 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2144,i,4757500853719523549,14348383100800066021,262144 --variations-seed-version --mojo-platform-channel-handle=2604 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4124,i,4757500853719523549,14348383100800066021,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4124,i,4757500853719523549,14348383100800066021,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4644,i,4757500853719523549,14348383100800066021,262144 --variations-seed-version --mojo-platform-channel-handle=4628 /prefetch:8
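The signatures above ("Drops startup file", "Adds Run key to start application", "Scheduled Task/Job") and the process list record three independent persistence mechanisms that all point at the same copy of the sample in AppData\Roaming, with a scheduled task that re-launches it every minute. The following is an added triage example, not part of the sandbox report: it parses the report's own command line and registry indicators (copied above as constructed sample input) and reduces them to ATT&CK-tagged findings. The path and key patterns are assumptions about what "user-writable" and "autostart" mean for a default Windows install and should be tuned per environment.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Directories a standard user can write to. Anything auto-started from here
# (rather than Program Files / System32) deserves a second look.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    technique: str  # MITRE ATT&CK technique id
    source: str     # which artifact produced the evidence
    target: str     # executable that will be (re)started


def _unescape(value: str) -> str:
    # Sandbox output doubles backslashes inside quoted registry data.
    return value.strip().strip('"').replace("\\\\", "\\")


def check_schtasks(cmdline: str) -> Optional[Finding]:
    """schtasks /create with a minute-level repeat and a /tr target in a user-writable path."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    tr = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    sc = re.search(r"/sc\s+(\w+)", cmdline, re.IGNORECASE)
    mo = re.search(r"/mo\s+(\d+)", cmdline, re.IGNORECASE)
    if not tr:
        return None
    target = tr.group(1) or tr.group(2)
    every = int(mo.group(1)) if mo else 1
    if sc and sc.group(1).lower() == "minute" and every <= 5 and USER_WRITABLE.search(target):
        return Finding("T1053.005", f"schtasks every {every} min", target)
    return None


def check_registry_set(indicator: str) -> Optional[Finding]:
    """'Set value (str)' indicator of the form <key>\\<name> = "<data>"."""
    if " = " not in indicator:
        return None
    key, data = indicator.split(" = ", 1)
    target = _unescape(data)
    if RUN_KEY.search(key) and USER_WRITABLE.search(target):
        return Finding("T1547.001", "Run key " + key.rsplit("\\", 1)[-1], target)
    return None


def check_file_created(path: str) -> Optional[Finding]:
    """A PE written into the per-user Startup folder runs at every logon."""
    if STARTUP_DIR.search(path) and path.lower().endswith(".exe"):
        return Finding("T1547.001", "Startup folder", path)
    return None


def triage(cmdlines, registry_sets, files_created):
    findings = []
    findings += filter(None, (check_schtasks(c) for c in cmdlines))
    findings += filter(None, (check_registry_set(i) for i in registry_sets))
    findings += filter(None, (check_file_created(p) for p in files_created))
    return findings


def persisted_binaries(findings):
    """Distinct file names behind all findings; a single name means one persistence chain."""
    return {f.target.rsplit("\\", 1)[-1].lower() for f in findings}


# Constructed sample input, copied from the report's process list and registry indicators.
CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\VioletClient_protected.exe"',
    r'"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "VioletClient_protected" /tr "C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe"',
    r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe",
]
REGISTRY_SETS = [
    r'\REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VioletClient_protected = "C:\\Users\\Admin\\AppData\\Roaming\\VioletClient_protected.exe"',
    r'\REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ENC.img"',
]
FILES_CREATED = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VioletClient_protected.exe",
]

if __name__ == "__main__":
    found = triage(CMDLINES, REGISTRY_SETS, FILES_CREATED)
    for f in found:
        print(f.technique, f.source, f.target)
    print("persisted binaries:", persisted_binaries(found))
```

The minute-level trigger is the part worth alerting on: a legitimate installer rarely schedules a user-profile executable every minute, and the task survives removal of the Run key and the Startup-folder copy, so all three locations have to be cleaned together.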
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | appengine.google.com | udp |
| US | 73.179.34.234:4872 | N/A | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| DE | 142.250.184.195:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.28.11:80 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 13.107.246.64:443 | api.edgeoffer.microsoft.com | tcp |
| US | 13.107.246.64:443 | api.edgeoffer.microsoft.com | tcp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| GB | 88.221.135.2:443 | www.bing.com | udp |
| GB | 88.221.135.2:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 150.171.27.11:443 | edge.microsoft.com | tcp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| US | 150.171.28.11:443 | edge.microsoft.com | tcp |
| GB | 95.101.143.177:443 | www.bing.com | tcp |
Files
memory/1388-0-0x00007FFDB8F23000-0x00007FFDB8F25000-memory.dmp
memory/1388-1-0x0000000000D30000-0x0000000000DAA000-memory.dmp
memory/1388-2-0x00007FFDB8F20000-0x00007FFDB99E1000-memory.dmp
C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe
| MD5 | eaf9c62f7cdb70a7a58524d9e209ed92 |
| SHA1 | e287505193f0f4efef2a7aaa0d70ba86f4e30d03 |
| SHA256 | 7304c9b3a88f8d9a39979bde599a09f7f3e8eac2ec9368e8fc61744fb9881fca |
| SHA512 | 34264e68b007094ea68b25be43117075a9f806f85e61b4923fe4d124a7271eff1297231d981b7a884bd82f947307ded3f9cb05a3adf33a612baa761ad5e2f425 |
memory/3044-9-0x00007FFDB8F20000-0x00007FFDB99E1000-memory.dmp
memory/3044-10-0x00007FFDB8F20000-0x00007FFDB99E1000-memory.dmp
memory/3044-12-0x00007FFDB8F20000-0x00007FFDB99E1000-memory.dmp
memory/1388-13-0x00007FFDB8F23000-0x00007FFDB8F25000-memory.dmp
memory/1388-14-0x00007FFDB8F20000-0x00007FFDB99E1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\VioletClient_protected.exe.log
| MD5 | fde7cc81ed0c50e7ce18702102f19ace |
| SHA1 | e9f02b348fda9b22bb3999b4ebef4d366f153086 |
| SHA256 | 00ac4add3fbf73f31bdeb249969dddc68da554c9e9383ec524d63c64dc3f4b53 |
| SHA512 | 75bf55c4f619948f16e29f51008d026e7789eda82615f566b150d54f5769b64d7fe1a6ff8be458e2630be621c551183dfe272ce0a579024065cbc2b4b26f4bf5 |
memory/1388-18-0x00000000013A0000-0x00000000013AC000-memory.dmp
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC
| MD5 | f5c4fca52ede7a1173c28186128056d3 |
| SHA1 | c5184c28a972a646c8a3fe68f3c25e77ef2612af |
| SHA256 | 0bfe4ec1ae3f35ea64a3976443ad90f2825528df97c96a501f9a97af0fd74435 |
| SHA512 | 29694fe89b3037a0ca1ee95382791ee2f3c4a9dd0067f41cf1152234fd45c3282bd43ce4edcd8b8c015868a21df78cb9b2d52e145d1caa4a5e04d0524092da1b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 3e9ed75cc14e09fcd8c49a2c7bad63b9 |
| SHA1 | 8479dcd133586769c38ac844b075b69801cbf6de |
| SHA256 | ae49d33bedc3dfdd82480c73f6399842b573428864e6d43a426a2678b9fd9350 |
| SHA512 | 6f5e46a78c9b7f07f9254466a4f470fc26c92163245daa85e7a33aa5b8215847a680f531c3a5d6cb0ad4a914de24d81342ad75ba3dbaaf6675acb7a3938308af |
\??\pipe\crashpad_2564_KHCQNMRVZJTVMEBO
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 36326fcbb6119326e7c8aa24c4156548 |
| SHA1 | ed128a9727e1d58b970e732b8c66fc827b18372b |
| SHA256 | ac41191dcaf36d91f7bd9a077bc59b1bd7218daa27b263d1da6a548f58264987 |
| SHA512 | ed5c79f1edc0c65a1cf0ace91ea5538245c1569c3b25ae3cdf033ffcb55d37e7b09baec36570e82fc1525c24224cea08a53abab7e52db6376f48f099ffefd1fe |
C:\Users\Admin\Desktop\How To Decrypt My Files.html
| MD5 | d945801bb65b57524011cf0474ba0f0f |
| SHA1 | eb4708741bb6dbce89239ddc1dad3a43dfb4403d |
| SHA256 | ff1afd836f4bc07130484d89690d8251dd10218cc15b5a15fa04228376f55268 |
| SHA512 | cc2d9b4f5467ea53f05f65d76047c7f9e9f6bef8dd618ae9f834cadefaece4ea71e7d3814c32be7fe3c4bad0b27d6aafb27b1b5a4dfcfb53e928356dd92abc21 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\e64043f6-4113-4a62-a96d-fca81b47f7ea.tmp
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
| MD5 | 98f225383546a5180c8f7dac9a2b89b3 |
| SHA1 | cf1507013516322fcd8b6d9ca362210faf85bb75 |
| SHA256 | 0b59168796dde7a57a0395ebe127330bdebc2b811f7a396bbdffd31b4696eb0e |
| SHA512 | 010e94ac619c7156a9b3b991b6fd051fd9936868455b67cf1464a72ed991fb01940f78822bd9a3a4e5a6c0f1984cbba31787f6f49d46568b251c8b548b51d128 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log
| MD5 | a84ded1957f009e61ab3e93e0b6442dc |
| SHA1 | bd58dd172789557a24fe25d31cd220e4794f88bd |
| SHA256 | d487cffae8a6728f74b3ea1f14863720c516be79bb52294602d8eef0eb074747 |
| SHA512 | 091f51f034abdc5d0b8ea71cc3819ac5b45abb91eb40a9f7fb1c87c921f90a6e7c0b452cf92ba2e5a7a5668e75b1a15ca1dbe21cb92f3bcb45b5820cc16ea24b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps
| MD5 | 06d55006c2dec078a94558b85ae01aef |
| SHA1 | 6a9b33e794b38153f67d433b30ac2a7cf66761e6 |
| SHA256 | 088bb586f79dd99c5311d14e1560bbe0bb56225a1b4432727d2183341c762bcd |
| SHA512 | ec190652af9c213ccbb823e69c21d769c64e3b9bae27bea97503c352163bf70f93c67cebbf327bfc73bfd632c9a3ae57283b6e4019af04750fe18a2410a68e60 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | ca38e580b3429225c208a6dffbd4ee53 |
| SHA1 | a0d1291ab5cdd53092d14bfcc02fd58ca8097c67 |
| SHA256 | b32525bee09109df6827b314d2557f885f14eca838cbb9d939affedf42a13028 |
| SHA512 | 3adbd28acfe86346961f3c9c15e3c7a6f50357b45b09d1b6c9e58229247303ccca0366d208831f49b1693b22840625f0f15a0dcb5c48fdaa35c4a2bb25a5bf5f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d260a83077599164396a1bb49efb9897 |
| SHA1 | 0cdc3f02ae26cada071ab3d7e0017ea57fefe1e1 |
| SHA256 | 31d4dd16e5f58d6fb6e4c262e66eb9e8928e43fe6286de94f0b942f7d7525662 |
| SHA512 | 5e9c0e418f36a8ec85476a805caf0250522faac3a1f553eaeb5d4867d7f0523b031154cfc68d553d202f6e1a49270275e824f58162cb58cbc44ed0399fcc5229 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 8ab584c846e7b8719e79431576431aeb |
| SHA1 | 1af5577a93fbc4e690abb3457901a2b24b7186d5 |
| SHA256 | 9f9de13baa86b09bc1d435ff99f6aa0e21e9757dea7bbd5f0890c550dfc2f071 |
| SHA512 | 4df51f14409413a614f2af5d7898021865c0aa9dadd162bf5d4cf155662cead0bf68aea786d97c931e147462adae41490d2d7207b91735b675787990840a9ca0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
| MD5 | 20d4b8fa017a12a108c87f540836e250 |
| SHA1 | 1ac617fac131262b6d3ce1f52f5907e31d5f6f00 |
| SHA256 | 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d |
| SHA512 | 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 9e57028c240594ae12b252c36ad686ad |
| SHA1 | 0102ab0a1d0105ab9e05b5663a451bbb9133b194 |
| SHA256 | 238a53eadf45b4c408a8664b5e886915bc26c0bf48430840bb66c68d634b68f9 |
| SHA512 | d8d90777dc1d8f51089b8df31a279194eae9e1ad930bdd4a522d3f59b3fd9c6b1b13dcfec5d15d3885a0223fea95931dce8a68e6b79f115f27fd4e99399be685 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnGraphiteCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d123b68c8eb714c7ec6a15d05e5c6a8b |
| SHA1 | ba3475d21b7156cd46d1dcbce3a055cd171449e1 |
| SHA256 | 7a3ebc660a90a4cd5bb84ebffa33d9559972a38ce9e28760e88d3550c02438fe |
| SHA512 | 825cec83da1201de17227da692f4e0f7cdbacc1bd18e305b6ec6840fcaad7ab3bdc2a3c2785a6a64b9b3401a2d4414c83ab387ec768cc1495b76c0e58cb77bdf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6065a2c030675cfa66b0747f605189e0 |
| SHA1 | 49732d825b4ff6d3e452712f9a2f0f7a178395ed |
| SHA256 | 2dd768748e8b562fcaf00daa0c550ed8d0faf9ffa92b579dec2995bee641bb81 |
| SHA512 | 4abb15f2a827acbefe75aa0bdb963e2d2bffad798396daad6f4ec46818520a3ed6e867c8f04ec601ee4999fa7a2143489286db4029c73fe0ae8feec0bd7b1464 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 894be9bc9085514a2e09b4c51ff38d7f |
| SHA1 | e6e106b3395a0ab1822ff112620cd6a160fac7a6 |
| SHA256 | ad9ab6a403ceb6b1162b64ef510327915b9469cb37cc6401c95e7e82d6efbfcb |
| SHA512 | b2b1fedc67d2439a5ddfd3998bef0197596275b64f424d3ad843808880b78865405e0c8df9f9fd2db664ecae2693c2d8750a6b18fdba7db6adc90261e9a25c9b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | de5c3c4331eefaf834ec86f8014e3158 |
| SHA1 | ecbd704107513a36c8a3b38f157f5f115a426078 |
| SHA256 | c2c0ef0808098f38c9dabaa30261a9c790350609ca070a4a9f17df04e3f1827f |
| SHA512 | 6200c8b840fea21e086d2777f7716a3861e9da538908d92417c3cb29aaa92049336859903f7975c1d28034951ea2818620290d2f880d0cf2e0160ee982505657 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Variations
| MD5 | 961e3604f228b0d10541ebf921500c86 |
| SHA1 | 6e00570d9f78d9cfebe67d4da5efe546543949a7 |
| SHA256 | f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed |
| SHA512 | 535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
| MD5 | 3e45022839c8def44fd96e24f29a9f4b |
| SHA1 | c798352b5a0860f8edfd5c1589cf6e5842c5c226 |
| SHA256 | 01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd |
| SHA512 | 2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
| MD5 | 14d2dc9defc7d751e406ce276fe6f2a1 |
| SHA1 | 1e7dba87a4c4d2481c20dfcf1b8df503242284db |
| SHA256 | 0d614af9d8fa94faca4cd27b8e36fb862c5c109feb1a8db15f0df17150319669 |
| SHA512 | d11520c7cc381999deb16f5a2f8e6fd6f1c7b19060c3226ec3fc5a4f015bb4833227158dba1957855575ede909b281508678e94023e8a403a4876c049d94e5bd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\default_cloud_config.json
| MD5 | 256c40bace492c4e28451ce149d2f9ac |
| SHA1 | b48b0eaf986b9efc91d5c8dd394dccb6d82e2adc |
| SHA256 | f9e4da319fe1f5a7d497c452421f4648a24ec7588f309ebea0f0cd61a6251eef |
| SHA512 | 33b38d1ced015798722180fc8c8ce6daedb18cd5d0e4b3db27d6176c13cf3ccb1bd79f2e68ca390d6eb43ac508c29067e8f1a3ee9f0167cabe37ebbddf6b0ec0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 7e41a9377c89fa0beae970953e0859ac |
| SHA1 | 600f92946502f374cfb3e11e8747ed92ffe0ddd0 |
| SHA256 | 85cfc12e48c08a479c2d63c87f1868209cfbc181f35005c0fc70cd423078293a |
| SHA512 | 495b1b936ea2e6a95c5e51533434581d17e3c9bc48afc2532aaa9add10bb24808f49edee279e448eb6f95751c1a07c4ffead3d327484ce4cf8768c7b3a4052ca |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log
| MD5 | 17e6ffa94bd478d302a886274d7261b5 |
| SHA1 | d1db27d0f929b3985d71838e877d5b8d5b2cc35a |
| SHA256 | 0d1b594ff94baad6a94830ed02a87f5af269e2ace6c92db844775037f0094fcc |
| SHA512 | ecbf4959b12284161643bdc832dcd926460807bfa92772b8adb7a2e2246d6e5abd9fe6b37430ed45b084e1a804f92819fd5d19e4086dac12c873f81f9c93b8d3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
| MD5 | 40102d256693ddc75195854b8dddf1c3 |
| SHA1 | 9a7bcbe89c067c6f2edb03d7d94061f34ebec336 |
| SHA256 | 62d3f2e867dd244d68c07ed61e4ca089ea396bacb984a8515d07e99a3de0666c |
| SHA512 | 894715ce2d3165d449fbf9ef049ce95085a4ca9916ccec763f2084a82665fc8ad438f153d9415ad5b8ad81fb5bb506b88508f626ec535aafa9f9ffd447fee2b9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG
| MD5 | 19af77e639f2483e19cc0c2ca35c64bb |
| SHA1 | 00716412c0aae75774645d943ac5c7a7cb64d5c0 |
| SHA256 | fc7f9db41974943c5e9aedb19a11fddf7544d094f922350dd818949260e350c6 |
| SHA512 | bdad09747e8c245c6dc750a8e29196c5c13379249ef969da203981644b1f43f37bd8c337729b8cfb0d0dfc7a0e52db33aee1a15bbaaaaceb4401a67042964f13 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GraphiteDawnCache\data_1
| MD5 | e08b1defc5fa42f0f0062c0be798d02d |
| SHA1 | 671be69bfe80c7723e507ca876292a54de467e32 |
| SHA256 | 087367ccade596b5546fc0a9385cebec4e1602d5e79438a368dd47695450a1f1 |
| SHA512 | 6269bec5063a79d01fbe2f58e695b72077ca27cfcc6f0274cb7b713a589a9da0c40f7ab2d7d80b60fbde3f883cd26f17c17b35fccb7acf69a281afed73e57aca |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\data_3
| MD5 | e03f6fc5eae46bba4d08437065fa2770 |
| SHA1 | e85672a1b2fd896b0c24be2aae38b107915b4b21 |
| SHA256 | 3c3418d4548cb681c37c2ba299d1c78a05efb9411b16d037603ef6e63efce3d1 |
| SHA512 | b1db03d8e4f34953eac198121e96a78cb81f6add4e9fbc10187d7aa11a7aa9602365d90945be4ea9acbf1ed55b42653c844847d2b94075cd4d4d6ead5b5e075b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics-active.pma
| MD5 | cfab81b800edabacbf6cb61aa78d5258 |
| SHA1 | 2730d4da1be7238d701dc84eb708a064b8d1cf27 |
| SHA256 | 452a5479b9a2e03612576c30d30e6f51f51274cd30ef576ea1e71d20c657376f |
| SHA512 | ec188b0ee4d3daabc26799b34ee471bee988bdd7ceb011ed7df3d4cf26f98932bbbb4b70dc2b7fd4df9a3981b3ce22f4b5be4a0db97514d526e521575efb2ec6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG
| MD5 | f547333cf863cff2adab2643813861dc |
| SHA1 | 1ea22d3757412fae4b5543833eaa34bb322d423f |
| SHA256 | 0ca509286511094706de0c70fa89a03a739761a16ffc36a4714b6328f43c7a13 |
| SHA512 | 0ba14a53667056756cc4af6206d5148d75d676616c24901404c6f530f5317c748e02f7a8642f828c66375c7b7c41d9bcb3ebf5692e55fddb05f4c3456573268e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser
| MD5 | a397e5983d4a1619e36143b4d804b870 |
| SHA1 | aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4 |
| SHA256 | 9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4 |
| SHA512 | 4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db
| MD5 | f996dd5de1b31006dc726733b007ddaf |
| SHA1 | 3ce779ac280cf569e83359dc75ce2591f04d4b1d |
| SHA256 | 564873a7992ace1feefce44c3e929dcd9902de83261c39b963b8d563379c201e |
| SHA512 | 10f03594e572b54940425361cf9bb6788941c724bdada101a52ca091fb3c146e8ff363093d850649d88f0f45702cb27ad49c136cd572b12380f054a9a33295cf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log
| MD5 | a5e56150a28f60997ef9129051dc1d59 |
| SHA1 | 399daa0518be8c5a1d295de5061fa94475ad7447 |
| SHA256 | c74efa8df203bc824af791e07e11ffce93fe4f375bf84a75af348647ff537415 |
| SHA512 | ff359ef9851a256c228c07f9d1305488f0a687cfd9c56e4f19d2af5710201cfb308e06b7f0d71fb1c35bcd08702b4c17630ac430f425b12cbd54e9104e3d0453 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
| MD5 | 052df8fe64414f4516e8f7f7124a1de7 |
| SHA1 | 64fb383adf3f4140f95cdeff4febc691ed061061 |
| SHA256 | 4062bceda97a1884cd38de15b53f8a5b16b84b86ef311a9ad8e2977ca27a2ae0 |
| SHA512 | f3dad7858bc64ffda8d357920dd17970f1abad31795bdadc9c6a9baad4999c8c2cb9b55f5ebecf6630f10c96c30131daaee3e8737efd2b5ec6c5b0d9d674b90d |
C:\Users\Admin\AppData\Local\Temp\cv_debug.log
| MD5 | 95295cf39d7af2bd92c78c5ab4cbcb9f |
| SHA1 | 11e2fec332eb4463c5d532a1d54e0cc6701cc12a |
| SHA256 | a6fd452413a09305025cb23c52d7663bae2a2ced8c55575a4f3acceda3217f16 |
| SHA512 | 8e3767c70fe22273b62c7b12bd5120bba8cf93a9b7dc9696782339ec7af981cd443d9f0bd36eb242dd1f44ab9867954790d0c83179d795cf3ee657fd953eb933 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 59d3e3ccb8d73684023b287c1dc4650a |
| SHA1 | f989d6d53547697667335762bd843a6b26ea04f5 |
| SHA256 | da635f10f1c92925f0579ebbfaccfe6512a81255722740213808bc39ebf5c6c7 |
| SHA512 | 038d405074d54756d8b0daafdfb6d0b9382bbfc40b2a2e630b92fcf797fca05e987d1c3ae0e0240f21d55216f51d3c0bdd88a7bc6ebea11b72ac1fca36309e28 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\favorites_diagnostic.log
| MD5 | da0b82a7d7ce52a29db9ccfd47aa0e1e |
| SHA1 | 4fc49a5dce61a2d274de349bbe6d23996287e2c2 |
| SHA256 | c499b25989fe5ca0d9a5930161da3cdf3f4fbac5498e4d123bee2c44f0885758 |
| SHA512 | feb33ec4d1e1cdd1e5d57dce5d4faf3963d8fac279daa56558860500b2ab8ac53089e46795bb01f7a9a14fdb11950a27a7444bc42c90ecd235a8e75148aaee55 |
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\8b0d4544beb97a69dbb9583fca5575a9aba6e37d.tbres
| MD5 | 242d70ea68443de3f4e4ce97bb3a2ea2 |
| SHA1 | 95fe1b9e532af7c183e98ee56ae7e14dfb2d585b |
| SHA256 | c87154c8c04c189a7f21d66f473c6e86a7864d02b9abfc76c152d287b22f4d05 |
| SHA512 | 5e9ab252a896cf69539e4805df4522fddd8e37873022afe80bf309745f91989969cba4cb9ced85a509818e053d1ebbb6a61d22507badb7d6bb0c3bc0f0d5195e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\data_1
| MD5 | e5ef1426e55a854ff2234f80f7ec4159 |
| SHA1 | 8e5e7cd735c1a7dded3402b3ba748e4411747605 |
| SHA256 | 36eb7417f3b0d12c595078d8f34579ea8043c6622f806835971bbc4698d81e80 |
| SHA512 | 9ee84ea42a04f90537c4d53b5f7bb8ae27f25a54d05c59a65d8928372e3c66f8f58f3823d457120ee38f6822e0e05f4792853d534db508e73b43fd11e66cfbf5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\data_0
| MD5 | 1a096e210d71cf13e0289efa48f24dfb |
| SHA1 | 181f13fb66406ec82fa0ff847b77068eadddd61d |
| SHA256 | e135935beff12a678b780c6a4430b03ef503718d81cadbc08f6d1f5bf0fe285f |
| SHA512 | 14422bcbde35748ec7a64199d9e60912c9e3c96737dfcdbc885e47f41cb17fa3af73087c07598ec10c0f3fabed1b833aea31f6527acbe0760ddf9bccba80afc2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log
| MD5 | df30064d2ceb0e92b6f9163215badcbf |
| SHA1 | a879c1d2bbe30df3274d4e502fbaa7ba6cfcf993 |
| SHA256 | 9b8436c810e5791111faf60772413faf41785d3113018733a265e8bed8d7dfa4 |
| SHA512 | 482e3d214efe1a2d73a9b2e8b699f4de6be1b4b8b90f07e7a21bc152adf9bf6fdd4b9e1aae82289adb823d7b33b2b89d6f06db8e80f87e2ca4fd1b6aa6d1b4bb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\first_party_sets.db-journal
| MD5 | 05aa68357908cce2f8ac7a451c9f38e0 |
| SHA1 | 944eaa680aae8aedcc039aaaf2994874b46161ee |
| SHA256 | 5b8b50676535c7a0454fea4b6c99dd88b9d07b1abe9f6589830ef6480a7df950 |
| SHA512 | ab8bdff49f75d449aab17a19c84e29c40639e2fcef114d8e91e18f95edc11f5f314975402f553d1118dd7f1345802b324d70a77b62d8b38d96622581ef73813d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\first_party_sets.db
| MD5 | b732993fee92feef21e1c2e9aa1fcc0f |
| SHA1 | b8bffce1a85e8f568ddcfcc7e0f66b29cfcce13b |
| SHA256 | 43bc697650b73e2fdd4b361e42fdf601afee195af55fbb6307bf3a08263f810a |
| SHA512 | 6c196ee8d757d793a4f37fd874126d1abbb99b28aded0f84d48d6fd59480079a0b8d8226acd02103fc9c08e84d29286698d91b8dd356e3793de380a04431054b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
| MD5 | bcdb4eab065e4334a84a1fac49c5778a |
| SHA1 | a8410f1247f61fc924ab987340e451c390dd5d14 |
| SHA256 | 3382bce8070288ba49cbb8539eeaa49ab1f4286d7c20bdca2e9f67a4c95b5eec |
| SHA512 | 1cb7c55e608ce3d0f1205dea80e6f75e6b79a62047e66ab8acafd9b4891334f85c9666d7340d061659bcc28c1a283ccacb6936ab81bfd5bc6b7c2be668dade41 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG
| MD5 | bcac3edefc6b5c69aad9d9a79a9d25be |
| SHA1 | 85b67e504e43d00c75d9e932800c67193062fc11 |
| SHA256 | 774fb4e37ac5f4050e3775b4bead20d3b637849c050bd7b83435a4c44c1a3c56 |
| SHA512 | c1aff4743baa7fdc9e9a8d29c8c71edebbd84fbd5049f016cf9e7bdc2e418dab3225a029bc63be27c40b65cad16ab7348262ba442094da4e7afac6e18b43f033 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG
| MD5 | 5ebbd9b4de6465eca6f82cae7188ab3f |
| SHA1 | e0a10579a033d8aa4b8fdf54daab4488cd3b28b8 |
| SHA256 | c2138309926298b80fbb1fe650fbcd51bf8657eab03cda200fe0fdf7a80150ac |
| SHA512 | 9288bd58e2b7df30f16ec710b5ba6eedd7decf3599d2ae91df843a1cf0df854b5b1c84921c61f81d25ce282100556558977d11bdd764abe3794542966c07daae |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_3
| MD5 | 114d538e3fb2a17030ac9f542e0fe992 |
| SHA1 | d60de1e5150e94043fe6d46fa295423dc3d0551a |
| SHA256 | 0bf5885c42aa5b47ca11d5e8e6f188e67de6e4ad37b3f191c76fb41199a70133 |
| SHA512 | b5449b1999609efe09833e1b72fca8e03edf5f7ced9c578b22f2bca0c6d547ac2a8e587628b74160c0bb49fe166e3793694fca3ee8f4c2923659898c4cc05871 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_1
| MD5 | 9a7976ce23236bf20f863da30a3b92d1 |
| SHA1 | 0c9da7497cabc2bba5cec1057551cc45a193be20 |
| SHA256 | 943d3886430a879c838b6c052829891ca42e5beb7bbf965f2ef0ee9c02ee2d33 |
| SHA512 | cc3512cf651736d4aa6b9b0749eab6b475f51c52565ca3b000f1af330fbf313a13732a3651d078dd1f7314382163e822b8a1541302b8413c01776bfc8f34b1db |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_0
| MD5 | 42d56addd27d7f2fcb7694c36259c02d |
| SHA1 | 365f3810bd8a1040f206a3ce529bee45bf5350ed |
| SHA256 | 51c74d9a9d9938e13479f320a06d6ccaa5fd060ebb52c6152932d682a7c86885 |
| SHA512 | 86c6ad0714ad588dbaf382f9280e30bd8cc22a56e6175462d141e76f3277441b5849bc3fe1cd32d8a89f6f72ba65202a3ca6627e4c3f28017dced8618e41ffe4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
| MD5 | b6a1c9759ae6494f2b772b95778d2f1b |
| SHA1 | c19df5dcbce538aa8f98e4c663a6e5839c8ab02e |
| SHA256 | 055c060f444c578ec1c409f5033fec4c6c82f1d0a3c3419848b7d0c3ce403ebb |
| SHA512 | d0cf9b134ee6f44965a919bede241860bcf42168251540c16982315b503094a7d35c061663e2201614a4e67e4bc873da77dd57ab5972b73532a30b925a8d9c77 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
| MD5 | 67f7039a75d8378dc16bc7a4a6e51248 |
| SHA1 | 29e50751f894ed11219f8e5c098ff9dc778dd5ab |
| SHA256 | b82268053401814ed844d97f8bdffd9b03a0ab634e609d487088b1b0b8474f2c |
| SHA512 | b4229c5970406a6aa402478a030fa1f86611cbc8a14a6b24c84adbb6476a3a99709fc17ca609acc66b63bed272828f83f82367d1403cb0f95c503ebc44100076 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1
| MD5 | 36b37431f6f230fd65d1f9d1212a7462 |
| SHA1 | 8be2203b22898b9349fc70b67618d3c033ccde86 |
| SHA256 | 85b1c2c0b2331a7d480699fd8040ba7046f2510ebd9b8010bb0bfd29b8a20d3e |
| SHA512 | ef966842e1ae47b372f92d53eaf45df1776fbf2d86f920ff11075846ffd1eb69088d9abd717812226d22b175a8db4e9c86a4834a118b5402bca052427511116d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
| MD5 | d1f9a1a945298dc40fa5c98ba379c77d |
| SHA1 | 96b527884a744c8d37a9d5f1d26e83bd3cf38da2 |
| SHA256 | f06c9c32e7e5efff0e137b68bebcb3c3cee87578f20f6e5692c0c0c472f241bc |
| SHA512 | f91bc378ef7ee5d7b1fe0526e6bc6bb307d05e57df17fc62de277cf2d05da8f4821f2154334185024bc371162355c708b719d21bca54aa86a08185a7bc27d1d0 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-05-03 16:09
Reported
2025-05-03 16:12
Platform
win11-20250502-en
Max time kernel
101s
Max time network
104s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VioletClient_protected.exe | C:\Users\Admin\AppData\Local\Temp\VioletClient_protected.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VioletClient_protected.exe | C:\Users\Admin\AppData\Local\Temp\VioletClient_protected.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Run\VioletClient_protected = "C:\\Users\\Admin\\AppData\\Roaming\\VioletClient_protected.exe" | C:\Users\Admin\AppData\Local\Temp\VioletClient_protected.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VioletClient_protected.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\VioletClient_protected.exe
"C:\Users\Admin\AppData\Local\Temp\VioletClient_protected.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "VioletClient_protected" /tr "C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe
C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe
C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "VioletClient_protected"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFF5F.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | appengine.google.com | udp |
| US | 73.179.34.234:4872 | N/A | tcp |
Files
memory/1604-0-0x00007FFD2D973000-0x00007FFD2D975000-memory.dmp
memory/1604-1-0x0000000000A70000-0x0000000000AEA000-memory.dmp
memory/1604-2-0x00007FFD2D970000-0x00007FFD2E432000-memory.dmp
C:\Users\Admin\AppData\Roaming\VioletClient_protected.exe
| MD5 | eaf9c62f7cdb70a7a58524d9e209ed92 |
| SHA1 | e287505193f0f4efef2a7aaa0d70ba86f4e30d03 |
| SHA256 | 7304c9b3a88f8d9a39979bde599a09f7f3e8eac2ec9368e8fc61744fb9881fca |
| SHA512 | 34264e68b007094ea68b25be43117075a9f806f85e61b4923fe4d124a7271eff1297231d981b7a884bd82f947307ded3f9cb05a3adf33a612baa761ad5e2f425 |
memory/1368-9-0x00007FFD2D970000-0x00007FFD2E432000-memory.dmp
memory/1368-10-0x00007FFD2D970000-0x00007FFD2E432000-memory.dmp
memory/1368-12-0x00007FFD2D970000-0x00007FFD2E432000-memory.dmp
memory/1604-13-0x00007FFD2D970000-0x00007FFD2E432000-memory.dmp
memory/1604-14-0x000000001B7F0000-0x000000001B7FA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\VioletClient_protected.exe.log
| MD5 | 4a01567f513143419390cb40e6abaf71 |
| SHA1 | d0d714d6e526a652fc4e5de4e6040d6b0e7687ab |
| SHA256 | 6efaeb6a1b391155453a57c7e437575bb18efc174f3099d984d9dea49eecebad |
| SHA512 | 379fcb42d0f72d302482fadd4f25cbfa9c5f6a9c50222877d0eed91f237ec688eb52f65ee0d3fccfd017a6b14bd36f34fa0b77a388728fe3942a981322d7a4bc |
C:\Users\Admin\AppData\Local\Temp\tmpFF5F.tmp.bat
| MD5 | 4788c8214727bd55b129a3138d96886b |
| SHA1 | 3a5f8185ce339a5cb937ca9fcbf4ce09c6338365 |
| SHA256 | e3d09e90cfea6240d132b6cab574483455a8ceb09f6fc058c541f3340a6dd1fc |
| SHA512 | 80f63d90b4b61e3183def492139a35fbec73bbbcfaf05ec2c37f3489001dcedf710e5a70dd842520aebf611ab34bc1dc28aee857373ad921181b0de6481c862f |
memory/1604-20-0x00007FFD2D970000-0x00007FFD2E432000-memory.dmp