Malware Analysis Report

2025-08-05 20:01

Sample ID 230925-b1n2ssce68
Target 2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30
SHA256 2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30
Tags
smokeloader backdoor google phishing trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30

Threat Level: Known bad

The file 2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30 was found to be: Known bad.

Malicious Activity Summary

smokeloader backdoor google phishing trojan

Detected google phishing page

SmokeLoader

Executes dropped EXE

Checks computer location settings

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Modifies registry class

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-25 01:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-25 01:36

Reported

2023-09-25 01:41

Platform

win7-20230831-en

Max time kernel

300s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe"

Signatures

Detected google phishing page

phishing google

SmokeLoader

trojan backdoor smokeloader

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\hdtsiiw N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2332 set thread context of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30eeb3fd50efd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef00000000020000000000106600000001000020000000713e6fc5b9e4840e8d4471de939b272167b3a591a77f8f5254606cf1495611f0000000000e800000000200002000000044fc3aabfcef7ef85579d36884f31b3570c01b083f3ca3b5185e0333c07d3bd42000000063b59d5eb91b0894cbf5b2997ba9aa1076ee35f26c0ce3bcb704b75e094c2be74000000065b62dcbe021859e7455e4f959fc01b1e52d20c2254550e6a3e3debf4f56e24190dbfaee17b0881751f7a5d2477c0e216c3c0297445264e8285d8a79023b873b C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401767746" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{27CF60F1-5B44-11EE-8B8C-7EFDAE50F694} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef00000000020000000000106600000001000020000000881fec66623c6507787893ae750b5ecf450e3d8b21ef9983078dbffadbc2c772000000000e80000000020000200000005a4e9bf92722dd687725d3c7701251aa3c1c213ef5b862e1cddd7ff2037ccf43900000002aa8133b4f9378967804c22759df9a8182ae51f175bf1b6c9f9d867c50f37c50358b77fca23c53db1feab1afdb1bd205479205f28e13d4c1a4a9088bd31ebaf1743864f8962e49a667167a9c3d5d18a1cb9497b21af4d13a79e1e245badd240cd893366589c409bb2727528b9a4f07cda905fbbface764eacbf9cfb92277fd33677c1fba3acfdd65bf33bc45c81e49154000000091a8148ad33ffe7393c9593574ab8e640ceb572c4e89bf2d6c3b55cfa69f606eed8d902a1bfa7c7c15cf51e9acfa9b68e3e32e227132d18485ae725735261560 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{27E72EB1-5B44-11EE-8B8C-7EFDAE50F694} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2332 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe C:\Windows\SysWOW64\WerFault.exe
PID 2332 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe C:\Windows\SysWOW64\WerFault.exe
PID 2332 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe C:\Windows\SysWOW64\WerFault.exe
PID 2332 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe C:\Windows\SysWOW64\WerFault.exe
PID 1212 wrote to memory of 2812 N/A N/A C:\Windows\system32\cmd.exe
PID 1212 wrote to memory of 2812 N/A N/A C:\Windows\system32\cmd.exe
PID 1212 wrote to memory of 2812 N/A N/A C:\Windows\system32\cmd.exe
PID 2812 wrote to memory of 2996 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2812 wrote to memory of 2996 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2812 wrote to memory of 2996 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2996 wrote to memory of 2480 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2996 wrote to memory of 2480 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2996 wrote to memory of 2480 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2996 wrote to memory of 2480 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2812 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2812 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2812 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1276 wrote to memory of 1956 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1276 wrote to memory of 1956 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1276 wrote to memory of 1956 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1276 wrote to memory of 1956 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1316 wrote to memory of 2316 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\hdtsiiw
PID 1316 wrote to memory of 2316 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\hdtsiiw
PID 1316 wrote to memory of 2316 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\hdtsiiw
PID 1316 wrote to memory of 2316 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\hdtsiiw

Processes

C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe

"C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 92

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\276E.bat" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1276 CREDAT:275457 /prefetch:2

C:\Windows\system32\taskeng.exe

taskeng.exe {9175621F-EC96-4FE4-8384-E9EB3DCD2CFB} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\hdtsiiw

C:\Users\Admin\AppData\Roaming\hdtsiiw

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.238:80 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.238:80 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 facebook.com udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
NL 157.240.201.35:443 facebook.com tcp
NL 157.240.201.35:443 facebook.com tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
NL 157.240.201.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.206:443 accounts.youtube.com tcp
NL 142.250.179.206:443 accounts.youtube.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp

Files

memory/2128-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2128-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2128-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2128-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2128-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2128-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1212-5-0x0000000002A80000-0x0000000002A96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\276E.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\276E.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\Cab2BD2.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar2CB1.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eec2ed13671ec2e721c890e48734e472
SHA1 800f3813bb42310480ff525187c0eb9dd97f6b24
SHA256 7baba5abfd7714b2d004b54e846f0b129f43aa8d8f414f3cbae36f4921b6f20d
SHA512 97334534544e1e8d9f66400683edb0ae5249c411e774f3b4e83015bc44afe638e89a33fc8143085ef7f53fef742bdadccdbea50abaa087625dda315a612405fc

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{27CF60F1-5B44-11EE-8B8C-7EFDAE50F694}.dat

MD5 8a68f5659292f11f27b5410b8774f8be
SHA1 58e64576fa01e484280f96ff3ef43597e737173b
SHA256 6333493d6abd57c28d7d691bb39f44e5a9ef4d84c244961d47cb0cc134545e90
SHA512 7dd055a7ed210e517d5556a82e2f21ee9a80c17b267f9f25033efd7500cac30466efb0e8e3dbdb0fd3afcd22207d3bddfa70f61b853db000d7222ea2d8ffe8d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1b66bc3673c775e7f26f478ab7830cf
SHA1 da43c209ac2c52dcd103cab65de9043f78cbe0e6
SHA256 a87093b67902819b5e9d6f520f7b65f6e9e8c081451fa23d4db809cbd9b31cbc
SHA512 98e12db7a942fe2c2cba830cfccf7255b4967401757c1b4b8f41babe0ca8e030091c97c4674bab455e40f1317a46446977ab8c680be548dba784f94770bec9ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_88B06D18F336F4573DA4CD16EEF01E99

MD5 0f3dd64317d6e0d9aa63cf746797069f
SHA1 a39cbceb882091f356d7a76dfd528d106878d53a
SHA256 442c9fe03ebb5914c5b0e13d4cb3355ac1737021fcfe2345b3e641e11bde3e92
SHA512 f4e5ec2a96d8f4e8f0423eb0fad676894d15e8acbefd2a281bc5a3cbea704d28afc330fa7caa7cc77d54d13ac636d720498943e947215f9bd075f767679ea860

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_88B06D18F336F4573DA4CD16EEF01E99

MD5 c1481fcd5428e1e8013edc7621812724
SHA1 8e86eadf871ca94477b0e469360502203eab3d97
SHA256 9b9ad2ae252224803a2cc6f160d3305677ca54c8053008fd5b469574c42ac12e
SHA512 364e2fc399239cc2db6dd9e1f93ca5fb4b482ffe8e1d2a05a2c81d3c1efde9ad2d51a693dcde9f1198a35fa1e0d6ed3b46048cb56ac3be34e9ceb40c4c389ae6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JORLV5PC\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\6gi47o3\imagestore.dat

MD5 6c5f11718f309a31cc5d49480bbac531
SHA1 5fe297517616b58b39a2f98383120d47691ea62d
SHA256 ccae3336bc867908f7829109321946d10679cf450c47cc5e09f0e26f54af70d2
SHA512 168fe88f09969041b6e196539a2b6d1ab4cca82c89a8e09e60eac849270444ac571995a6f0515ed87831861821c58fd94c4583e7cf2d56963b84112e3c9c23fe

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2P314ZXV\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\6gi47o3\imagestore.dat

MD5 515b1edf39b2839dbc61928ea978a214
SHA1 a9fb1235a1323b7282e8ab32f3310d42e8c78a39
SHA256 4ac266367d91f2d40c07a4b6c62eb7eccd677e77fb826f59b1325d1e803e3b4a
SHA512 923aab5ebf7d7c2f48e5deec4bc7d6607d55fd1c9d801c55cdb97be66b4ded304b7e488abc3c1f55916b2420d37a56be22e8bb012d9eeef8d8f94a8dfb147821

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 62ae4a8ed6838e375281687718ec9e42
SHA1 e52a19c2e1af60361284e110d3e3e6e1ee18f33a
SHA256 29b9abcb33fec28be93304a86f3e9407bb16ff7b115d660beab902579d097b41
SHA512 7fa1bfb7fa0f11fd630203ff95f247773331909d70fb044f54c6bd0e82f27c4d381ae4a29c9c466608d11b2e951364dbca2b929eaab0006d46445ac175abcbec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4d0b99476c6faee2250c84e2a1531403
SHA1 ac435f7fbef16556839cbf5691671deb0703ff19
SHA256 cbcd86f6d67691353b348912d63e385bbe0fe4026b951379bb89e13a964d118b
SHA512 57f181bba28a3bef4afc236583235a2e637ebb28360701ce9d3f01f8ada104de5e6056f117c2af5ca7d8dd985eccca958bfd311589068cc6610d97ca513dd963

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dc2b6ce2841a2090e66d398aaf611894
SHA1 9c6c9218c7f57b42b2a3fdd42fbd98db84201a3e
SHA256 c14336e277ce7c4296edcc07a3f45eb06010b8b1d5228e10a8626cb322f3c6fa
SHA512 3dcb58efc5b9ca9f484c0f67b0fdcf3013f696e7107072c588cad70a41a9580510e44a9728f3479049dd8d65828e77c7b9a8e5cbbe3ade38fdfda9198f5e029e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dc2b6ce2841a2090e66d398aaf611894
SHA1 9c6c9218c7f57b42b2a3fdd42fbd98db84201a3e
SHA256 c14336e277ce7c4296edcc07a3f45eb06010b8b1d5228e10a8626cb322f3c6fa
SHA512 3dcb58efc5b9ca9f484c0f67b0fdcf3013f696e7107072c588cad70a41a9580510e44a9728f3479049dd8d65828e77c7b9a8e5cbbe3ade38fdfda9198f5e029e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cff9a5c2f57c366140fd2ede1005564e
SHA1 8a9ceb8b8164841ffbdfe425df8659d98126384b
SHA256 641451624cc3d330e8102875ad4324535b7448344c32c00c9fc0475298c4810a
SHA512 a91dcf1196a11325b1d851cde87a4005575f7cac237f1533609c5cd8dab0253b5cb80fc7b908dba0788c135d070975fb31c38f1bc51a612de074e5e68f1b0c86

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8c23af0457fef98a9c9d10959c0d5a28
SHA1 c223abdcaeac475493079895ffea4d4f5434cda3
SHA256 1178a364801577200f5314c7d55f221cacce50d6b18262f7a248a0f806571a7f
SHA512 d9d6683f23349b991b3f60e45baebdebee4186c9cf4e98cae61e04d8302fd7f30e379c354c169bb5ef8f1c2b1d01df8596b555cc06a1b611c0ce3e71c482581c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1274076afc91cdae6baf39c28ada61fe
SHA1 6121793a896d8b6384e23611e9c56579944b2ee7
SHA256 984235d545914ce481431433e9ae5f7ed7cc7b55c163f9a6adecdf967c757c7e
SHA512 3bdc83f7c8cacebccb92a71bfdbd88bcf632b0c70d8d08e0c06cea51965e30f46b66a6c88e54e3ce5686439a601fe4a6404e4ebac9ab148d695c26f4f1b19797

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 46c182fc44a96f31b6e0863e685c3930
SHA1 38e0ffe4a20a09ac2a93e132799506eb4bcca2a8
SHA256 e14583250817b4e41ceef45904ecc2b4fd610853dbf8e2cb2031f9c9c16cf63a
SHA512 19016196554660e4e8ab18accb45441daaf6caa484c4d55b47a1118dd632a89f5089fc61f2cec42b3193690e2afc50ca06c020d7aa5d4932dbdb91e2eca3f306

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0a3b80d56fc86dc014c0e33b3f531d56
SHA1 b07f21e35bafcb55855b7a2ae5f1cbee1985c692
SHA256 bd94091f54d73dcc3de2fa5029536ddf7677db3da01e3d606ce4093a7cdbf0c8
SHA512 f7c8df5929a53ddc43dc61c8d8703a259279d39e43a4e249cafc038451b22e894d1c0eb3f7e0b98de9dda5a8b1d7422dde0a3a809c0a1f057609177707528d3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 29f2d4ad0aa3f6928b24300266d52b5e
SHA1 8fbcf74bf6aa60ff845ea0adcbdbfaeefc1ec147
SHA256 3358a5272e515774fc67fac9a6118b497497ad9b2e7a5d46bcac5797a9c3213f
SHA512 316b83667c1e173f26dce63e580c24fdeda322b11e4fc91eb82fd931ac961ea2c55d000c5f43fcfadd7903676dd010f2384daf723ef307da63c907e012d22ac0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 986ef64f528308b46f4fca98c11993cc
SHA1 5ea9f7fc3aecf81757ad7bfaee1ca48e6bfe1501
SHA256 6705951dd2c229ca6efbf67dcbbb42e2bee9b77d8e8eb87ac69d231f5fc11c83
SHA512 fe69649ded582da4fcff21fefa5258ca3bc84667a4c44d4bd47dd3f854b2df71380da9ba1392a1b6beccf0121a65f9b2a71c9aec65e69c0931dd92a35cc87c03

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 04911383420d317fd5cd78ea14912d14
SHA1 34edea2719cbb4b703df869bfba150d8680828da
SHA256 4e2f2034217cb3207389b3196fc5ccfa494f359af7df8f50a9c1dde1d4bf1b6e
SHA512 4b0af72dbf10cd4c748e47765f39124ac59b9cbe85bd1f9fb6799e445547219e76c9f6d505baa7aa99a83f26bc482ab8195f795b63676d1d290c5b4141d2d18d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ddc9f2faa1c5d46e4c3818020562119
SHA1 bbe240f49fadf0c5f72c6b582d175b9a1f8c69f0
SHA256 192ca3130291b695abef81fbe5d37d8eb220306783cef7528701dde6bba2c53c
SHA512 6df786f1c0896d10852c63db33b84ec73bd30cfd8189b26562485ffe76d18c544ff341c5e91af421f9600a74cb8bdce811d7d85808ad50ffb68b6bd6ce8f7aec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ffbfea997200e49b3fc5cc3a050fcd2b
SHA1 3c8d4910f1ed2e72c7e8a4f47d615e767071935f
SHA256 1f7e2626f105c4cb6b21a3e4bd9b13fac9fea5d8768f155e18ba5310599ff8b4
SHA512 dc88479988b6c480ccca568505fb3e7176527d0abb889e81fc72d62639f42cb43e90fe9267477a5474511e134bac986f35255b0a2fdff973a70df3184007b775

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 01c02053340c4759f0c50320e5adeb40
SHA1 5a17820b867f31506154b6717c3f9517dbc8a89c
SHA256 8996474482d9c8fb1def5a3d3f6501d639cb770bd100f7419baa9fb8080b8680
SHA512 b7a2dbb68822fc7319007e117a51f12b01bcc863f59ba4c1c784298fd436fc01103708cc4a9f715a11aae382fd4848414a9915152a8568502538e990d5b7bffa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4130c69a258b374745ae9a2c8baca563
SHA1 353f28cf97dc81da967d989128b8ae933c56c3b5
SHA256 6bc7111f3a88b2c56f75b1532c090991d295f1d87d5ed894b1e87bcdfbb3531c
SHA512 511b5432cd80e672afaa01f8c24f84d49703698e5f49c552b29a7a29701f4ffb0a9c021e90211b4625ca06770dd17af6c505acfa24466c6cc2f2a329a3892a38

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 81a4728136d8fd9f27e9064091fc6232
SHA1 4a5190ad90d1376e5af53be209fc8fe69f3979a1
SHA256 5f162820b59eaf9ddcb9b46e3caacea2988e1cb00095d7472caedbb64d38ef7a
SHA512 b95522e83c9e287da9c44e18701aff57a6957dc62f90bbf52b52c907d7cb97609c22b4fa99cf9f4b240e88f5d58430780bf113d2b99b01c749e8788ba57ccd88

C:\Users\Admin\AppData\Roaming\hdtsiiw

MD5 7825cad99621dd288da81d8d8ae13cf5
SHA1 f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c
SHA256 529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5
SHA512 2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

C:\Users\Admin\AppData\Roaming\hdtsiiw

MD5 7825cad99621dd288da81d8d8ae13cf5
SHA1 f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c
SHA256 529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5
SHA512 2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-25 01:36

Reported

2023-09-25 01:41

Platform

win10-20230915-en

Max time kernel

300s

Max time network

295s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe"

Signatures

Detected google phishing page

phishing google

SmokeLoader

trojan backdoor smokeloader

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\thfeavr N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5072 set thread context of 3388 N/A C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\2219095117.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\MrtCache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz! C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 85b2fff650efd901 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2bfcc7ff50efd901 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2a7956eb50efd901 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4877f90551efd901 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "402449619" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "402378659" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 587a75eb50efd901 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000039c0fee31982e43f63784f7952e1a919c9c2f8765dca61f7aeafd572b20b5d79a1d34d6ee2e756dc2d6759381efcdb2af817c254e137db64e4d6 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5072 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5072 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5072 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5072 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5072 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5072 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3252 wrote to memory of 4880 N/A N/A C:\Windows\system32\cmd.exe
PID 3252 wrote to memory of 4880 N/A N/A C:\Windows\system32\cmd.exe
PID 2176 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2176 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2176 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2176 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2176 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2176 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2176 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2176 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2176 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2176 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2176 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2176 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2176 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2176 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2176 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2176 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2176 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2176 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2176 wrote to memory of 3816 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2176 wrote to memory of 4988 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 2176 wrote to memory of 4988 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe

"C:\Users\Admin\AppData\Local\Temp\2b36fb5c662c83cd30d6138e2f93a5c8e6e61d48ffa825a3f9a48eae09460d30.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 244

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BF73.bat" "

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Users\Admin\AppData\Roaming\thfeavr

C:\Users\Admin\AppData\Roaming\thfeavr

Network

Country Destination Domain Proto
US 8.8.8.8:53 135.121.18.2.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.238:80 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.238:80 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 157.240.201.35:443 www.facebook.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 facebook.com udp
NL 157.240.201.35:443 facebook.com tcp
NL 157.240.201.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
NL 157.240.201.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 15.201.240.157.in-addr.arpa udp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 watson.telemetry.microsoft.com udp
US 52.168.117.173:443 watson.telemetry.microsoft.com tcp
US 8.8.8.8:53 173.117.168.52.in-addr.arpa udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 52.168.117.173:443 watson.telemetry.microsoft.com tcp
US 52.168.117.173:443 watson.telemetry.microsoft.com tcp
US 8.8.8.8:53 200.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 126.178.238.8.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 88.221.24.18:443 www.bing.com tcp
NL 88.221.24.18:443 www.bing.com tcp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 163.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 18.24.221.88.in-addr.arpa udp

Files

memory/3388-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3388-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3252-4-0x00000000014F0000-0x0000000001506000-memory.dmp

memory/3388-6-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BF73.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

memory/2692-15-0x000001E16A220000-0x000001E16A230000-memory.dmp

memory/2692-31-0x000001E16A600000-0x000001E16A610000-memory.dmp

memory/2692-50-0x000001E16A7F0000-0x000001E16A7F2000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 24be8a92460b5b7a555b1da559296958
SHA1 94147054e8a04e82fea1c185af30c7c90b194064
SHA256 77a3cfe6b7eb676af438d5de88c7efcb6abcc494e0b65da90201969e6d79b2a3
SHA512 ed8ef0453e050392c430fdcf556249f679570c130decd18057e077471a45ab0bc0fba513cb2d4d1c61f3d1935318113b3733dec2bc7828a169b18a1081e609a0

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 24be8a92460b5b7a555b1da559296958
SHA1 94147054e8a04e82fea1c185af30c7c90b194064
SHA256 77a3cfe6b7eb676af438d5de88c7efcb6abcc494e0b65da90201969e6d79b2a3
SHA512 ed8ef0453e050392c430fdcf556249f679570c130decd18057e077471a45ab0bc0fba513cb2d4d1c61f3d1935318113b3733dec2bc7828a169b18a1081e609a0

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 10d0fb19e7c9e304cdc220095fb09186
SHA1 0d0eafcd00a8d7a7579ae1d11b9b8a3a3be64c37
SHA256 5f7373124dff83b12aa24dd87ab36bbaf187f6702002435bbdddfbb1b8e4c7af
SHA512 827a5c91a17664d2835f688e06102f069f6d021a8fefb237bb8538189803f5f2a8fd06334e01f726c9eaf5f0052e54331c4c028e23507a6c4e8a8419649bef0b

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 10d0fb19e7c9e304cdc220095fb09186
SHA1 0d0eafcd00a8d7a7579ae1d11b9b8a3a3be64c37
SHA256 5f7373124dff83b12aa24dd87ab36bbaf187f6702002435bbdddfbb1b8e4c7af
SHA512 827a5c91a17664d2835f688e06102f069f6d021a8fefb237bb8538189803f5f2a8fd06334e01f726c9eaf5f0052e54331c4c028e23507a6c4e8a8419649bef0b

memory/3816-130-0x0000017568150000-0x0000017568152000-memory.dmp

memory/3816-132-0x0000017568170000-0x0000017568172000-memory.dmp

memory/3816-136-0x0000017568330000-0x0000017568332000-memory.dmp

memory/3816-204-0x0000017568A80000-0x0000017568A82000-memory.dmp

memory/3816-210-0x0000017568B50000-0x0000017568B52000-memory.dmp

memory/3816-214-0x0000017568B70000-0x0000017568B72000-memory.dmp

memory/3816-216-0x0000017568C70000-0x0000017568C72000-memory.dmp

memory/3816-228-0x0000017567C00000-0x0000017567D00000-memory.dmp

memory/3816-247-0x00000175685F0000-0x0000017568610000-memory.dmp

memory/3816-250-0x0000017557790000-0x0000017557792000-memory.dmp

memory/3816-381-0x0000017557780000-0x0000017557782000-memory.dmp

memory/3816-390-0x000001756BB90000-0x000001756BB92000-memory.dmp

memory/3816-394-0x000001756BBD0000-0x000001756BBD2000-memory.dmp

memory/3816-397-0x000001756BBE0000-0x000001756BBE2000-memory.dmp

memory/3816-405-0x000001756C050000-0x000001756C052000-memory.dmp

memory/3816-408-0x000001756C080000-0x000001756C082000-memory.dmp

memory/3816-414-0x0000017568290000-0x0000017568292000-memory.dmp

memory/2692-418-0x000001E170B20000-0x000001E170B21000-memory.dmp

memory/3816-421-0x000001756A900000-0x000001756AA00000-memory.dmp

memory/2692-419-0x000001E170B30000-0x000001E170B31000-memory.dmp

memory/3816-428-0x0000017557B00000-0x0000017557C00000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\KB6QKMTG\B8BxsscfVBr[1].ico

MD5 e508eca3eafcc1fc2d7f19bafb29e06b
SHA1 a62fc3c2a027870d99aedc241e7d5babba9a891f
SHA256 e6d1d77403cd9f14fd2377d07e84350cfe768e3353e402bf42ebdc8593a58c9a
SHA512 49e3f31fd73e52ba274db9c7d306cc188e09c3ae683827f420fbb17534d197a503460e7ec2f1af46065f8d0b33f37400659bfa2ae165e502f97a8150e184a38c

memory/3816-472-0x00000175572F0000-0x0000017557300000-memory.dmp

memory/3816-473-0x00000175572F0000-0x0000017557300000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\06OGS5OS.cookie

MD5 4786911fb0ab668d7325c55b773f9782
SHA1 c71b0b4b105a1c3f56f29c32697ab0c705e6f959
SHA256 b509d793da6b71ac97b2811d741a09f42506413400f9f91d0bfba1fc3525c973
SHA512 3f499d6d4aa36cb2818cd0bffc9cd975db02cb832904b5ce410e7b755f9859a3f643c701b54511a5cde9fd69b636bf7fb1466e60330ce5a4ced0198c867cdc54

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

MD5 3b7403306365b481a905b872a4a8fe8d
SHA1 848d8b54a1b0fa0f473fe13bbabcb7872c0a6067
SHA256 f7ffcd2b2deb0aafb5ab3eca136e1bfa6560686bf31f6982afeb0535dfd70bd7
SHA512 bb40f31f256d4635c9ef00ef2eb7f6d959a262e55e8028d2d009073b74979900672073db15b2e3130b551dfe3b770863251940fa13c49375b8e18c5be24fb2a9

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190

MD5 a8c45b5c9cb1d05b699d759c977912f9
SHA1 c96bfdeb25c0e1fd1256089baa66a7529c24207c
SHA256 82ac4249caf5d83752e055a2ebc6b75d7481e20b3292ff1d3454992349d4a153
SHA512 340f313fa432572987e7fdadfee7983689f311094a8ab97838087cc1c428e4faa5bbb63b3c2d71a3c18f128f9adbbc78f74ca9076c971f78fd91b07728f6c9ca

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 1cce9fe9c9806c98b282e07836f224db
SHA1 769fc0dd9dc50359200361cc6b33fbb71b2ac00b
SHA256 1418cf27fdc4eea9f503968c1f02e114776513804644c4c582d7c40b66b288ab
SHA512 fd31625328c3dc062cdcaee98c70d2fafa0a19d8a5a677b6266b88da65649a235ebb106392982f56c151210a994d51b881cd022c4a9ff5ca653a4dc9af9a5848

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 dd94ba4b4c642981bdf463473198a708
SHA1 b965048c8b693e8675272b63be70692b54a1c4ee
SHA256 9c741a92628e5d4340e35e59300873773610285c9e51e790a7cc13c602342c3e
SHA512 ee63a3017ecf728020696d1b15607a1dc9e22cf6fbcf01d0abb5d7d961303227581645c4f5d62fea77c74288d9b58632e0452bdc6f2542cd991361c34bafdcef

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 ac89a852c2aaa3d389b2d2dd312ad367
SHA1 8f421dd6493c61dbda6b839e2debb7b50a20c930
SHA256 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512 c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b5eda74305a01c41450e0d12777199e1
SHA1 36162e9e8c3a69b237d317f7c300f11927a37c12
SHA256 6e5c17b2b4e22fa800baa0eaf0b76ce73005e463b915503e8bca92223b9cf594
SHA512 f96b2ea451f4ceef082e1289a7f1e160580f5a8d515eaf2b4df0d8d818c34355c17538806f873fba07118b5c937d8c3172721ee03e3d16126e07c0db5faf16f3

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_88B06D18F336F4573DA4CD16EEF01E99

MD5 c1481fcd5428e1e8013edc7621812724
SHA1 8e86eadf871ca94477b0e469360502203eab3d97
SHA256 9b9ad2ae252224803a2cc6f160d3305677ca54c8053008fd5b469574c42ac12e
SHA512 364e2fc399239cc2db6dd9e1f93ca5fb4b482ffe8e1d2a05a2c81d3c1efde9ad2d51a693dcde9f1198a35fa1e0d6ed3b46048cb56ac3be34e9ceb40c4c389ae6

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_88B06D18F336F4573DA4CD16EEF01E99

MD5 54af41572fcda9a14f1cb35bc695b6fa
SHA1 f432ca5f699f51cb189d98bbd9aea871956c928d
SHA256 6146095f5d3a1f433b4b0bfc99d59cacb43f8fd749e240de1f0840d3ea6fb89d
SHA512 198e4f8bd9d46d90432273b49c3537e7edd36b2292a560d2f666aa777b6ddbfdbec8d8d91ab64d8db9d97164f91d7de9397e650603f458987bfaa0d8200280ff

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\WIQH1AYB.cookie

MD5 82b3f52a45ab81bf622626239de5645b
SHA1 58c5ad43ae0ed0f3ff27085096301c9dc7f1dfd5
SHA256 4564fe0968896246e3b0356c9529804c3c6acebf42aca98ff3846a9b08b3302e
SHA512 92882f2743b4454b1e71cd3c8f7d812e68c385a81166ed0d86babe47219d75c1c8ce46f48df14187cd19d44fa137c15561fc4128bf3628e438b09f752a1ca9f5

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0G1F2NWK\edgecompatviewlist[1].xml

MD5 d4fc49dc14f63895d997fa4940f24378
SHA1 3efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512 cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\J012CJ85\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Roaming\thfeavr

MD5 7825cad99621dd288da81d8d8ae13cf5
SHA1 f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c
SHA256 529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5
SHA512 2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

C:\Users\Admin\AppData\Roaming\thfeavr

MD5 7825cad99621dd288da81d8d8ae13cf5
SHA1 f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c
SHA256 529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5
SHA512 2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4