Resubmissions
01-07-2024 06:05
240701-gs7rts1ekm 8
01-07-2024 06:02
240701-grl4qsxgnh 1
01-07-2024 05:57
240701-gny9ws1dnk 7
01-07-2024 05:47
240701-ghchyaxfmb 8
01-07-2024 05:44
240701-gfekhs1cmr 1
01-07-2024 05:39
240701-gcjp3axepc 6
Analysis
max time kernel
192s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags
arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted
01-07-2024 05:57
Static task
static1
Behavioral task
behavioral1
Sample
sample.html
Resource
win11-20240611-en
Errors
General
Target
sample.html
Size
494KB
MD5
90570683931d5f8a2ad2eac54d7ec9b4
SHA1
2e04b4ffa1ffafac3b5424bf6c59d0eefee13858
SHA256
9b7222bb21f452ddcb74beab90b78e805578d65c4e43758853f833ac1edb5ce1
SHA512
08cb12405bee74256212037938c3a367add8d6067c326fc154d2b6d9128254f817fff9e61672d67d4d6f4f37b78df6209b94f71c69f53abbf9db59bf0e36ec2c
SSDEEP
6144:lZHU5+U52U5ZU58U5ZU5BU59U5qU58U5Rb2:l5UAUsUbUGU3UnU3UIUCU3b2
Malware Config
Signatures
Executes dropped EXE (14 IoCs)
pid / process:
3472 mbr.exe
3708 bytebeat1.exe
3612 rgb.exe
3564 sinewaves.exe
1312 Lines.exe
4744 txtout.exe
4592 patblt.exe
3492 txtout2.exe
3468 invmelter.exe
1204 cubes.exe
3068 rgb.exe
2224 txtout.exe
1564 txtout2.exe
5024 bsod.exe

resource / yara_rule:
behavioral1/memory/3552-457-0x0000000000400000-0x00000000004D8000-memory.dmp upx
behavioral1/memory/3552-533-0x0000000000400000-0x00000000004D8000-memory.dmp upx

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
flow / ioc:
17 raw.githubusercontent.com
18 raw.githubusercontent.com
51 raw.githubusercontent.com

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description / ioc / process:
File opened for modification \??\PhysicalDrive0 mbr.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
description / ioc / process:
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe

Kills process with taskkill (8 IoCs)
pid / process:
1704 taskkill.exe
2104 taskkill.exe
3800 taskkill.exe
3800 taskkill.exe
1508 taskkill.exe
1228 taskkill.exe
3584 taskkill.exe
4888 taskkill.exe

Modifies registry class (2 IoCs)
description / ioc / process:
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1276817940-128734381-631578427-1000\{1B101567-EA36-496B-B89F-1AC6884DD958} msedge.exe
Key created \REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000_Classes\Local Settings msedge.exe

NTFS ADS (2 IoCs)
description / ioc / process:
File opened for modification C:\Users\Admin\Downloads\WinRGBClean.zip:Zone.Identifier msedge.exe
File opened for modification C:\Users\Admin\Downloads\WinRGBDestructive.zip:Zone.Identifier msedge.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid / process:
1068 msedge.exe
1068 msedge.exe
4664 msedge.exe
4664 msedge.exe
2484 msedge.exe
2484 msedge.exe
4608 msedge.exe
4608 msedge.exe
3476 identity_helper.exe
3476 identity_helper.exe
4696 msedge.exe
4696 msedge.exe
440 msedge.exe
440 msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (13 IoCs)
pid / process:
4664 msedge.exe (13 identical entries)

Suspicious use of AdjustPrivilegeToken (11 IoCs)
description / pid / process:
Token: 33 3016 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 3016 AUDIODG.EXE
Token: SeDebugPrivilege 1704 taskkill.exe
Token: SeDebugPrivilege 4888 taskkill.exe
Token: SeDebugPrivilege 2104 taskkill.exe
Token: SeDebugPrivilege 3800 taskkill.exe
Token: SeDebugPrivilege 1508 taskkill.exe
Token: SeDebugPrivilege 3800 taskkill.exe
Token: SeDebugPrivilege 1228 taskkill.exe
Token: SeDebugPrivilege 3584 taskkill.exe
Token: SeShutdownPrivilege 5024 bsod.exe

Suspicious use of FindShellTrayWindow (44 IoCs)
pid / process:
4664 msedge.exe (44 identical entries)

Suspicious use of SendNotifyMessage (12 IoCs)
pid / process:
4664 msedge.exe (12 identical entries)

Suspicious use of SetWindowsHookEx (1 IoCs)
pid / process:
3552 WinRGBDestructive.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / process / target process (64 entries in total; every entry is msedge.exe writing to msedge.exe, and each target PID below is repeated many times):
PID 4664 wrote to memory of 4472
PID 4664 wrote to memory of 2904
PID 4664 wrote to memory of 1068
PID 4664 wrote to memory of 1540
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff721f3cb8,0x7fff721f3cc8,0x7fff721f3cd8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5028 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4916 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,1685230806982785925,17552577791628338056,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\WinRGBDestructive\WinRGBDestructive.exe
  "C:\Users\Admin\Downloads\WinRGBDestructive\WinRGBDestructive.exe"
  - Suspicious use of SetWindowsHookEx

    C:\Windows\system32\wscript.exe
      "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\4532.tmp\4533.tmp\4534.vbs //Nologo

        C:\Users\Admin\AppData\Local\Temp\4532.tmp\mbr.exe
          "C:\Users\Admin\AppData\Local\Temp\4532.tmp\mbr.exe"
          - Executes dropped EXE
          - Writes to the Master Boot Record (MBR)

        C:\Users\Admin\AppData\Local\Temp\4532.tmp\bytebeat1.exe
          "C:\Users\Admin\AppData\Local\Temp\4532.tmp\bytebeat1.exe"
          - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Temp\4532.tmp\rgb.exe
          "C:\Users\Admin\AppData\Local\Temp\4532.tmp\rgb.exe"
          - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Temp\4532.tmp\sinewaves.exe
          "C:\Users\Admin\AppData\Local\Temp\4532.tmp\sinewaves.exe"
          - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Temp\4532.tmp\Lines.exe
          "C:\Users\Admin\AppData\Local\Temp\4532.tmp\Lines.exe"
          - Executes dropped EXE

        C:\Windows\System32\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /f /im Lines.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /f /im sinewaves.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\4532.tmp\txtout.exe
          "C:\Users\Admin\AppData\Local\Temp\4532.tmp\txtout.exe"
          - Executes dropped EXE

        C:\Windows\System32\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /f /im txtout.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /f /im RGB.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\4532.tmp\patblt.exe
          "C:\Users\Admin\AppData\Local\Temp\4532.tmp\patblt.exe"
          - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Temp\4532.tmp\txtout2.exe
          "C:\Users\Admin\AppData\Local\Temp\4532.tmp\txtout2.exe"
          - Executes dropped EXE

        C:\Windows\System32\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /f /im patblt.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\System32\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /f /im txtout2.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\4532.tmp\invmelter.exe
          "C:\Users\Admin\AppData\Local\Temp\4532.tmp\invmelter.exe"
          - Executes dropped EXE

        C:\Windows\System32\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /f /im invmelter.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\4532.tmp\cubes.exe
          "C:\Users\Admin\AppData\Local\Temp\4532.tmp\cubes.exe"
          - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Temp\4532.tmp\rgb.exe
          "C:\Users\Admin\AppData\Local\Temp\4532.tmp\rgb.exe"
          - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Temp\4532.tmp\txtout.exe
          "C:\Users\Admin\AppData\Local\Temp\4532.tmp\txtout.exe"
          - Executes dropped EXE

        C:\Windows\System32\taskkill.exe
          "C:\Windows\System32\taskkill.exe" /f /im txtout.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

        C:\Users\Admin\AppData\Local\Temp\4532.tmp\txtout2.exe
          "C:\Users\Admin\AppData\Local\Temp\4532.tmp\txtout2.exe"
          - Executes dropped EXE

        C:\Users\Admin\AppData\Local\Temp\4532.tmp\bsod.exe
          "C:\Users\Admin\AppData\Local\Temp\4532.tmp\bsod.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C8
  - Suspicious use of AdjustPrivilegeToken
Downloads
SHA512a028c258cc65e208303f458279035d430f8447c6ca950d2de9c345aa7c2a13cff3a36fefdeb9305f8caaffc7da91fff91e05ef8e52b9d3672f7a71b49bbf47d5
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\invmelter.exeFilesize
103KB
MD50928425141c06ebb894e50a54c2aa1f0
SHA15f27cdf914df73946a0d2e35bfa38ade93a16bd2
SHA256229f07414798adb8f850697cb0ad12a1911443c8b31c0484c1b96a16efee9a02
SHA512bb734885ce1e6a8ec2bf32bc0bdaf89298a419b25d6ac73362b850742f5bc11f4e6bf3cf03cc6d1bd025487140a778859211f70cbd2798fed1ea8fa57c957371
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\mbr.exeFilesize
577KB
MD5d1174d4066bc2b4c09059e7839651eac
SHA1a2b326436cb9a61ab1a9c1daa0aa6e6d424dc878
SHA2565000f70ff57cf2662d4b49c1c4ad275ac3f3d241f620988978e552c6f1c2d4fb
SHA5127ddef5b623aaa5de346cafb51a88b527d98190f7dea747b8809cfe7e7fd869dd2a202385169896c84d77db76df3d68ecfdb7d7cbdec556d071028306fe7375bd
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\patblt.exeFilesize
104KB
MD502a349c19fa0cef84bc88abf65f8bc2c
SHA165a1215867c12109150c10f3f831e997e411e131
SHA256ad088fa2c014bb718c005149138f284b183c494dec633ccb88c6c14ef1935199
SHA51233a1517cd1ef56429dc387fcec7e1b6f90438c5608deefb408d310239520a8e5b6c977b13b419d5795f7ba68c7ef03e951ff61534fd53fe6d36912a6fa93d06e
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\rgb.exeFilesize
105KB
MD5bfc9e8ab494313d6efb67fc8942f5ee9
SHA11b42cc97803221538e020cb90517cb808cf19381
SHA25633cbdb6e00f3f42f58502af8a9150604a44bb9b26825c909aa0edb5c744a1f13
SHA5122d01f92397b65eade1f6140f80e2cb626b3e53b112c7e77e84ea7f6092b07c05eacb9e5e9bcb4676c8bdd10fcfba4fe297f2a01eedffffa594af87839baae030
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\sinewaves.exeFilesize
108KB
MD5e9534d452e7b06b5591e0509553f8d86
SHA12be1075e3ffe29c95fb0fcbed4dcf9fc54788a58
SHA256edce21b4ec9b68e4e8a5232c1432d5de0865f1fded27fc69965a2d3d568de909
SHA51221c40c98f9351676f9a105a733472b4b9145a2a2fe13a82b681fec1c73d893bd2be472938e2b84b70836875ed18d0e615a003b4af0f99d5d463f2031500b57c3
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\txtout.exeFilesize
105KB
MD54fa1fa5d513c7fa461af0b0fcdedc2a0
SHA1f9d0b9bbb95d8584050056a2a55541389d506566
SHA25657f402713148807269c35f71eaa37b3f9309f259dc03a14a304fa7598f8acd4f
SHA5128434b1f647ba903cb0d411f54d8566430bf7c1822e67d165b9e6f18cb906101be1c9566d8cc09741c9a629c9f45f774317112e4d20f3ac3ea1ad513b05cc90d1
-
C:\Users\Admin\AppData\Local\Temp\4532.tmp\txtout2.exeFilesize
105KB
MD521d90b4350b6c69d01174240997806c3
SHA1ca6cdfe5f7f0a15ca177eabf7596d64bc284215c
SHA256ecadb0f872cf2c112620e0bfdb9f657dd5ac25188c762b2ed7261f9612163757
SHA5121e8089c7c6f1660652b29ab5a5ccac7a51dfa5fa2e28144df5a196b232b4ac489d5eee7e873144365004b76995ce8315d29f7af5ffc90130b61c38a06f1966a7
-
C:\Users\Admin\Downloads\WinRGBClean.zipFilesize
6.2MB
MD57c129d423a9a7764939fa772f1c2da7b
SHA1b7191fbbcde82a5f069bbecc0fa836f09631b99a
SHA256bb2a8e8d8db1b59b377ddcc39c473af08744b305a3b2f9190fbcafc6b53e637a
SHA5120740ac6743c56a178c3f4869ec7bab7d7fc9a6a4c2db9628b339bb6da4e3030f00fabe36b2e5426383d8703faf3e104ab0bea2a3e498aa42a54c1a715470016e
-
C:\Users\Admin\Downloads\WinRGBClean.zip:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
C:\Users\Admin\Downloads\WinRGBDestructive.zipFilesize
6.7MB
MD52ccf48c0f0e4379e7fe1290008e9e27b
SHA14841ae2ef01eb9cf6046034ee605eb0082efcd48
SHA256f14dc938825e26808ceb544d8dbdeea14a3e88ee299d9b07f60b851e4f4b188b
SHA512ead74378f562cf24cd9b52917a0a6dac93659f7714f6b5477ded57e28fb9c93a67611fec4744b4c63cc95f634e3520724775ec263498fc8e0c5cb77719aa0671
-
\??\pipe\LOCAL\crashpad_4664_HGPZMNSZMRHEVBZHMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1204-733-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1312-695-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/1564-750-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/2224-739-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/3068-734-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/3468-728-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/3472-526-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/3492-717-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/3552-457-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/3552-533-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/3564-687-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/3612-553-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/3708-552-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/4592-716-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/4744-706-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB