Malware Analysis Report

2025-08-05 20:01

Sample ID 230925-awrrfscb23
Target SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe
SHA256 d9d93ecbdd4afca82d80c8e28f3e97e5cd0763ce59acaf2d1286ef85eca37a50
Tags
smokeloader backdoor google phishing trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d9d93ecbdd4afca82d80c8e28f3e97e5cd0763ce59acaf2d1286ef85eca37a50

Threat Level: Known bad

The file SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe was found to be: Known bad.

Malicious Activity Summary

smokeloader backdoor google phishing trojan

SmokeLoader

Detected google phishing page

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Modifies Internet Explorer settings

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-25 00:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-25 00:34

Reported

2023-09-25 00:36

Platform

win7-20230831-en

Max time kernel

150s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe"

Signatures

Detected google phishing page

phishing google

SmokeLoader

trojan backdoor smokeloader

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2388 set thread context of 1200 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5099423948efd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a714000000000020000000000106600000001000020000000e38a302fb349c2712a82ddfd988d2a5fbfe404468052483de4267d86e7fc4e0d000000000e8000000002000020000000e8e0243d3837b93f81688d9af59235d8a84056016134b04235e19a632b49ad4020000000e106605554a1f2c86cdbb3ef6c67705799d0f80c3e4b092bb107fd5ca61f36b7400000007946d60482fc24053d28ae0bd5dcdaee297f1ca00cdbb88e46a4bc4dd9b1fda6000e02b32cef7497a73032ba9eee348c7b5c4d5d507af03ffbe035f1549a1e8f C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a714000000000020000000000106600000001000020000000535623c31d54b74e37ca9f202950df8047cabc0f4e016345fa2597a2c9113852000000000e800000000200002000000040bd21fb8cdcb6d41ba560d7cc54bbcbb0d987529b3e292d9d1b7969e8e9cafa9000000010274be26eea31ac87291f0debdc83e263e087cbf13cfb00bc14372f836d20259da1efc687a108aa60fb82c0dbf803befbfbd8989212abb2d6d88f526535519a1f0ab90350991fc32328fde6c4ff85cd5632e123db046bc2e1cef2c43bd7343e8f1e383aa29cedef76221cedca76d1557de03b4b637810503413b378d49b8a46bef12f928ce92428919e977979fc6a0f40000000df7a6485bcedca71f7a801ba8089b25fcb3005c2f3c1a94a88695dd58b4078f219d385c13e39c574624f484e9e0ca9da810102f3ed6c91aa9b5f88429fe42b72 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{63327001-5B3B-11EE-BA54-F6205DB39F9E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401763980" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6309F8A1-5B3B-11EE-BA54-F6205DB39F9E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2388 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2388 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2388 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2388 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2388 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2388 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2388 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2388 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2388 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2388 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2388 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe C:\Windows\SysWOW64\WerFault.exe
PID 2388 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe C:\Windows\SysWOW64\WerFault.exe
PID 2388 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe C:\Windows\SysWOW64\WerFault.exe
PID 2388 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe C:\Windows\SysWOW64\WerFault.exe
PID 1188 wrote to memory of 2680 N/A N/A C:\Windows\system32\cmd.exe
PID 1188 wrote to memory of 2680 N/A N/A C:\Windows\system32\cmd.exe
PID 1188 wrote to memory of 2680 N/A N/A C:\Windows\system32\cmd.exe
PID 2680 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2680 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2600 wrote to memory of 752 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2600 wrote to memory of 752 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2600 wrote to memory of 752 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2600 wrote to memory of 752 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2716 wrote to memory of 2972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2716 wrote to memory of 2972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2716 wrote to memory of 2972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2716 wrote to memory of 2972 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 52

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\3505.bat" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:340993 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.238:80 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.238:80 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.251.36.45:443 accounts.google.com tcp
NL 142.251.36.45:443 accounts.google.com tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 8.8.8.8:53 facebook.com udp
NL 157.240.201.35:443 facebook.com tcp
NL 157.240.201.35:443 facebook.com tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
NL 157.240.201.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.206:443 accounts.youtube.com tcp
NL 142.250.179.206:443 accounts.youtube.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1200-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1200-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1200-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1200-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1200-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1188-5-0x0000000002D20000-0x0000000002D36000-memory.dmp

memory/1200-6-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3505.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\3505.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\Cab3A92.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar3B41.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c072ce5778c2ca9344c4050b992bb8df
SHA1 2b6f7ebc02b2b2bd9ec9e280ce453d3d6a97069f
SHA256 6aead974ffe393c983b118f2c45171dae2c357608dc7a4006690acc3ac916aa9
SHA512 c81b8f22df52ec71f8f08eaa044f139d44c3d10f5e24fc85f6cb6a3ef78cc4ba5e5f933d0439a7eb04bb27ffe0faeb549cfab8188c6841bc3de87a7bb41dd0fd

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6309F8A1-5B3B-11EE-BA54-F6205DB39F9E}.dat

MD5 ab3260f3d1e1c5436c44dfd3bd709233
SHA1 ff87749034200653a7a385aae782d76317d57cc3
SHA256 81aebdc7fc6a164bdc9ffb910ae6988c96288f06b4ccce3f6de49dc2e906845a
SHA512 abc68ee6fc1c3d335f7208e1938278a44565c9f316192978054a2362170b3dc3180940e495f9642511473374420e6c4a5f7d4fecde2e15a25df6c39f26beb890

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ed5ce94706a5b238f7fa4b5ab6df6bb6
SHA1 3b22c4ae814a69a085de2dc812b799a9865e7fc3
SHA256 15c64cd81bb992cf976823a7ed95337a519325ad114a692f8471f66031aebb29
SHA512 9ceb887883200d19702d6abced5dbef5273f3b4cb16c06d9168e496a791fbd5458b70365e7ffcc21c1079c030e6c182f596b65c38ee4e30e8055f776a2f23b0d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e20c0e8986872d16dc226ba885b7958f
SHA1 7b3f583f4bd35386edbe46f4a55adbf0a0209b6d
SHA256 cc4130b2f9552bae36d839094c0fb0fd0b921a8427d8f7c0ec5fa4233d20581a
SHA512 e340f5f0f224eaad2f015163a243740bdf7c836cbf2cc6b476b1231854fc18ca182a83018886ef887345ee3dc910638344bb19565b3bf75714822baac75145ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_88B06D18F336F4573DA4CD16EEF01E99

MD5 109e8bf8123e8d24f145f2fd6d20cd09
SHA1 18e2cf0e2322454b88e2a7f7183db09cb10e2b39
SHA256 cc66770916e19e086634f8f9cbd332716bf72ee3dffb1ae20492015877b7508a
SHA512 e97efecb4aa6212c8d531a76ce82fca60b3fb62efe42696e0d58754bd330cac325169c5c58f161794d5921ed49cf8d36f13cd527f57d0068ebad43ae8fb1f20c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_88B06D18F336F4573DA4CD16EEF01E99

MD5 0fcfe566fad24c70244c843720a55bb2
SHA1 ebaa43b9ed382cde5178ecd4d638c706b4428f35
SHA256 d8cd273832f6e48aea41913405d5854f6c83d19826117c9c94a503d4d0010db5
SHA512 7d7252abac785fa9c22907bbbe25d29401ac75057ce00684ab38c58e72c1734c6f45cb2271112e67a084d6d06c6baaa987979224f81481ce41dc7660545bf111

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_88B06D18F336F4573DA4CD16EEF01E99

MD5 c1481fcd5428e1e8013edc7621812724
SHA1 8e86eadf871ca94477b0e469360502203eab3d97
SHA256 9b9ad2ae252224803a2cc6f160d3305677ca54c8053008fd5b469574c42ac12e
SHA512 364e2fc399239cc2db6dd9e1f93ca5fb4b482ffe8e1d2a05a2c81d3c1efde9ad2d51a693dcde9f1198a35fa1e0d6ed3b46048cb56ac3be34e9ceb40c4c389ae6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B9T67D7I\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\zo0jyaj\imagestore.dat

MD5 e3cb6d485753f41cfcfcf667193cd19b
SHA1 e4d37b0ac71f8ed37a6edbd29b74d2b6d9bfed9a
SHA256 46c93f3ef5094f4a624c75778a00f9694240a147b878db4b08f259942a59f7d6
SHA512 9e62e035c838e8fda7c0dd1fd266b877bf56c339d74ea8a857405496aa7b935d79d2f5f09d54d477bb22a8032e78310de802ee61bb64146a5f2b803e1930f5d3

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\zo0jyaj\imagestore.dat

MD5 cb536c6c39a38a41faa356b0e47bd4d9
SHA1 3a87bc588d9bffe73874a1db23c808f08dcb8474
SHA256 2f68a8be790d510f52abe7fb076e0569b6c58ea0d510ee18edd65f461100b6b5
SHA512 604663335534aa3f9df6f5e81a23404b9a324de26819d48c795cbde1680b4da53a367f3b0e4f3a512f21472226a7ff8e02d167ff8e5ca97f7c58cb750adde516

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XQ8ZHSDO\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d4621db862d3339f7e726583b4af4b56
SHA1 88e7606fc699daad04a9a4f3456078c22d4e5a7f
SHA256 a171599028336c86e8ef4e33670de4ba1d0a667c6d76105827ea21a04e5991b6
SHA512 e486903753e17c1e3b3404b98225467d89e318215534fabb026739c713ccaa70f717cdbaf86f4afc642f35eedc4afe5c38d81a15b6e54e55c20ec8f5effc931b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b33de76d5fc3fd262277cbcdefb4234a
SHA1 ebebedf8d5cea308b7e2942e095f534b06b149e2
SHA256 007ec808514c277d6c8c90ee100cd9b69cae5c4db3e03b4e3ef255a905e2b315
SHA512 2b95724bb7f83827f821c335b1d3957f20c9239388b31ec47be23c5ceaf20934551550a23ec7142e1df0d3472e3624c2aa94cc6a7938c150336a66b1eb71e453

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dd1f3f97015eb49ab6dace0cc5da6704
SHA1 2b23baf85f49b5760e3d602ad91657d591726666
SHA256 e9480ac0208baf5dca8ebe256ce5d1d8af44f9179bc127e89ae47d79f09be738
SHA512 b320d0a2a736dfcc28e15c3f7e54c2f5eb7a0f518ef0d1eab459f4b5d47dbbe5c6328686aeab684f0cae83070d409408e38cc2cc1392a10b9aba986421692e49

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6fd1c9051201d2054e768dc26e594238
SHA1 4bf58cd9ad69fb1b969460edd88bffe552faa1a8
SHA256 1e19c40996dece4ff181ce9a139e5d0b1482787a62525ccd4656bfe9675cc731
SHA512 9554b88083915b774091768fbaad8ac09092b03475dfabd4a4a24239c9ff73c794bc2e0d8bdfa99adefdcc1a9474b86f36262fb89615b31b6390a95e5b955557

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 53ba3715275c12d36c524fa0de30c7be
SHA1 55ee06d237d1da94d87281483d2d8909dd461987
SHA256 303de8a49813f94258268504f64c5da3e1e71ed6af7db778ee99e58ccff5e07e
SHA512 0b777b108d6adade391d731a026137cd1c274f3953759bbb4585c9c5facb7602921b8f59a7390c51d4e205c885b3b7eca6c91dc6a117daae29db1a6510b8697c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f3031cc887d6a60d639cef1724c8709
SHA1 28fa767ed575c969ccd62908fb1a81f78e1f868f
SHA256 a0e309ad6862e4982a8d89626e84813cb762243cdaa852307d89b01888f5bc2e
SHA512 40e75d5971e68c8246705c9a4560ac0832b555e9804341c0df1de38eea14437ab4f90a04949a6c2b224762d9fb1132e84206191342ef18712651e67b1e1d1dc8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8afc667bc71f95d8da84416eed3f7f5c
SHA1 b33ea05770ee4e01926c11315447aebe37369bcd
SHA256 2a11452ca806d3875a4562986c495e2decff18d26ea0e9345870a438e5972e59
SHA512 35de522f7267a0df10eea12f4b72effc6041e274351f6cdb2097e0133b3c33a330f91f24046e5c5bd47325bc958af5e3f3be11d5dde28d5b9baa3ba734bda703

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c9e9b5917bf56a18a9cd0bf23e3db4b
SHA1 245876c90e14ddfe145cf69a6bf7be9f2700d224
SHA256 6481757dfd6b180a821ae2b302b72d60e34cd4c8af2801890b4372634b95040b
SHA512 654721cd23fa7f25b97117653ab2bc5750d29eb0b73c6fa5a1605534b94373557a4631a915023dc0fc9f1460b2479159adf6b281d11b6bc1658d8b03af39f319

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5e872f6b5eac12213a733b298385c5be
SHA1 f7de70953e801da3461dae4ebcf0586d66ed9d38
SHA256 d021f446cbd6fe79308f2c9255200b221aebf27aeb60f4f8e704ad1901507cc5
SHA512 6411c748ce8642231959a32da87ed2c941bb22bfefafd3bf3576cf289fdf76d6ccee7f27cf068e59372f4c61d4e6a96964c1c26254e00603f189bc0a79009a3a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 588a5b640012949d2fa1d8be5169eb0e
SHA1 9eafed890c2f2a4be396302c95afaaca9cbc9a79
SHA256 0afa7a92b8cb25e06f266d43df7e652776b059d9c176a7b342136b5ae67cdd81
SHA512 657db6f753f5e60aee19ad50913aa25859118cd0cf22d4ff9bfd9bac0fba210a692e3094377b47c0a1b441509b03c86f356f7246ba047e971fd9d51e02ddea4c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fde1d96f23fe2c48fa15d233b89689a2
SHA1 619d2a4fffe9ee559fe3fb27a747ad7ed1ec7add
SHA256 3fe99872c6054234dc6a387ee33c260fa158957cc0984352fc0cbb60fbcb0aec
SHA512 a110abde77641883315b1a1670d03023cfda01c35694f829e81c9500bf0ddb8fb945576f46a60e8e1c2a7a8671781451bc7a98376071b0b38223b96c98941570

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b0c6bc98876708ea50480b237b080f9
SHA1 7b9a18a26a5999e914d75e15f8de836549f38259
SHA256 93daddc135b75296328a152ccfe329a1183facaae9f609f562d2aad14959691a
SHA512 8faae1b0c0f7ec9ce2f3e3a6d6e625b7e2188b52e706ab3ad5383800c977733ee767bd7476deb965decf8dc6eae0ce898ccf95f60854f396225d4b13a9c96fdd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b686f1e70b5108df809679b572b9c2a
SHA1 46cc6bde8e0bf9ba0b9ca0ad8e44f8b81cd41ac2
SHA256 2261c53cae8cd9b6997291d502cf8f1ad891a32070722d6fccc9523757dde6bf
SHA512 e74e27b88f271f51c4ed43c80be1c58264fb30d6fde0dde40780b4a9e4dea66052f24e535acc121138c7fa4d19028a20537fddd2e59714ebee236117ab153229

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 02502e1793470716ef1cfb96e15fb8cb
SHA1 d5873cd6d809e5317a027b48811341dd439d9cfd
SHA256 5f0e0d4674a97a139affe05ebef0668d2f723fda3ebd37162a1e34f8511852e8
SHA512 fbde7eb6dc6739051e20efa29884714446e7b3387c71280bafdf20d5f5a3151a0f1c7af9b3b12abe5cfbdba5dfdb55e83fa698852886832d1a15f7ca20704191

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5e0cfc982ef059aa0f157f0daa601bfd
SHA1 bc4c0478ec14062973a9bc0588d7eea9be034790
SHA256 5cffd0dd226c5c84a1917d51b346c798bba1eca36e121b42b5ccebddeaea275f
SHA512 e4acef40e54ba3658799257a833b6e9e450b9994c1962225b782e6143490f19f6fcb711b8eec774a67cef88af395c3163b07647852191de720df6e5585c176e3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aa72522db55c9836b60e357a161dbfa5
SHA1 6edae1999ea247faf38c5b2437462c2f2f32fdab
SHA256 57f904fba60868ee071502a2b5cc029b98fcf154dc3098e727d0c2e1903b3f7a
SHA512 3205623ac0f7410c3f98f7adb48d1a3a414b5251c0f0c28a839cdf52c5e8846104085bffa0725da99116882ecfd908b8cbe5fbf1c7386325c0120d593c155fdd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4097883cdb7964dd660766cf78bcfe4b
SHA1 b11dc9c555a69651a26dbc2a65c77c69776bb6fc
SHA256 9f2658c9885190119ac9efe58bff57a6ca1638b6bdc692e5d2948140bf438796
SHA512 7878805311ded99c4b61a8236e528d12472e6e0f00813a3e1b65bece400ef4e9751efd626ba04d20c09ec304b24cf338d08267013999270ae468e24913e49c8f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3840486b1efcb778158997a28262b264
SHA1 237f068478d8eeca0b564593ee1aff9cb896b8f7
SHA256 aa4c311d463a33b1bbded59238a8df4ed715ffa4eceac276164c9ceec3267cb3
SHA512 4fdc3699ca47bc959e01c310eeb253b40b8f45969c6589c28215cdeeb657c37d3bd4cdf2db82b9697343e16d722d2ff1a36ad3d064e57ea79e3f49e6ad983cc3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 68aec6ec890647ee3bc4f39d71f0c555
SHA1 db80e8571536598b640682e888107923e4b638b6
SHA256 839330a0426e60d80d9a6a2a8d1882666b20808db1c0cf82ee7c779cf3c2331c
SHA512 71871e0a57dd5e3afef1e7d3fb864bce27f11f3e41844f7ab01b0bd096924c018ff8fe8c09c974eb76073a6e6ef14abe5ef745549158364c9d6d4642f6ee157b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dd0de1ddba5ece5d359d74a18964bb7a
SHA1 fd1250730d1edccf52d770b1fedcd157855cc23c
SHA256 4245ab4d0eafa79d4774a4abd5a81efe6c279cce715615628e9f52d1d63a44d1
SHA512 220a74e552da29a620140666f6460f9e562c0ffc8513e0a8858c63fa95b00cb3556f4b122608d31c5207769d9ed1aecf12ccd331870bf41360211364d5553781

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 488748a743ebe12ad389c536e7ac0016
SHA1 e4111282075565991a0d146a1981f117f50bba47
SHA256 7d986dd4d0c563a1fb1452cc063bf2b74d97070f8c844c9d1ac63f773f2e63c2
SHA512 e621fb35815a360a486d46e73cf5110ba985092e002d226bbad44a2819ccc76e6be273ace790549630fb13ad073f297c984c157fc357da4ac25623d9b01e6a1d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b5b46525b9d182d41d17d1fc55a031f
SHA1 816ad1d29127e27a02c5223c7e767d7c3c03890c
SHA256 d2720b41eb6dc14179feff129eddc874313e0d77b7f6c92d9c0e0c50be762c42
SHA512 7adf392d2772fd38a313585106a6df14c25eafb6d5c7b2481aa4159c7baac2ba6e8b99a46a9e129acc64a5620d1efece61d3e586ed3f6280d8f7a3a63a1f3e96

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a66b4db1fe4dbc0942d921472d705ab2
SHA1 879feecc75289f2610ec04f59263c0c674a80d45
SHA256 65af2d1a966ba904df93ce0593f49d62e874f2b28400d630ad234bc627c189e6
SHA512 457134e6484d889abe9a8eb3f7dcdfcdb57ea3504d33330bc75c799986a3bc09edae939e33ce94798152aa1c4159a0087fbb8a79207ed21d500561cd49d89d81

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-25 00:34

Reported

2023-09-25 00:36

Platform

win10v2004-20230915-en

Max time kernel

151s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2732 set thread context of 2336 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2732 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2732 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2732 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2732 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2732 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2732 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3176 wrote to memory of 1692 N/A N/A C:\Windows\system32\cmd.exe
PID 3176 wrote to memory of 1692 N/A N/A C:\Windows\system32\cmd.exe
PID 1692 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2284 wrote to memory of 2916 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2284 wrote to memory of 2916 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 3616 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1692 wrote to memory of 3616 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 1788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 1788 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 3204 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 4684 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 4684 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 2472 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 2472 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 2472 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 2472 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 2472 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3616 wrote to memory of 2472 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Evo-gen.17369.14688.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2732 -ip 2732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 236

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\65F8.bat" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffe358646f8,0x7ffe35864708,0x7ffe35864718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe358646f8,0x7ffe35864708,0x7ffe35864718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,10468242684103281672,14748137690765837205,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,10468242684103281672,14748137690765837205,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,10468242684103281672,14748137690765837205,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10468242684103281672,14748137690765837205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10468242684103281672,14748137690765837205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,6598060475976807694,6832156282040063040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,6598060475976807694,6832156282040063040,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10468242684103281672,14748137690765837205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,10468242684103281672,14748137690765837205,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,10468242684103281672,14748137690765837205,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10468242684103281672,14748137690765837205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10468242684103281672,14748137690765837205,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10468242684103281672,14748137690765837205,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,10468242684103281672,14748137690765837205,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.238:80 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.238:80 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.251.36.45:443 accounts.google.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 142.251.36.45:443 accounts.google.com udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 45.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
US 8.8.8.8:53 15.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp

Files

memory/2336-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2336-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3176-2-0x0000000002D90000-0x0000000002DA6000-memory.dmp

memory/2336-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3176-9-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-10-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-11-0x0000000004F10000-0x0000000004F20000-memory.dmp

memory/3176-12-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-13-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-14-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-15-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-16-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-18-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-21-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-22-0x0000000004F50000-0x0000000004F60000-memory.dmp

memory/3176-20-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-23-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-24-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-25-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-27-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-26-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-29-0x0000000004F10000-0x0000000004F20000-memory.dmp

memory/3176-28-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-31-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-33-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-32-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-34-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-35-0x0000000004F50000-0x0000000004F60000-memory.dmp

memory/3176-36-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-38-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-39-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-40-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-42-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-43-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3176-44-0x0000000004F00000-0x0000000004F10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\65F8.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6351be8b63227413881e5dfb033459cc
SHA1 f24489be1e693dc22d6aac7edd692833c623d502
SHA256 e24cda01850900bdb3a4ae5f590a76565664d7689026c146eb96bcd197dac88b
SHA512 66e249488a2f9aa020834f3deca7e4662574dcab0cbb684f21f295f46d71b11f9494b075288189d9df29e4f3414d4b86c27bf8823005d400a5946d7b477f0aef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

\??\pipe\LOCAL\crashpad_3616_EJUNZBAKDHVPEVWP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

\??\pipe\LOCAL\crashpad_2284_FRLEPIEKWVOKWUWT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 67c574f9f32841101dfc814b51100787
SHA1 98d92d655dc64534f7dafd6dd6faba4dfb77cbc6
SHA256 152eed815f53d9ac64b3b5722b39ef658e014cd5a9ea02adfa4149395a7b7d26
SHA512 8c037de8d49a65ca5439224f948abe3360557aaf2714dd313cf28e248d81f9a92b1bb762e439bda8ad402ae323b4b1ec9d2ffdaf8c8b91fd01847313e0fdbb2e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f15e41e96b6d1e89fb8bf6c9da83976f
SHA1 bda3aa249bf89298eccabb92a61dfcc81443ec10
SHA256 7ea35183a26f92f4e7c0879b9081ab385e55b521026d31a71230cc3a3b385cee
SHA512 5ebf681e83f5f607da407a95ec2dfc96236b528b2acf7794bb8cc8ea43f703fee3b747ecf3b970a27259c4e28216c26a1b94ed3910a9f6f8cad148542c120b8a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b282c4e818786ce1b3f63270607d859a
SHA1 5206bf9ec3d63fe523ea311ff3e7a9b0ef1b16b9
SHA256 63d60efa1439b388c82fe5d1413da896e40767f2f68c8ff1ee76116ecc2f514b
SHA512 a5ff8cc02f40d43dfa2519ff41080c8ed28a66263e6abc78d5f67a405414951cd0b6ec88dd4857d276991722f6c17bcc131d1432db05bbc284e8d71adc30cbce

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 67c574f9f32841101dfc814b51100787
SHA1 98d92d655dc64534f7dafd6dd6faba4dfb77cbc6
SHA256 152eed815f53d9ac64b3b5722b39ef658e014cd5a9ea02adfa4149395a7b7d26
SHA512 8c037de8d49a65ca5439224f948abe3360557aaf2714dd313cf28e248d81f9a92b1bb762e439bda8ad402ae323b4b1ec9d2ffdaf8c8b91fd01847313e0fdbb2e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 44e723f396d7816b4ed54bec8100df17
SHA1 5b8a2548571af4844d579679d524ce7014dc919c
SHA256 30ca2e0735adad0c912afff8b05d10069bb66752360f42ccdbe186e0363f9a9c
SHA512 c8e8f3a7db3c0292c6834c9da792b6fc62f74ddb0d6536748016c33ddc3dcd1b01814bef44180c24c658c73524ea592a85ab7ee5e86d103fa80e8c7b85c25294

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 699e3636ed7444d9b47772e4446ccfc1
SHA1 db0459ca6ceeea2e87e0023a6b7ee06aeed6fded
SHA256 9205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a
SHA512 d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c94d55d744b5c27498d022dff57c71fd
SHA1 8f94c287916e6dd6b1e30dbf7327cce581a45f9e
SHA256 a38c80ecc9d73749382b250573d5016bc68204524f87ba6da394d52425985149
SHA512 9cc824c9f42f2a310011aabae753913777b7fa777c9cbb2b68da7ea9746bd9cfd40563d5162619881b63401f49ab35ccb8e21daa4cb72bd868dfa8c2bf00940e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58bcb4.TMP

MD5 5bfd67be0ad11e1f7627cacbd73f9222
SHA1 19eaa1528288fb92afd02978827c388f9f98bc1c
SHA256 985e68e9dfe0e70cfa1f99d8ac254962d1e9b076c3cad32fcdc629794576cfbf
SHA512 663ad1b12074effb7d9938ae99998ccc900eb7f4893e41f05741d395dd44f1c93656b3b17b8b2a0ab3dd8b693a8520dc0d2284c691f9da8f6a6417635fcabb2b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 98ef50bd69fff2f55ac67ffd68585d48
SHA1 08b975792880fe8e37989ab27ea7f5337f0438b1
SHA256 c95c052724c100fdbbc07f69ebd391528ac0a04f14e2ec1bb6c2fd691e53abe1
SHA512 92d43940b19a1f6c63f5d282132562970d4060fc333de6476cf64bae4ae210b96196f41a8c0908a4acfed26a290007a6d5b294b2fc80b3ff97d18d92662e5d7b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 6362896d8fc2004c6d73636b66745699
SHA1 95f7ab75e913651d52905cf234ae3e6aa597edf9
SHA256 9ada25675e638e52b6be7c634b5ea2b5972885073eabaebbd450564d63c97cbb
SHA512 8a98da83dbd3ffe9abfd136872bf0174a73cb035fdb21721616880f5d75e6b4778ac4ed2dce3e2f2ef576c26b92bfb6bfe33c516b4daf897cd11b5530ba1f2cc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 6603ba4099121f2f4188947ad87c66ee
SHA1 25bf9cbab33d1cdabbb239ef7d164b5799b286b7
SHA256 4e065997cf7b13abc9cb6a05032ffccb033e8ae8d681500da9b2e9dbac64c993
SHA512 aa69a651469516e30e82c161ee13b1cb3c5eab33254d5a9304d80d959fde2fab05c05b5f3f2a71f8deb407de196c34ee4a9375bc7a932a6ebb13fab729fe9f85