Malware Analysis Report

2025-08-05 20:01

Sample ID 230925-bmal9acd42
Target 2c8fc97d5d80ee9c7abc1ce63a14ad43.bin
SHA256 78c1e6097111b17c45764fa1ba092951f81f69315ee74fff45825c73f0599bb2
Tags
smokeloader backdoor google phishing trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

78c1e6097111b17c45764fa1ba092951f81f69315ee74fff45825c73f0599bb2

Threat Level: Known bad

The file 2c8fc97d5d80ee9c7abc1ce63a14ad43.bin was found to be: Known bad.

Malicious Activity Summary

smokeloader backdoor google phishing trojan

Detected google phishing page

SmokeLoader

Executes dropped EXE

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-25 01:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-25 01:15

Reported

2023-09-25 01:17

Platform

win7-20230831-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe"

Signatures

Detected google phishing page

phishing google

SmokeLoader

trojan backdoor smokeloader

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3020 set thread context of 2124 N/A C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003916b9f19191c547a3cd833648cc0b6b0000000002000000000010660000000100002000000034165fa9785a1a2f4e7dc8204ab20179bfd375341d71826ffd76b8d40832f6e6000000000e8000000002000020000000413cf128fea62bc402a47eca622b9a1e63d9f4c49b490ed7674894b44ac782c5900000004039b1d0fe6482bf39fceeeb29c36e19309508f0181e143bad646d8c0d7c1cf2ebb4e2b3d2885a9fe1b0e555794da2f74dcd80110425fdbf72b822da04e207050cd76e02e70f7eeb0821ab902bfef0c32a4ac7df43467b162dd41738cdafc02b0f14c9ef927b9dd018b1d779ff92e5561465c14616f3a5a3763495012dade3eac3a056537fe37123b4c39e0262b6033440000000ad2ca8e2cb75a48b78c0172bc2a1baed595f0918bd95c5fdac1ff80b28f8b5ebf0c124363d92a5f49706037be900e5caa5ec0825211725d07050f5a41dfee09c C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{221622F1-5B41-11EE-AA35-F2498EDA0870} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401766448" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003916b9f19191c547a3cd833648cc0b6b00000000020000000000106600000001000020000000cfdf4ed48301c5474ab1c8fc8cc390133175bf503dc4d02666c61a0cc0f93bd5000000000e80000000020000200000001dc813fd1866b38ba467a659ce3fbef9c1916f098c2d14278e36dead0038ecbd200000006c1a0bb1b43dc6c94979efa498e3dc399f849f67a8f8323564d01d29685d9f4f400000006a434d320611d7c1c56ea723776d4277a64cf32c38611b5f0e5bb2e11ea57a8a8bf2a932604160bb91328632fc00cad6383eaf7875680f5d7e533ca216dd2e64 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 002128f84defd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{21F99271-5B41-11EE-AA35-F2498EDA0870} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3020 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3020 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3020 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3020 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3020 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3020 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3020 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3020 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3020 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3020 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe C:\Windows\SysWOW64\WerFault.exe
PID 3020 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe C:\Windows\SysWOW64\WerFault.exe
PID 3020 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe C:\Windows\SysWOW64\WerFault.exe
PID 3020 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe C:\Windows\SysWOW64\WerFault.exe
PID 1204 wrote to memory of 2664 N/A N/A C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 2664 N/A N/A C:\Windows\system32\cmd.exe
PID 1204 wrote to memory of 2664 N/A N/A C:\Windows\system32\cmd.exe
PID 2664 wrote to memory of 2956 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2664 wrote to memory of 2956 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2664 wrote to memory of 2956 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2664 wrote to memory of 1532 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2664 wrote to memory of 1532 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2664 wrote to memory of 1532 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1532 wrote to memory of 1904 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1532 wrote to memory of 1904 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1532 wrote to memory of 1904 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1532 wrote to memory of 1904 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2956 wrote to memory of 2924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2956 wrote to memory of 2924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2956 wrote to memory of 2924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2956 wrote to memory of 2924 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe

"C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 52

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\6D05.bat" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2956 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.238:80 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.238:80 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 8.8.8.8:53 facebook.com udp
NL 157.240.201.35:443 facebook.com tcp
NL 157.240.201.35:443 facebook.com tcp
NL 157.240.247.8:443 static.xx.fbcdn.net tcp
NL 157.240.247.8:443 static.xx.fbcdn.net tcp
NL 157.240.247.8:443 static.xx.fbcdn.net tcp
NL 157.240.247.8:443 static.xx.fbcdn.net tcp
NL 157.240.247.8:443 static.xx.fbcdn.net tcp
NL 157.240.247.8:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
NL 157.240.201.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.201.35:443 fbsbx.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.206:443 accounts.youtube.com tcp
NL 142.250.179.206:443 accounts.youtube.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2124-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2124-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2124-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2124-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2124-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1204-5-0x0000000002AA0000-0x0000000002AB6000-memory.dmp

memory/2124-6-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6D05.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\6D05.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{221622F1-5B41-11EE-AA35-F2498EDA0870}.dat

MD5 8b80e40da6d32cea93497353a144fe3c
SHA1 a0bf82daf76de8fb1584b6df23a77551e62303d4
SHA256 c4eec6ae0af84ad40ae990d8df55976153c8c07b1d6faeac94d0e3356298dd7b
SHA512 b81aada4cbd077b9f24e5c65e0973055a09e7ea9cc12e8bdf1f5bac0c699750b0f5f600b719cdebea5933893095971ff0dec31c0c06d549b5c14d69b54bf718e

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{21F99271-5B41-11EE-AA35-F2498EDA0870}.dat

MD5 e8b43e142e8759e0c5ea69e6036de211
SHA1 187b2a22f284705925ee29ce788c840887430d52
SHA256 1092428e303ba1e4157aef7cc79a19df6b4549933b48511d188d423c2951c851
SHA512 8318aef0ece6339d48b6de1fb3169b4884020c26fd291c1418813a9b85dd10d7332159ccd144be747a2763da77e04b10c15307feee9d8d099709c72282fca7ef

C:\Users\Admin\AppData\Local\Temp\Cab7485.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\Tar74F6.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 abdf510e4c7f203f242c6c907f52b299
SHA1 31d725e084325164d8863619aaae46092ce11d12
SHA256 bd10cfbcbebfb8a88e5e4fc35bd2182a9087b40e58a0cc3e1451e45c660fb0c4
SHA512 98f06150a99326e171552fe249a6c97b8da4937d0b9752ab0eecba1b33caa5b6d456197b5fe46eed86a01f0759832b9b859d4481d71ce53d86a87d91130895fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9012a1d01ed827218cfd2376ed12e41f
SHA1 78a074ed5474aa8b9d25af87da1ca91c2ac8b33c
SHA256 b7d7b5477ce89fe807caa2b07e78d6ecf714ec2cf7382d4efd5354b51b932c34
SHA512 fcc79013d6e5857825ae0d91319661fa2ed4720ccb156e85c1e45ee13dbe919ca90678b1f75d0c0ec23b6fc3f74134bf3ab383ae6ceb2fd85da0bb4569a5387c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad52634b5a234b8a8f138ac14851f3f3
SHA1 255c3cfee070083dd3d1bd6b801306628a9df10d
SHA256 50b96ebb1e47d2bcad1769b2828db55b2289776d3a471826d6e172f8bde0fe24
SHA512 1f53c87f24ddd522959a1d0238b11e04a09a754c3cf9df31e12f8b742b741c5e23de5ea987d06696f991bc2a9a6ccb71ef5a815adebdfb8fdca366ea7c9eb0ee

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N1ZD8WV6\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\q81kvxe\imagestore.dat

MD5 7a1c22a98ac63b5689101a8ad44b8735
SHA1 61910d060c50a988d1f0bca8929b015ab4097d5c
SHA256 69e88f3cc6c1efd56b640da1e42240edccde3a99b944d13e3056f39248e80e90
SHA512 2b207e582234100612abd43252db44ab282089450503b277dfe8972f13ae70feedcccdaf2b7801cba7bca065dc7dd5f8ea3a5969e6865bddff2e320229eb85cb

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N1ZD8WV6\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\q81kvxe\imagestore.dat

MD5 0b8dea06dc6a1b79ad82916170671c11
SHA1 f4d4cc1431ede594c1236e130233101a6505eeba
SHA256 e3b554eab8c8efe8b0dac5344b4f2a86e7dacac678800c766120ff763539b380
SHA512 34d509c6e17f8dda7e6b1762a82be259a8094a1a824b441154b923ebe191a7f5b48b81e3801b8ca0dd8c5d7f6e83a5109fb365b6f1c74205ff5d2252e578249c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0d2a252cf8fb3084c09b1d58e6a51802
SHA1 3f0894855d1ea720d5d1fa472f838217c3dbc7f6
SHA256 682df099f58956e338c86b30b530c34aaf120883aa49c1c5d94782478bb0c288
SHA512 2c2581a55107e4727a8794f854013b5b7a40632edb65bf5124e62d300bc237d0c58ea46fadae47e31723073ec982002acb2064d3c14b966f8f894b4bb1d9be8a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 03b4afc114a260a77f720ce9cff4d7c1
SHA1 ac42b4aefdc4d395a4aa188be0232ccbfec55d82
SHA256 88d103bdf8b51938c432ff861f188d1af981acad0a4943f921c48f86b04acb76
SHA512 0be98703c2f35e444c7546cf35541a57516e6afa1d1939e60722720d896e1dfbde96c781d8e7a40ae18a8f33bccab27cf49226782db6c8016c115b9ad804a93c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aa3f6fb2ca186000318fd8e269fe0fbe
SHA1 73ecde9a301ca1fbdc70c5ce32bf3a81130d5553
SHA256 dc3191bae69878a421289b09bc8416f33ea206b7945e93058b22dabe679b0a17
SHA512 c058b175cc08afaf84efc2b05db78e31cb9fef8e6deb543fa3fb72818099b6bc0bcf5acb764a38132d35ba6af9f04374e852f133e7d8b01d1b2642222e25c2ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a630e8cc94749eea38dd8e60cd6ff4f2
SHA1 8c257bb3654b0f7a9a8b2c5175c064daae77d176
SHA256 0cd5ab27d9028118472a33652b3a16f5c0265cab2564c8dda26348f8c01e29e0
SHA512 b79d94a064555ad9959697a497cd1704b5599a9f6b5581be35e5054d8af8f807ea892335126be88dda2ba48d211cc4953d2eabcb6ff4c7e5262ba7abef2173d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b884a7a82076ab58c9451228aff3fdf9
SHA1 ee31bc88970bc2f01a34099e2a01d948e0d793a9
SHA256 febe11c877cecce4c4439649fe5ffbb936aa59b562e28c44616712851df91272
SHA512 d1564386203fdfe5ec8d5cea0fac4b5ae6334649ecb97d7d7a5459597bd549d80e1aa380453fada9a42d59d8cd93cd4a37be705db1965a4ecd00d20b8d11366f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 095ebe998d14de577a1b6803e91a7cf0
SHA1 857dd76357d1923265263d56b176dbc95c03c896
SHA256 771490bb10d49af5fcab9ab2c8951db8e22d8941148dbb432168d39df8f71f02
SHA512 07381fbf8d0cd81b0f8e997bd302133b1c40b58038dc8213dc85399ed23bd37cd77faf3e625cd56ecaa09a2c0e94db124ec77bb88c64fdf9b9e266832e235179

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 47a969e2858c6228447cccb98fc9b77e
SHA1 6a06a7950f2cc76e00d7e2bb929f7cadde86ef6b
SHA256 bbb9f291b18050e74851e071ad57b5e9771cc42e2e9d9773689f42899f5b7476
SHA512 bbcefb7f9c6b9e88b5063537ab60c1b8fd96f37acab8fb2889b823de54c5ca9f16670b59433cee9eb2b9777afe46381d0cd5a82a63d6e44267d2f8a62ce2f4b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 680c01a55ae9ba887904460903f094f3
SHA1 b936ec3181203c2c26e3492bc9e3261748f3c395
SHA256 2b1f84489d3662de2b1fc340848c1adade43740d03bde76239b92ba1a276a066
SHA512 d13ea3b681f5d7d4bd8404394ec79dab8a32412986334c67cf35ccaf1cbda71d8bba31c44ed32586753c9eb8481add944ca811aae2a86223ac26b936cb4c76a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c76f5eb0787a7560c27dfe1ddad9ad9f
SHA1 2909081f9bf153c2239a61c1b8e0a07ee2a680db
SHA256 64690e7796734cb6a86a306ecfebb1340f4b650fa04f5ff1af1dadb0e6b2a869
SHA512 5980359314c781fda086c3e882331149e01cbcd75256f467c5eec22199ba50a2d2be3823c4cd82424f943528bfff30e2b1dec3df88242c50eb4e7d1e92f02c70

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f02ef2bc135d72480eb69bd65d2d3d3b
SHA1 dc0c6347a43baca56610a84b4696feed244485be
SHA256 2d5a7281c9ec79a24024ea497587ca522bfc27a92dbea051ea1829ee895b212c
SHA512 dc4ef28f7abf745b4c5599a4aaa14c87f8c632a69e0360008f4756af9d1c8cdb6cb83e50f325e012618af91e37cc942dd4dad5fc03e18379c1731955085326cd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 872f190aaab04b301f07469346cda8a1
SHA1 948678d52c4d8b5ac9bfccc8dc38d88db2431ab4
SHA256 87be79e1bea1a1b6cd9e0b1de21dab1ab43b6da32c162fa5daa95f4b326ef3e9
SHA512 3bcf49312f0c2c277cdc4113361b52bdcbf15f996b46603d5f0348a7b49e3bfd7f14f4e6d2cb848ca909fd2a4ef9ce31f5228b5d64642563e817213c63cc96e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 96afd3a4128f0192a520383931a6fc83
SHA1 f6d1a469da0e40c15b2a6fed492735e65cf8a71f
SHA256 2bbf081f3b3f31c018acd826e21413fcac39086624d738acd36941d6e2819852
SHA512 01056af84346fc987409fa25705094079f1ac305bed10bfa60b939fcc1f0f2632daa40b94ec4f14248a644a372e59b889a0af0ceaf104bd4e7c2ace7af2f0c2f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 45300c4c4ee616e312f0381b1ee472a4
SHA1 fca749bfd63f2b3a5bd9acab25f72f54bb540cb7
SHA256 f3b2aab81342eb8f7f460cd18a5d52254683f5271b944bcc19a61e772fa14512
SHA512 2401ec9f7a4169a388d08a296abf1300038b6cea5c4ad7f04946044b8d8edf9f528529086381b7639b4760834bf55a35d9c55c44c06255af5e39b4ff22955f8a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d1d7c022a38dd08bd9116832880fe2cc
SHA1 cfbe9cfedbbe98b5ee564005fa76dc73f9eda6b8
SHA256 4593ae6769a179bff701610429eb186838dbe884914985a9340f476915feb612
SHA512 480ffe42671c8c5225dbfb9a1a5fe464f7eb0c7bb04a780eaac3f58864864ed91ff2b28d97aabbd3ede97fa3d6eb126f2b9ab88348e2999bae6d4a2a23be6a5c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c3b8ece31d04510bca73d8f038905a0d
SHA1 5bc27ba3bc1374bfb50fdfafe9b323cc8369a04d
SHA256 a3809d5b490165c1b789f3ebf9e47d96b1e641931f00357200762436c6a29fcc
SHA512 bbfd509c508b9685533d297b32bd33bad89c0cf2d20513a9143de0514070ae5e8824dacbf68c5154b2a444f8fe76394a81608ada5d192349196384c5f0046793

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dc3d2e14be7238b1fb9c49af0694a938
SHA1 bf8d103b823c68484efbb295d950e482b6783273
SHA256 43afe42ccefa5655d16fd5db74f0a7b39ae22b43949dbb071bc517615524ad1e
SHA512 8923acb454c43db679747ccc436da2fcb97965f5ff2552823d43aa24f6359e04fe281373fcde822210cdb3446341418021682eb12af76f96f73b7717e7960837

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1bd8626a4b978d964f7e007bae61e42
SHA1 44534f40bda5d2f001b9af9419ad1f979a0e0e9d
SHA256 f011209e44684bcc14276adf7abc5efee64cdc627995d03ab343e4e02fd554b4
SHA512 16674fba30234373b2d0012755e5d806721c980ceb6f07823ae10f888245f6862e54dda39af1db452bf053377341252e6035b4e2b180e48a7efbfbe9c2511ea3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 562824dca5cf2870e1bafe7e42303404
SHA1 0bb6a9c7e0bc23ef992345f85db2d0e3419c5605
SHA256 0def19bc8e14828918ab9eced79211a685f9fb06c1160b685a344abc409a4c7b
SHA512 fccc86f1495fea5215e4bd5bf4a27e0ac3d395a39fad30ce91170fe564ec6a6c010a66465e8cde797d9565a0250c7f367bff072be0244fd31f7dab5998d0db5f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dcae49c01d0a2602caf86aa662d7de9c
SHA1 27f985d674b79c6bfd70fc50430125ef51103b54
SHA256 466a73286071d6065f806976e177cbd104f07aa2c8c15dfdd8585084ce32ac1d
SHA512 41c74dd89becd6a0a244e651245c0bd9b4f0f68f7ca611ef6a2d3b3797296638c264d35143a6cf62bcff435dd8a339be00646ae77e691bdd2aae0ea132ef0742

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ceeaea83b578f74f7d96629bf14f381
SHA1 3106a5f339c863d49318faaf02782f8e0eb46471
SHA256 89b2e928e3af437c7c9c29668383fbc429a7b75df2fcfdc7a17db501e44442dd
SHA512 c3154c5c98fffe8eafe6bfed212fa246fa0fbb9860e01f8a2a5bd41abeafe94c96355adc1bdcde8798510beb4f29fcfe347e7a05be7d284ac3fa4fe660e20a2d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 18348dcd4fa2bb95dc179963b375a422
SHA1 f7c52c6dc78be10ddc2b6ae1e1ef45e22d20a35e
SHA256 dfca80a21c2d7f8846c6088aaa45147862b0636d2213f257cb9c82d3097b1d55
SHA512 aaba41abdbfff486a0c72f14926659265fd39b810ee561293c96aca6db0ebaa7690979c7d1dba07f7d47c562a671c09dc07b08f8d12e8dd2c016bfef8a41db03

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-25 01:15

Reported

2023-09-25 01:17

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\iatgfca N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3144 set thread context of 224 N/A C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3144 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3144 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3144 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3144 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3144 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3144 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3180 wrote to memory of 2964 N/A N/A C:\Windows\system32\cmd.exe
PID 3180 wrote to memory of 2964 N/A N/A C:\Windows\system32\cmd.exe
PID 2964 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2964 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2208 wrote to memory of 4116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2208 wrote to memory of 4116 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2964 wrote to memory of 5024 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2964 wrote to memory of 5024 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 408 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 408 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5024 wrote to memory of 4840 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe

"C:\Users\Admin\AppData\Local\Temp\42783825acdd36a5727054e95dd6638d21a6cf7fb2a7c1bffe4d31b2a324d1c7.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3144 -ip 3144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 248

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A0CF.bat" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffd2dd446f8,0x7ffd2dd44708,0x7ffd2dd44718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd2dd446f8,0x7ffd2dd44708,0x7ffd2dd44718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,2593899697362149130,12236240131630768222,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,2593899697362149130,12236240131630768222,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,6589448903411671519,10229206381034691754,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1

C:\Users\Admin\AppData\Roaming\iatgfca

C:\Users\Admin\AppData\Roaming\iatgfca

C:\Windows\system32\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.238:80 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.238:80 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.52:80 77.91.68.52 tcp
US 8.8.8.8:53 52.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 157.240.201.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 facebook.com udp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
US 8.8.8.8:53 15.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 100.39.251.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp

Files

memory/224-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/224-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3180-2-0x0000000002C40000-0x0000000002C56000-memory.dmp

memory/224-3-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A0CF.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0987267c265b2de204ac19d29250d6cd
SHA1 247b7b1e917d9ad2aa903a497758ae75ae145692
SHA256 474887e5292c0cf7d5ed52e3bcd255eedd5347f6f811200080c4b5d813886264
SHA512 3b272b8c8d4772e1a4dc68d17a850439ffdd72a6f6b1306eafa18b810b103f3198af2c58d6ed92a1f3c498430c1b351e9f5c114ea5776b65629b1360f7ad13f5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f95638730ec51abd55794c140ca826c9
SHA1 77c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA512 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f95638730ec51abd55794c140ca826c9
SHA1 77c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA512 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f95638730ec51abd55794c140ca826c9
SHA1 77c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA512 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f95638730ec51abd55794c140ca826c9
SHA1 77c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA512 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

\??\pipe\LOCAL\crashpad_5024_OLXRFDLMVBKBCXXL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f95638730ec51abd55794c140ca826c9
SHA1 77c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA512 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

\??\pipe\LOCAL\crashpad_2208_KIRHGOUUMKHEKHZO

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b5d28177364c290b0ea9e4f4d56f34ae
SHA1 cee5553f0c0751d5d359bde76805b9271eb4bcc1
SHA256 a02ca08db2cb2768082b22178758f6b4784841bbcc212768ac17961115673be6
SHA512 a1499293ef327f6900945aecdee85bc2c864f82b4f1969089a44f0809fb418cf087d450240e881f7c0cd336d6df432347e42b64d21d3ec7a7f1a7d1cbc458e5a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0b8f80cd578c6d6848f0e06e0914e698
SHA1 ae29c2acb244154bb86d6a6fe5fc13f06f7bc7d5
SHA256 bb84c99f9ab769a4da168c2c6ed10ae4fadedb0d783a882f52a13c3190f813e8
SHA512 075ee6d36d90ff018dfbce2505184b6f3796b75fc927aafaabb915369c937f26b2221cf754ee81bb431a3b3e69fc29e8413a3ccdb2a16a082d54969e549f8220

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b5d28177364c290b0ea9e4f4d56f34ae
SHA1 cee5553f0c0751d5d359bde76805b9271eb4bcc1
SHA256 a02ca08db2cb2768082b22178758f6b4784841bbcc212768ac17961115673be6
SHA512 a1499293ef327f6900945aecdee85bc2c864f82b4f1969089a44f0809fb418cf087d450240e881f7c0cd336d6df432347e42b64d21d3ec7a7f1a7d1cbc458e5a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 67f2525eca1c7e72b26d1100c2762036
SHA1 fc62ab3c52d46bfd6a741bddeb82b3dca465d2f8
SHA256 2f2c46e42651b130874a88713e7d1f5e2b5888c2984af87ab361a282f3e11619
SHA512 ec2069013ee7117d202c9f40b9109efe8e1d943a2647091b8c1fe0366bfd3f0c08d21697be0c8870cbf722d16edec683aeb8b6817a7103fe63d19b726f2b93a3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7442b2e6fde6f604d8308eb84dd559e9
SHA1 1a9285267d6d1159aea1aa9408afe811e816c5fc
SHA256 b37789dba1f67afccd35e204946412e3af53269e32ecc879fdafd44b38505d7a
SHA512 bd1c625c8711edaea308711f6fe370348a7cb559a7ebbe2ffd9140d90041e30ebc1bb585c3b66db63501c97c3559420b178f89f741d0d687d9854d75847cc2a4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 4a078fb8a7c67594a6c2aa724e2ac684
SHA1 92bc5b49985c8588c60f6f85c50a516fae0332f4
SHA256 c225fb924400745c1cd7b56fffaee71dce06613c91fbbb9aa247401ccb49e1ee
SHA512 188270df5243186d00ca8cc457f8ab7f7b2cd6368d987c3673f9c8944a4be6687b30daf8715429bd1b335391118d0ce840e3cb919ff4138c6273b286fb57b2b6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 1aa73374c002819995cfe7b131295246
SHA1 ad0243a706bc00c520c64641f401d40d2125017b
SHA256 453e2bab1de906d72556034114bc54e64d16969e65a859c0541256a357ee8cfd
SHA512 9adcb1266997490b2f86933233eff2c6a3963ce50b6ad720e47e5c815e130d461c051cc53216fdde0902bb798014f1b3a9fc1e920f518e31ccf26db1e5a9b4d0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 38919804f77a692b14d40b66f0b81e01
SHA1 3a5bc536d87bc1a00b108ffd2924ec368a69149b
SHA256 59af0ac1577ec62dffc15672e69a90295773d284e00c46e510464295c55adae6
SHA512 0195080691b43faef306ed3ab2ef8b1e2c08fbdc82449366d321044c1c3515d5d267c4bcdf634fcefcee76a4d93f0b1385f9a30ba922bced706bbc565db93629

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe594a8c.TMP

MD5 d0790b39705d7942985dadedfef42fc5
SHA1 c0a2f73742f035e29632d0c46e132ee0f2887791
SHA256 c614d044b0b48ed663cdf99b4c2511b552db3f8267812d3ca5eac67a371f9d70
SHA512 4de42a7092724509003ba881d583d579d1ad91ccf53cdb5d61f5360a943b3b8511961d8c8d3b1bb44fa3ddedb47c88067840cca3c8d4f3af8c746a6c471ed7e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 0841221c228ce399e1bcefb5de421b52
SHA1 f8ba25b67ac2a6531d60af6895915ec933681b6a
SHA256 05b728e0723d53969db65551153d875ba957981a6bdcfc7fc573effc4dfe9fda
SHA512 1744c22a19604e53ef31f259c2d5abf9e8b4a06a7dcd8e83e945728d5e2fa2cd2c4de77cc3dd820a713cbc8763e5cbe1d4a25e0a13dd04b4dbc28b33d71a3cf6

C:\Users\Admin\AppData\Roaming\iatgfca

MD5 89d41e1cf478a3d3c2c701a27a5692b2
SHA1 691e20583ef80cb9a2fd3258560e7f02481d12fd
SHA256 dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac
SHA512 5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

C:\Users\Admin\AppData\Roaming\iatgfca

MD5 89d41e1cf478a3d3c2c701a27a5692b2
SHA1 691e20583ef80cb9a2fd3258560e7f02481d12fd
SHA256 dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac
SHA512 5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc