Resubmissions
01-07-2024 06:05
240701-gs7rts1ekm 801-07-2024 06:02
240701-grl4qsxgnh 101-07-2024 05:57
240701-gny9ws1dnk 701-07-2024 05:47
240701-ghchyaxfmb 801-07-2024 05:44
240701-gfekhs1cmr 101-07-2024 05:39
240701-gcjp3axepc 6Analysis
-
max time kernel
192s -
max time network
153s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
-
submitted
01-07-2024 05:57
Errors
General
-
Target
sample.html
-
Size
494KB
-
MD5
90570683931d5f8a2ad2eac54d7ec9b4
-
SHA1
2e04b4ffa1ffafac3b5424bf6c59d0eefee13858
-
SHA256
9b7222bb21f452ddcb74beab90b78e805578d65c4e43758853f833ac1edb5ce1
-
SHA512
08cb12405bee74256212037938c3a367add8d6067c326fc154d2b6d9128254f817fff9e61672d67d4d6f4f37b78df6209b94f71c69f53abbf9db59bf0e36ec2c
-
SSDEEP
6144:lZHU5+U52U5ZU58U5ZU5BU59U5qU58U5Rb2:l5UAUsUbUGU3UnU3UIUCU3b2
Malware Config
Signatures
-
Executes dropped EXE 14 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 8 IoCs
-
Modifies registry class 2 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 44 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff721f3cb8,0x7fff721f3cc8,0x7fff721f3cd82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5028 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4916 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\WinRGBDestructive\WinRGBDestructive.exe"C:\Users\Admin\Downloads\WinRGBDestructive\WinRGBDestructive.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\4532.tmp\4533.tmp\4534.vbs //Nologo2⤵
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\mbr.exe"C:\Users\Admin\AppData\Local\Temp\4532.tmp\mbr.exe"3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\bytebeat1.exe"C:\Users\Admin\AppData\Local\Temp\4532.tmp\bytebeat1.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\rgb.exe"C:\Users\Admin\AppData\Local\Temp\4532.tmp\rgb.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\sinewaves.exe"C:\Users\Admin\AppData\Local\Temp\4532.tmp\sinewaves.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\Lines.exe"C:\Users\Admin\AppData\Local\Temp\4532.tmp\Lines.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im Lines.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im sinewaves.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\txtout.exe"C:\Users\Admin\AppData\Local\Temp\4532.tmp\txtout.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im txtout.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im RGB.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\patblt.exe"C:\Users\Admin\AppData\Local\Temp\4532.tmp\patblt.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\txtout2.exe"C:\Users\Admin\AppData\Local\Temp\4532.tmp\txtout2.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im patblt.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im txtout2.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\invmelter.exe"C:\Users\Admin\AppData\Local\Temp\4532.tmp\invmelter.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im invmelter.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\cubes.exe"C:\Users\Admin\AppData\Local\Temp\4532.tmp\cubes.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\rgb.exe"C:\Users\Admin\AppData\Local\Temp\4532.tmp\rgb.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\txtout.exe"C:\Users\Admin\AppData\Local\Temp\4532.tmp\txtout.exe"3⤵
- Executes dropped EXE
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im txtout.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\txtout2.exe"C:\Users\Admin\AppData\Local\Temp\4532.tmp\txtout2.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\bsod.exe"C:\Users\Admin\AppData\Local\Temp\4532.tmp\bsod.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C81⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD564f055a833e60505264595e7edbf62f6
SHA1dad32ce325006c1d094b7c07550aca28a8dac890
SHA2567172dc46924936b8dcee2d0c39535d098c2dbf510402c5bbb269399aed4d4c99
SHA51286644776207d0904bc3293b4fec2fa724b8b3c9c3086cd0ef2696027ab3d840a8049b6bde3464c209e57ffa83cbc3df6115500fbe36a9acb222830c1aac4dc7a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a74887034b3a720c50e557d5b1c790bf
SHA1fb245478258648a65aa189b967590eef6fb167be
SHA256f25b27187fad2b82ac76fae98dfdddc1c04f4e8370d112d45c1dd17a8908c250
SHA512888c3fceb1a28a41c5449f5237ca27c7cbd057ce407f1542973478a31aa84ce9b77943130ca37551c31fa7cd737b9195b7374f886a969b39148a531530a91af3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-indexFilesize
3KB
MD5a0968189d1d0bad0ea8aa78a3877c57a
SHA1eeb21aa92fbb77e3de12cbd923e0fc853b4b1629
SHA25632c2c2213ea114f600d6a445303ea0f21797183167a1ec3cbe2d568061837bee
SHA512db6acf2f9e001f4605d8f243d43029b298ffe47edbc4e3593ce071b21d837c96900ed167e66b34fa3b4c2fcba90701a8d1436c34ec1534396abf44a670cbe0f5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD590ed3eecfd849eea2d5ee9a078ac648c
SHA193eadebf05fa9003d658038e8745f3f0456943c9
SHA2566afe371c56e522e818ee0bdcafffa13c895620c77c1d99db5ccd8b680127f113
SHA512666f00e4136baaafc738d7d474d25b51537bb0556f38380f9c3714d49f4f5aa5fb032b2aa5bdf8839e508de0a94a83a02a3de973f5d48d7e855cd922e03cf6b2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD51f6ccb923d9ba5c4d60196f75e4981c4
SHA173033a9a93cbfd15a9d0d72e6481f4e0559c95ee
SHA256d2a9eeb92bc7795f7608e94fdf339e6f432dbba6523028d04bd1b7a86a9d59d7
SHA51229d59cd287ab4c2bd875385351b9afc851d086b7cd0dd893fd4ae78a4676033334cb0e2eb9d08d0c8eebd14f4733dc7d7180053049e3e099eade8834ce58f108
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5e60f1110decf6e019adf674bab4bde0d
SHA1d2200d205964b4c6be80ebe984a10445c6dc5845
SHA256411f537b8866eed81fe0241b25bf6bddd86acf4d386d4ce3f90427d845a220de
SHA512ce2dfa7cf35b8d20d1969cb2fcb0ef0c8f2a3b996f97205a446b79e7969029b1f23e17be0ef18c4c1003525c752eaf85e7cd82ad2462d65efb85a6850ddc8a88
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5f6893659de7bb156cf9043c0c29e2db4
SHA1332e26839a8440ae5eeefa9b172dcbb0f0c6c05d
SHA25681da852b38dbdb64f4ca28f6b278efd85abd818d5ffa4aa50f3e66bb97e28a9b
SHA5127cd77f2da3e764277b6798326052b96de188fce9e6793a587a7807afb7556010e77dfc0857fbab3ac131b6271756609ca294c100ca16b6111b8fc04b4a09c358
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD577edab3405053c835868e805cadb0580
SHA14bff53edaa48298c5e33648a886344d86169bab9
SHA2563cc5a303b3c666773c347d34a6960114f3d00f78c9adf10a529e8c7ed9276e71
SHA5123f9df2d7817f108523bbd7d9633596198af8730ada25183830180013527539438adb838d2c4ceb9f50109367ffd9c303d02a59faa9c4e1112e2c8921533bc907
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD52a73c267b74d14aabf180a300fef0c03
SHA170ad577d855aaecea44387ff6e467647e428142e
SHA2565fe9abd8b069827ff6b8e735c2f4e15dfbab60b124dc5d8082d65a43385a2f8f
SHA51257db9c1a308a8af5273a96b43e63504f40a616edcc9af6cd4d1906e24e961ebc80229d1b916e24fe081a6856a25552f0fd4a94be895bce18617d196299c8bbf4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5f3ff3eb6791fb89e045bbc964521fefd
SHA1f10c809f32d3f2ebf9369b2e90d8130bba70ce7d
SHA256b40c2d8c3788c9c9ef3a6ca9dce5fdaf3be84c921f00aae9153496e78a1ed9bf
SHA512724ae31acece970881693a48a5f243b622654d493543062d19d1eb11249deb8e1f9d147fd998387fa1eae15fd3c8e1b41bf7e97ea966af43da312f4510189fc4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD529e052cbc1dcfb50bd44a6c4fc546bce
SHA12d3feb1755dbaa0d5e2945b45a535e2cd6950596
SHA256a9ba237c6a8e0d87a1c148e273dd940d08b8f1e83ba6dd88701094167d1a8a02
SHA51241786020584b61b3587a917b7490f7778672fa94e6c4e5ec5405bd7cef6bba25b6e74a6a307a73a231fd2348f7f57babee461fc6138c48b7291f0304dac029ca
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57fa6d.TMPFilesize
1KB
MD5885e69bc5375648f551eba3091dee016
SHA10d10d1d0135d648d42de008826c807a5c4aa4665
SHA2561774a9a4a2d4e0709e45d0339a75265c8ccea23393bfa075ba10c436ce767c0d
SHA512eec0707dd527e150775ceab058e525405f4693d0f581e8acd8c6bb4bd2bf7bdfae2cae467df17bf956a16205e4e7b3e435e576f9f3a37eb60a12c82916fa8c79
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5fd26899daf3c7a344046e6f6fdaf9c09
SHA1dba3f97c073dea127bd0a43a985347caa1091266
SHA2568d3b47cf2e82573a8c5d3aadc8a6dc3b93155cf7c849e4d207ee284fedfe96f2
SHA512dff62ccf7cf3a15aa7397b4989df25aa59a992701cbbb73bd5c47e1f55ad69ee3e54e54044e902bffae8a9eb59f0dbbb5e48ce392824683043d5d62033ee017a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD50a9cfff4da59b159f30577eef4fc4272
SHA11d1b22074158d0ff834f067a1287b0efcd54e031
SHA2563d522a55af6e87f2f64e47e38d5e615a73a34a68ac587a1efa0167c7e525c376
SHA512831137262cb958c393c8eb6eb4dc933c7833e64ac3cf169de5c75cc449d44016fbbe595a350614f6849cee63cb8de19ac84e0f89ac8fc4eef408d0eb249db5f2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5e16b61d36c1969995dcc1b7b1c05da21
SHA17e37ba9c43a9b384bd5b15826804df22079d3cc4
SHA25642d873d68e2692d2394303da5eb8ba9248e3481f722ab7681633764ba20c5460
SHA512c71b98bf63910451e24f0224f3985e553a89feda5cd2650b6f3ae054d73b7eaac2ff6a7fdf899e3a80dcdfbbad0ba15b9df562d52ef5fff96f9a4352e2b35750
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD53b5ef79fe85ae83669691cc30a3062e7
SHA1feea249981a343341fad2a49d2029b7904282d17
SHA2564f6316c8beb4bb5fbf12dd73cf73944d2e8a8d88c9cb0e3ade6a03f16a1f8103
SHA512b07cbbd707c278d2057cd55b6fb3132758482e4377c36e2c964d3cdf81d202ee3dc63c8431cbae18ab90fcd9481b9f4bc3ecf6db1e9000a32b86ae88e5dbf658
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\4533.tmp\4534.vbsFilesize
3KB
MD5dbe460e73bc825119c6326250ac8f223
SHA1191f599142390b486868a952f6c3df8eedc60ab2
SHA25639ec4ede07d340f3ce319a28da8ebf3cdee86ae95241a53fa99fe729746aaef0
SHA512f363475209e743e38b32078a24f99e89c93e18e7100a4c28d49d9054e981cbcaaef6960d434464af6f37789f76065d18671609e3a1b369ced34a8b14da1b06a3
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\Lines.exeFilesize
103KB
MD56381e3e4b02204e1353218ee6ec45c2a
SHA1a350d4432d2a1a8c7a34d5ea7214326ffc02c270
SHA256df3cc9a807a80697cd8b72f8f17a365849146cb4e41b4340e42f78d1bc1722e1
SHA512ac7f21c539667a77236b78006740c634b7d4c0a55dcb776872bb339501112c62e1990bbb73b8f3c4e5b065167b8102fe35aa4633248b19dca602606b68b15015
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\bsod.exeFilesize
11KB
MD52c0970f41f80a89af6da46f72076a008
SHA10a5e3f7871a51bc6a37cbc910aabe9d25a823b32
SHA256b1cb05d160f4469801cb993f76b2bbb7b077611973b4a914f50752b5852770d6
SHA512d9123debc1c21351ef6403646acf3383ee2c9d8d71d173db6b62aeda1148f5a6af851e6ba8989812c601ebe6dd1e0541a9e2b653f536c371c274aaf3f828da32
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\bytebeat1.exeFilesize
102KB
MD56b673ece600bcc8a665ebf251d7d926e
SHA164ef7c73a713bf3c55fb4ac4e5366a7a425f1b4e
SHA25641ac58d922f32134e75e87898d2c179d478c81edaae0d9bc28e7ce7d6f422f8b
SHA512feb18a1aa72de47fd67919e196abd200afdf22ad5a7e5dac20593252d8b2ca86982bb07c2fed3681ef06c9933c6d197590c1df65aa5df93cb6abafca5e53e9ff
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\bytebeat1.wavFilesize
1.3MB
MD509d2094f56d2d38aa64eac1d90c5a554
SHA1c6268759b1eee9fdfafa0d605d62bbbf85defbca
SHA2564599f6f06c7f491a50e3c4012a83cce9f3ee13ae209189cb8964f0b6ba14614c
SHA5124ca756a06612c281ec03dd9f064b9ddaf6756b00a5d54dee62728f5cdd7ad3d928559b9857ed2f733b8b3e842b396fed94b212ef2a384265ac623433d67010f3
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\cubes.exeFilesize
103KB
MD5ed695dac2b14ccad335e75f5ddd44139
SHA135f4fae272c9b8dc84ffdae9b4dbfa4ed32936eb
SHA2562d3e7cdbf244704934afa447552c049a891a9ccbd6d4ab42ca2504ad0a99e803
SHA512a028c258cc65e208303f458279035d430f8447c6ca950d2de9c345aa7c2a13cff3a36fefdeb9305f8caaffc7da91fff91e05ef8e52b9d3672f7a71b49bbf47d5
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\invmelter.exeFilesize
103KB
MD50928425141c06ebb894e50a54c2aa1f0
SHA15f27cdf914df73946a0d2e35bfa38ade93a16bd2
SHA256229f07414798adb8f850697cb0ad12a1911443c8b31c0484c1b96a16efee9a02
SHA512bb734885ce1e6a8ec2bf32bc0bdaf89298a419b25d6ac73362b850742f5bc11f4e6bf3cf03cc6d1bd025487140a778859211f70cbd2798fed1ea8fa57c957371
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\mbr.exeFilesize
577KB
MD5d1174d4066bc2b4c09059e7839651eac
SHA1a2b326436cb9a61ab1a9c1daa0aa6e6d424dc878
SHA2565000f70ff57cf2662d4b49c1c4ad275ac3f3d241f620988978e552c6f1c2d4fb
SHA5127ddef5b623aaa5de346cafb51a88b527d98190f7dea747b8809cfe7e7fd869dd2a202385169896c84d77db76df3d68ecfdb7d7cbdec556d071028306fe7375bd
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\patblt.exeFilesize
104KB
MD502a349c19fa0cef84bc88abf65f8bc2c
SHA165a1215867c12109150c10f3f831e997e411e131
SHA256ad088fa2c014bb718c005149138f284b183c494dec633ccb88c6c14ef1935199
SHA51233a1517cd1ef56429dc387fcec7e1b6f90438c5608deefb408d310239520a8e5b6c977b13b419d5795f7ba68c7ef03e951ff61534fd53fe6d36912a6fa93d06e
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\rgb.exeFilesize
105KB
MD5bfc9e8ab494313d6efb67fc8942f5ee9
SHA11b42cc97803221538e020cb90517cb808cf19381
SHA25633cbdb6e00f3f42f58502af8a9150604a44bb9b26825c909aa0edb5c744a1f13
SHA5122d01f92397b65eade1f6140f80e2cb626b3e53b112c7e77e84ea7f6092b07c05eacb9e5e9bcb4676c8bdd10fcfba4fe297f2a01eedffffa594af87839baae030
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\sinewaves.exeFilesize
108KB
MD5e9534d452e7b06b5591e0509553f8d86
SHA12be1075e3ffe29c95fb0fcbed4dcf9fc54788a58
SHA256edce21b4ec9b68e4e8a5232c1432d5de0865f1fded27fc69965a2d3d568de909
SHA51221c40c98f9351676f9a105a733472b4b9145a2a2fe13a82b681fec1c73d893bd2be472938e2b84b70836875ed18d0e615a003b4af0f99d5d463f2031500b57c3
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\txtout.exeFilesize
105KB
MD54fa1fa5d513c7fa461af0b0fcdedc2a0
SHA1f9d0b9bbb95d8584050056a2a55541389d506566
SHA25657f402713148807269c35f71eaa37b3f9309f259dc03a14a304fa7598f8acd4f
SHA5128434b1f647ba903cb0d411f54d8566430bf7c1822e67d165b9e6f18cb906101be1c9566d8cc09741c9a629c9f45f774317112e4d20f3ac3ea1ad513b05cc90d1
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\txtout2.exeFilesize
105KB
MD521d90b4350b6c69d01174240997806c3
SHA1ca6cdfe5f7f0a15ca177eabf7596d64bc284215c
SHA256ecadb0f872cf2c112620e0bfdb9f657dd5ac25188c762b2ed7261f9612163757
SHA5121e8089c7c6f1660652b29ab5a5ccac7a51dfa5fa2e28144df5a196b232b4ac489d5eee7e873144365004b76995ce8315d29f7af5ffc90130b61c38a06f1966a7
-
C:\Users\Admin\Downloads\WinRGBClean.zipFilesize
6.2MB
MD57c129d423a9a7764939fa772f1c2da7b
SHA1b7191fbbcde82a5f069bbecc0fa836f09631b99a
SHA256bb2a8e8d8db1b59b377ddcc39c473af08744b305a3b2f9190fbcafc6b53e637a
SHA5120740ac6743c56a178c3f4869ec7bab7d7fc9a6a4c2db9628b339bb6da4e3030f00fabe36b2e5426383d8703faf3e104ab0bea2a3e498aa42a54c1a715470016e
-
C:\Users\Admin\Downloads\WinRGBClean.zip:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
C:\Users\Admin\Downloads\WinRGBDestructive.zipFilesize
6.7MB
MD52ccf48c0f0e4379e7fe1290008e9e27b
SHA14841ae2ef01eb9cf6046034ee605eb0082efcd48
SHA256f14dc938825e26808ceb544d8dbdeea14a3e88ee299d9b07f60b851e4f4b188b
SHA512ead74378f562cf24cd9b52917a0a6dac93659f7714f6b5477ded57e28fb9c93a67611fec4744b4c63cc95f634e3520724775ec263498fc8e0c5cb77719aa0671
-
\??\pipe\LOCAL\crashpad_4664_HGPZMNSZMRHEVBZHMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1204-733-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1312-695-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1564-750-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/2224-739-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/3068-734-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/3468-728-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/3472-526-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/3492-717-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/3552-457-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/3552-533-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/3564-687-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/3612-553-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/3708-552-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/4592-716-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/4744-706-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB